Summary
Several vulnerabilities were discovered in WordPress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2014-0165
A user with the contributor role can, using a specially crafted request, publish posts, an action reserved for users of the next-higher role.
CVE-2014-0166
Jon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 3.6.1+dfsg-1~deb6u2.
For the stable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u2.
For the testing distribution (jessie), these problems have been fixed in version 3.8.2+dfsg-1.
For the unstable distribution (sid), these problems have been fixed in version 3.8.2+dfsg-1.
We recommend that you upgrade your wordpress packages.
Insight
WordPress is a full-featured web blogging tool:
* Instant publishing (no rebuilding)
* Comment pingback support with spam protection
* Non-crufty URLs
* Themable
* Plugin support
Affected
wordpress on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-0165, CVE-2014-0166
CVSS Base Score: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N