From ${URL} : The 4.0.1 release of WordPress fixes a number of security issues. Refer to https://wordpress.org/news/2014/11/wordpress-4-0-1/ for full details. CVE assignments are pending: http://www.openwall.com/lists/oss-security/2014/11/20/43 Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/ @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
*** Bug 530006 has been marked as a duplicate of this bug. ***
Fixed versions in the tree, old gone.
CVE-2014-9039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9039): wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. CVE-2014-9038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9038): wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. CVE-2014-9037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9037): WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. CVE-2014-9036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9036): Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. CVE-2014-9035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9035): Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2014-9034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9034): wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. CVE-2014-9033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9033): Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. CVE-2014-9032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9032): Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2014-9031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9031): Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.
Thanks, Tim. Closing noglsa for ~arch only.
