Your message dated Sat, 23 Sep 2017 10:03:41 +0000
with message-id <[email protected]>
and subject line Bug#874416: fixed in wordpress-shibboleth 1.4-2+deb9u1
has caused the Debian Bug report #874416,
regarding wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
874416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874416
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress-shibboleth
Version: 1.4-2
Severity: important
X-Debbugs-Cc: [email protected]
Tags: security

I have just become aware of an old security issue that was fixed
in upstream:

https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5
6e2fd19188e7c26a

As far as I understand, this is 

https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_q
uery_arg-usage/

Given that noone has noticed and reported this as an issue for a year
in the Debian package, and I'm not completely sure of how easy it is
to exploit, I'm not exactly sure of the correct severity or whether
this warrants a DSA or just a point release update. I'm CCing
the Wordpress maintainer in case they have any ideas.

This bug will be fixed in unstable shortly.

--- End Message ---
--- Begin Message ---
Source: wordpress-shibboleth
Source-Version: 1.4-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
wordpress-shibboleth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated wordpress-shibboleth 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Sep 2017 11:20:16 +0100
Source: wordpress-shibboleth
Binary: wordpress-shibboleth
Architecture: source
Version: 1.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dominic Hargreaves <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
 wordpress-shibboleth - Shibboleth plugin for WordPress
Closes: 874416
Changes:
 wordpress-shibboleth (1.4-2+deb9u1) stretch-security; urgency=high
 .
   * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)
Checksums-Sha1:
 4e65eec81b28c885f77bfdf3de4fe62a1ee3bcea 1978 
wordpress-shibboleth_1.4-2+deb9u1.dsc
 0e8d76e555797fae6b8b153cd94e96bb3abaaed0 491213 
wordpress-shibboleth_1.4.orig.tar.gz
 7656667523fbee086df58bd86fe3d2b6675374e6 2104 
wordpress-shibboleth_1.4-2+deb9u1.diff.gz
 9220cba82e941262c14e2c8ebaf31dd6e93ad301 5809 
wordpress-shibboleth_1.4-2+deb9u1_source.buildinfo
Checksums-Sha256:
 81d2edaa9959baa27a4fbf8b2efad73ed6f39acf20ed5cc7de5ea88821d2cb19 1978 
wordpress-shibboleth_1.4-2+deb9u1.dsc
 3905264005217524127a856a0f0b924ebc49c8f63c1d825df5c541af9cfa5b49 491213 
wordpress-shibboleth_1.4.orig.tar.gz
 e3019500aa0208ed0b1ade0303a0a8e2dc2506e5a6bd4855bc089fc9a8d9c025 2104 
wordpress-shibboleth_1.4-2+deb9u1.diff.gz
 43faec357b9cad62f905441abd3577f1aa4053cc07a1d9c4aacec78ee2ee1abb 5809 
wordpress-shibboleth_1.4-2+deb9u1_source.buildinfo
Files:
 793201040186bac754a95c9ce7db7d70 1978 php optional 
wordpress-shibboleth_1.4-2+deb9u1.dsc
 7b38a0d32e352afb644bcdef5bdd512c 491213 php optional 
wordpress-shibboleth_1.4.orig.tar.gz
 88f56ba6e7b0c70392c66e2596aa2891 2104 php optional 
wordpress-shibboleth_1.4-2+deb9u1.diff.gz
 03abc2cadde161d59216346f6184881c 5809 php optional 
wordpress-shibboleth_1.4-2+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlm6XPINHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPst6PD/9XGJpzv1eUscoDGsuwMp9iDrgZOtNgYe27IYPY
e9hjLHLhrzQtZ37EiIy0gkey14j/o0d0OpHxKzGD/S8Y/FVJROe8RmgnUmmVH0Yt
YG5kjOlZMdhXwGv9jtGWgVdgjhgPhynxz4QPJBlLZ3Me6zak9IX2ZP7h+N0Dchdb
lLb2rT7kEAPsArpGBEeV9YSfJl7GMzp4imVYcRk7z0pO4p5W3mFZwm+V4c4qjFPI
RI+9an3KUDEJbq6d/AtRjxVcWgERVnpIHqKYsJ9JIO6x6UVpZhefP3u4ByGUZu91
/RX6Ji1jNJ0AUrq3paOB+hqdQR0Ph3qhiIRIVwkz/0h4khnYQUHv+cOjC/3rKi44
BgxxpuOQAQji7459UEMODB5SfMceBhV6g6HLj1DPRovoAwoKdpiznDdROxjIc1j5
N4DhyTPjrqn07QOMovzTOEMZGmztiAK88YI05HzWcDIiBmxf3x0+Pf8hjFkLN7VX
AujjeyHwmqJ/3e8ckgoWiWraeMcYB6BtylabgyyUE8733jJmI25ggmc4W5HEluXr
lsrRPqKmDOuAA9rSAPRsB1B0pLZ8+FOCO6e7lBLkbeD8imrvk1U/H6XtrcVUNHe7
Kodil/rd/10hptaPXSyPsVCKIgpAEwPAQqTEmBnnviTU4ZV4/NGefOPhuktUJzEQ
nTn1OA==
=NyU+
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to