Your message dated Sun, 30 Jun 2024 09:52:08 +0000
with message-id <e1snre8-00d9rd...@fasolo.debian.org>
and subject line Bug#1074486: fixed in wordpress 6.5.5+dfsg1-1
has caused the Debian Bug report #1074486,
regarding wordpress: CVE-2024-6307 CVE-2024-31111 CVE-2024-32111
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 6.5.3+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for wordpress.

CVE-2024-6307[0]:
| WordPress Core is vulnerable to Stored Cross-Site Scripting via the
| HTML API in various versions prior to 6.5.5 due to insufficient
| input sanitization and output escaping on URLs. This makes it
| possible for authenticated attackers, with contributor-level access
| and above, to inject arbitrary web scripts in pages that will
| execute whenever a user accesses an injected page.


CVE-2024-31111[1]:
| Improper Neutralization of Input During Web Page Generation (XSS or
| 'Cross-site Scripting') vulnerability in Automattic WordPress allows
| Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4,
| from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through
| 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9
| through 5.9.9.


CVE-2024-32111[2]:
| Improper Limitation of a Pathname to a Restricted Directory ('Path
| Traversal') vulnerability in Automattic WordPress allows Relative
| Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4,
| from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through
| 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9
| through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from
| 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through
| 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1
| through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25,
| from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through
| 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3
| through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6307
    https://www.cve.org/CVERecord?id=CVE-2024-6307
[1] https://security-tracker.debian.org/tracker/CVE-2024-31111
    https://www.cve.org/CVERecord?id=CVE-2024-31111
[2] https://security-tracker.debian.org/tracker/CVE-2024-32111
    https://www.cve.org/CVERecord?id=CVE-2024-32111
[3] https://wordpress.org/news/2024/06/wordpress-6-5-5/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 6.5.5+dfsg1-1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Jun 2024 19:28:36 +1000
Source: wordpress
Architecture: source
Version: 6.5.5+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 1074486
Changes:
 wordpress (6.5.5+dfsg1-1) unstable; urgency=medium
 .
   * New upstream security release Closes: #1074486
     Fixes the following CVEs
     - Stored XSS via HTML API CVE-2024-6307
     - Stored XSS in Template Part block CVE-2024-31111
     - Relative Path traversal CVE-2024-32111
Checksums-Sha1:
 b29ae1712e1565c580b965e1644b071ba30d1cf2 2420 wordpress_6.5.5+dfsg1-1.dsc
 287e7fe783a32061ca43c598b1ad54d2e6a56d65 17009476 wordpress_6.5.5+dfsg1.orig.tar.xz
 10fbf935be8337ff9cf8c560566dd63463f47478 6923044 wordpress_6.5.5+dfsg1-1.debian.tar.xz
 6591417b0438f0fa52216a51237e47cf8f46f9b4 7986 wordpress_6.5.5+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 df5b90896a076d4bef62956895a0848ce6a8bf2a322aed18a36102a62c7cebc5 2420 wordpress_6.5.5+dfsg1-1.dsc
 74bdd094cebcd2a95a796f0bc8c3e38983d37e909b563e9297459bc6342857ec 17009476 wordpress_6.5.5+dfsg1.orig.tar.xz
 b451a2be80bad89b79ffdcd5738987e2028f910037de23ac763aecb4f953dbc3 6923044 wordpress_6.5.5+dfsg1-1.debian.tar.xz
 ef4a36cbcdc64b60b729c1511546e84f8dda30b9b3c3ed311694021711d3496d 7986 wordpress_6.5.5+dfsg1-1_amd64.buildinfo
Files:
 53dae7d0fb54ec63f3239dda60858c02 2420 web optional wordpress_6.5.5+dfsg1-1.dsc
 648514ad2bb8db3c153b2364de3a7d75 17009476 web optional wordpress_6.5.5+dfsg1.orig.tar.xz
 9b6617d4df269810b32f6482af0e208c 6923044 web optional wordpress_6.5.5+dfsg1-1.debian.tar.xz
 4144ad00159aa377adb146167f2c5d61 7986 web optional wordpress_6.5.5+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgplTyt18AA9w.pgp
Description: PGP signature


--- End Message ---
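As an added example (not part of the bug report, the Debian package or its tooling), the following Python script parses the Checksums-Sha256 field of a .changes file like the one in the closing message above and verifies downloaded files against it, reporting missing files, size mismatches and digest mismatches separately. The four wordpress entries in the sample are copied from that message; the `empty.txt` and `a.txt` entries, their contents and the `verify_constructed` helper are constructed so the check can run offline. The .changes is trustworthy only after its PGP signature has been verified (the message above is signed); this script does not check the signature.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample: the Checksums-Sha256 field of a .changes file, in the
# "<sha256> <size> <filename>" continuation-line form that dpkg writes.
# The wordpress entries are copied from the .changes above; empty.txt and
# a.txt are constructed entries (SHA-256 of b"" and of b"a") for offline tests.
SAMPLE_CHANGES = """\
Format: 1.8
Source: wordpress
Checksums-Sha256:
 df5b90896a076d4bef62956895a0848ce6a8bf2a322aed18a36102a62c7cebc5 2420 wordpress_6.5.5+dfsg1-1.dsc
 74bdd094cebcd2a95a796f0bc8c3e38983d37e909b563e9297459bc6342857ec 17009476 wordpress_6.5.5+dfsg1.orig.tar.xz
 b451a2be80bad89b79ffdcd5738987e2028f910037de23ac763aecb4f953dbc3 6923044 wordpress_6.5.5+dfsg1-1.debian.tar.xz
 ef4a36cbcdc64b60b729c1511546e84f8dda30b9b3c3ed311694021711d3496d 7986 wordpress_6.5.5+dfsg1-1_amd64.buildinfo
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 empty.txt
 ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb 1 a.txt
Files:
 53dae7d0fb54ec63f3239dda60858c02 2420 web optional wordpress_6.5.5+dfsg1-1.dsc
"""

# One continuation line: single leading space, 64 hex chars, size, filename.
ENTRY_RE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_sha256_block(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    Only the indented continuation lines directly under the field header are
    read; the first non-indented line ends the field. Filenames containing a
    path separator are rejected so a crafted .changes cannot make the verifier
    read or report files outside the download directory.
    """
    entries = {}
    in_block = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            break
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = m.groups()
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError("unsafe filename in .changes: %r" % name)
        entries[name] = (digest, int(size))
    return entries


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries, directory):
    """Check every listed file under directory.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "sha256-mismatch"}.
    Size is compared first: it is cheap and catches truncated downloads
    before any hashing is done.
    """
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def verify_constructed(file_contents):
    """Write constructed files into a temporary directory and verify them
    against SAMPLE_CHANGES; file_contents maps filename -> bytes."""
    entries = parse_sha256_block(SAMPLE_CHANGES)
    with tempfile.TemporaryDirectory() as d:
        for name, data in file_contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_files(entries, d)


if __name__ == "__main__":
    # Only the constructed files exist here; the wordpress artifacts are
    # reported as missing, which is the expected result offline.
    for name, status in verify_constructed({"empty.txt": b"", "a.txt": b"b"}).items():
        print(status, name)
```

In practice the script is pointed at the directory holding the downloaded `.dsc`, `.orig.tar.xz` and `.debian.tar.xz`, and any result other than `ok` for every listed file means the download should not be built or installed.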
