Debian 10225 Published by

Updated Wordpress packages has been released for Debian GNU/Linux 7 LTS to address an issue introduced by the previous package




Package : wordpress
Version : 3.6.1+dfsg-1~deb7u19
Debian Bug : 881088

The fix for CVE-2017-14990 issued as DLA-1151-1 was incomplete and
caused a regression. It was discovered that an additional database
upgrade and further code changes would be necessary. At the moment
these changes are deemed as too intrusive and thus the initial patch
for CVE-2017-14990 has been removed again. For reference, the original
advisory text follows.

WordPress stores cleartext wp_signups.activation_key values (but
stores the analogous wp_users.user_activation_key values as hashes),
which might make it easier for remote attackers to hijack unactivated
user accounts by leveraging database read access (such as access
gained through an unspecified SQL injection vulnerability).

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u19.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
  Wordpress Regression Update for Debian 7 LTS