On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> the following vulnerabilities were published for wordpress.
>
> CVE-2016-6896[0] and CVE-2016-6897[1]. It was reported that they at
> least affect 4.5.3, no earlier versions were so far checked, since no
> full details to fixes given. There is more information in [2].
>

It's a little more complicated than that with three vulnerabilities and the identification a bit mixed up. So here goes.

CSRF check done too late.
This is CVE-2016-6897, oss-sec correctly broke the two issues out due to different versions being impacted. It was (silently?) fixed for wordpress 4.6 but that didn't get updated (I missed the 4.6 announcement) so sid was still vulnerable until I uploaded 4.6.1.
Reported in wordpress 37490 and fixed in changeset 38168.

Directory traversal
This is CVE-2016-6896. Wordpress 4.6.1 reports this as "a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin".
Fixed in changeset 38538.

Upgrade Package Uploader
This has no CVE. Wordpress 4.6.1 reports this as "path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling".
Fixed in changeset 38524.

The first changeset is simple with the other two being trivial. I will start to look at jessie and see if that version is impacted. My initial hunch is it will be. Expect a debdiff shortly!

 - Craig