Vulnerability in WordPress (08 January 2016)


Post by pierre » 08 Jan 2016, 20:21

Vulnerability in WordPress (fixed on 08 January 2016)

Initial version of the advisory
08 January 2016

Source
WordPress security bulletin of 06 January 2016
https://wordpress.org/news/2016/01/word ... e-release/

1 - Risk(s)
Remote cross-site scripting (XSS)

2 - Affected systems
Versions prior to 4.4.1

3 - Summary
A vulnerability has been fixed in WordPress. It allows an attacker to carry out a remote cross-site scripting (XSS) attack.
Fifty-two other bugs, not related to security, are also fixed.

Summary

WordPress 4.4.1 contains fixes for 52 bugs from 4.4, including:

Administration

34987 “Configure” link for dashboard widgets no longer displayed.
35047 Notices are not moved to first header when header-elements are nested inside .wrap
35057 bug in new default_hidden_columns filter
35112 Screen Options in Appearance -> Menu not saved correctly sometimes

Bootstrap/Load

34967 SHORTINIT and date_i18n: Call to undefined function _x()
35013 WP4.4 function handle_404 yields a fatal error on line 613 when trying to clone $wp_query->post if it’s not an object

Build/Test tools

30787 Shrinkwrap NPM dependencies

Bundled Theme

35270 Bump twentysixteen for 4.4.1

Canonical

34890 Canonical meta tag for paginated posts incorrect with ugly permalinks

Comments

34946 new comment redirects break anchors in Safari
34997 preprocess_comment filter does not contain old user_ID field for user_id, instead it has new user_id field
35006 Comments sent immediately to Trash for matching keyword blacklist should not generate email notifications
35025 Performance regression in comments_template in 4.4
35068 Comments not showing up when there are unapproved messages
35175 Page parameter no longer works in wp_list_comments

Customize

35081 Missing Change Theme button when there are only two themes available

Embeds

35152 Remove Rdio embed support
35194 Remove embed discovery tags from HTML header of static home pages
35237 Invalid argument supplied for foreach() in /wp-includes/embed-template.php on line 54

Emoji

33592 Unicode 8.0 Emoji

External Libraries

34948 Update random_compat for “Don’t instantiate COM if it’s a disabled class”

Filesystem API

34976 Plugins fail to update after WP 4.4 installed

Formatting

35008 Ampersands in URLs are no longer converted to entities
35058 PHP Fatal when map_deep tries to work on an object that has a property by reference

HTTP API

34935 Removed SSL certificates causing errors in WP 4.4

Help/About

35215 Setting help tab priorities fails to correctly order the tabs

Login/Registration

34925 4.4 wp-login.php: no longer possible to use the login_post scheme
35103 login_url Filter is now applied to Login Form Action Attribute

Mail

35212 Update PHPMailer to 5.2.14

Media

35045 Responsive images not added when effective scheme differs from image src scheme
35101 image_default_link_type option not being respected
35102 Responsive images support for external URLs
35106 Responsive images break uploads with full path stored in metadata
35108 Responsive images blurry – srcset attribute doesn’t include full size version
35153 Default link target for media files is none

Menus

34446 WordPress Notice after add support for post type archives in menu
34449 Remove CPT if exists menu item
35107 wp_nav_menu outputs tags without line breaks in 4.4, causes strange bug with justified text

Permalinks

35084 check for post status in get_page_uri causes issues with permalinks

Query

35031 wp_old_slug_redirect() in 4.4 redirecting existing posts
35115 404 error when URL includes title=…

Shortcodes

34939 Shortcode regex no longer matches [shortcode=XXX]

Taxonomy

34723 Warning in get_the_terms() because of non-array
35089 Query var on non-public taxonomy remains boolean true since [35333]
35137 get_terms() with a meta_query filter returns duplicated terms
35156 wp_list_categories() does not accept comma-separated IDs for exclude_tree parameter
35180 In WordPress 4.4 the_tags() is displaying tags ordered by ID instead of alphabetically by name

Themes

34962 Issues with wp_get_document_title function causing problems with document titles

Users

34993 Deleting a user no longer asks what to do with their content

Widgets

34978 Extra quotes in title in WP_Widget_RSS class, widget method
34995 WP_Widget::widget not called

XML-RPC

35053 XML-RPC: when a post is created with date_created_gmt, its post_date is set to the GMT date instead of the local date
35185 Unable to create Post via XMLRPC after upgrading to 4.4

4 - Solution
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
WordPress 4.4.1 Security and Maintenance Release

5 - Documentation
WordPress security bulletin of 06 January 2016
https://wordpress.org/news/2016/01/word ... e-release/

Ticket 35031
https://core.trac.wordpress.org/ticket/35031