-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:233 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : wordpress Date : November 27, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated wordpress package fixes security vulnerabilities: XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031). XSS in media playlists (CVE-2014-9032). CSRF in the password reset process (CVE-2014-9033). Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034). XSS in Press This (CVE-2014-9035). XSS in HTML filtering of CSS in posts (CVE-2014-9036). Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037). SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038). Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039 http://advisories.mageia.org/MGASA-2014-0493.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 62fa68f582bb7de0f5a2b73f4cd0d68a mbs1/x86_64/wordpress-3.9.3-1.mbs1.noarch.rpm 1dec5403e27c363d864c7b562b95e76e mbs1/SRPMS/wordpress-3.9.3-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUd1a7mqjQ0CJFipgRAkRVAJ99KIVWb4ckhvSoKutVDSzMfujV1QCfR3/t FiSsXvz21f5N3G8Ykv4Txhk= =aPRO -----END PGP SIGNATURE-----