Debian 10261 Published by

An updated Wordpress package has been released for Debian GNU/Linux 8 LTS to address several vulnerabilities



Package : wordpress
Version : 4.1.28+dfsg-0+deb8u1
CVE ID : CVE-2019-17669 CVE-2019-17670 CVE-2019-17671 CVE-2019-17675
Debian Bug : 942459

Several vulnerabilities in wordpress, a web blogging tool, have been fixed.

CVE-2019-17669

Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

CVE-2019-17670

Server Side Request Forgery (SSRF) vulnerability was reported in wp_validate_redirect(). Normalize the path when validating the location for relative URLs.

CVE-2019-17671

Unauthenticated viewing of certain content (private or draft posts) is possible because the static query property is mishandled.
CVE-2019-17675

Wordpress does not properly consider type confusion during validation of the referer in the admin pages. This vulnerability affects the check_admin_referer() WordPress function.

For Debian 8 "Jessie", these problems have been fixed in version 4.1.28+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS