Your message dated Thu, 09 Oct 2025 09:35:38 +0000
with message-id <[email protected]>
and subject line Bug#1117047: fixed in wordpress 6.8.3+dfsg1-1
has caused the Debian Bug report #1117047,
regarding wordpress: CVE-2025-58674 CVE-2025-58246
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1117047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117047
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wordpress
Version: 6.8.1+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 6.1.6+dfsg1-0+deb12u1
Control: found -1 5.7.11+dfsg1-0+deb11u1

Hi,

The following vulnerabilities were published for wordpress.

CVE-2025-58674[0]:
| Improper Neutralization of Input During Web Page Generation ('Cross-
| site Scripting') vulnerability in WordPress allows Stored XSS.
| WordPress core security team is aware of the issue and working on a
| fix. This is a low severity vulnerability that requires an attacker to
| have Author or higher user privileges to execute the attack
| vector. This issue affects WordPress: from 6.8 through 6.8.2, from
| 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6,
| from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through
| 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9
| through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13,
| from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through
| 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1
| through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27,
| from 4.8 through 4.8.26, from 4.7 through 4.7.30.


CVE-2025-58246[1]:
| Insertion of Sensitive Information Into Sent Data vulnerability in
| WordPress allows Retrieve Embedded Sensitive Data. The WordPress
| Core security team is aware of the issue and is already working on a
| fix. This is a low-severity vulnerability. Contributor-level
| privileges are required in order to exploit it. This issue affects
| WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6
| through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from
| 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8,
| from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through
| 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5
| through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19,
| from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through
| 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7
| through 4.7.30.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58674
    https://www.cve.org/CVERecord?id=CVE-2025-58674
[1] https://security-tracker.debian.org/tracker/CVE-2025-58246
    https://www.cve.org/CVERecord?id=CVE-2025-58246

Regards,
Salvatore

--- End Message ---
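
As an added example (not part of the original bug report or of any Debian tooling), this Python sketch parses the "from X through Y" ranges used in the CVE descriptions above and checks the upstream part of a Debian package version against them. The function names and the abbreviated ADVISORY string are constructed for illustration.

```python
import re

# Constructed sample: an abbreviated copy of the affected-range wording
# used in the CVE descriptions quoted in the bug report.
ADVISORY = (
    "This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through "
    "6.7.3, from 6.1 through 6.1.8, from 5.7 through 5.7.13, "
    "from 4.7 through 4.7.30."
)

def vtuple(version, width=3):
    """Turn '6.8' into (6, 8, 0) so that 6.8 and 6.8.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def parse_ranges(text):
    """Return [(low, high), ...] for every 'from X through Y' in text."""
    pairs = re.findall(
        r"from\s+(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)", text)
    return [(vtuple(lo), vtuple(hi)) for lo, hi in pairs]

def upstream_version(debian_version):
    """Strip epoch, Debian revision and repack suffix such as +dfsg1."""
    v = debian_version.split(":", 1)[-1]          # drop an epoch, if any
    v = v.rsplit("-", 1)[0] if "-" in v else v    # drop the Debian revision
    m = re.match(r"\d+(?:\.\d+)*", v)             # leading dotted number
    if not m:
        raise ValueError(f"no upstream version in {debian_version!r}")
    return m.group(0)

def in_affected_range(debian_version, ranges):
    """True if the upstream version lies inside any listed range."""
    v = vtuple(upstream_version(debian_version))
    return any(lo <= v <= hi for lo, hi in ranges)

if __name__ == "__main__":
    ranges = parse_ranges(ADVISORY)
    # Versions named in the bug report (found in, and fixed in).
    for pkg in ("6.8.1+dfsg1-1", "6.1.6+dfsg1-0+deb12u1",
                "5.7.11+dfsg1-0+deb11u1", "6.8.3+dfsg1-1"):
        print(pkg, "in range" if in_affected_range(pkg, ranges) else "not in range")
```

A match only says the upstream version falls inside a listed range. Debian can backport fixes without changing the upstream version, so the security tracker entry remains the authority on whether a given package revision is fixed.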
--- Begin Message ---
Source: wordpress
Source-Version: 6.8.3+dfsg1-1
Done: Craig Small <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 09 Oct 2025 20:03:14 +1100
Source: wordpress
Architecture: source
Version: 6.8.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Closes: 1117047
Changes:
 wordpress (6.8.3+dfsg1-1) unstable; urgency=medium
 .
   * New upstream security release Closes: #1117047
     Fixes the following CVEs:
     - Stored XSS in nav menus CVE-2025-58674
     - Data exposure CVE-2025-58246
   * Update copyright files to use download links


--- End Message ---
