Candidate: CVE-2017-5493
PublicDate: 2017-01-15 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
 http://www.openwall.com/lists/oss-security/2017/01/14/1
 https://wpvulndb.com/vulnerabilities/8721
 https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
 http://www.openwall.com/lists/oss-security/2017/01/14/6
 https://codex.wordpress.org/Version_4.7.1
 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Description:
 wp-includes/ms-functions.php in the Multisite WordPress API in WordPress
 before 4.7.1 does not properly choose random numbers for keys, which makes
 it easier for remote attackers to bypass intended access restrictions via a
 crafted (1) site signup or (2) user signup.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851310
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_wordpress:
upstream_wordpress: released (4.7.1+dfsg-1)
precise_wordpress: ignored (reached end-of-life)
precise/esm_wordpress: DNE (precise was needs-triage)
trusty_wordpress: ignored (reached end-of-life)
trusty/esm_wordpress: DNE (trusty was needed)
vivid/stable-phone-overlay_wordpress: DNE
vivid/ubuntu-core_wordpress: DNE
xenial_wordpress: ignored (end of standard support, was needed)
yakkety_wordpress: ignored (reached end-of-life)
zesty_wordpress: not-affected (4.7.1+dfsg-1)
artful_wordpress: not-affected (4.7.1+dfsg-1)
bionic_wordpress: not-affected (4.7.1+dfsg-1)
cosmic_wordpress: not-affected (4.7.1+dfsg-1)
disco_wordpress: not-affected (4.7.1+dfsg-1)
eoan_wordpress: not-affected (4.7.1+dfsg-1)
focal_wordpress: not-affected (4.7.1+dfsg-1)
groovy_wordpress: not-affected (4.7.1+dfsg-1)
hirsute_wordpress: not-affected (4.7.1+dfsg-1)
impish_wordpress: not-affected (4.7.1+dfsg-1)
jammy_wordpress: not-affected (4.7.1+dfsg-1)
devel_wordpress: not-affected (4.7.1+dfsg-1)