[SECURITY-L] WordPress 4.5.3 Maintenance and Security Release
CSIRT Unicamp
security em unicamp.br
Qua Jun 22 07:55:52 -03 2016
WordPress 4.5.3 Maintenance and Security Release
Posted June 18, 2016 by Adam Silverstein. Filed under Releases, Security.
WordPress 4.5.3 is now available. This is a security release for all
previous versions and we strongly encourage you to update your sites
immediately.
WordPress versions 4.5.2 and earlier are affected by several security
issues: redirect bypass in the customizer, reported by Yassine Aboukir;
two different XSS problems via attachment names, reported by Jouko
Pynnönen and Divyesh Prajapati; revision history information disclosure,
reported independently by John Blackbourn from the WordPress security
team and by Dan Moen; oEmbed denial of service reported by Jennifer Dodd
from Automattic; unauthorized category removal from a post, reported by
David Herrera from Alley Interactive; password change via stolen cookie,
reported by Michael Adams from the WordPress security team; and some
less secure sanitize_file_name edge cases reported by Peter Westwood of
the WordPress security team.
Thank you to the reporters for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs
from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes:
https://codex.wordpress.org/Version_4.5.3
Download WordPress 4.5.3 or venture over to Dashboard → Updates and
simply click “Update Now.” Sites that support automatic background
updates are already beginning to update to WordPress 4.5.3.
Thanks to everyone who contributed to 4.5.3:
Boone Gorges, Silvan Hagen, vortfu, Eric Andrew Lewis, Nikolay
Bachiyski, Michael Adams, Jeremy Felt, Dominik Schilling, Weston Ruter,
Dion Hulse, Rachel Baker, Alex Concha, Jennifer M. Dodd, Brandon Kraft,
Gary Pendergast, Ella Iseulde Van Dorpe, Joe McGill, Pascal Birchler,
Sergey Biryukov, David Herrera and Adam Silverstein.
--
Gesiel Galvão Bernardes
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
Mais detalhes sobre a lista de discussão SECURITY-L