Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi

Please unblock package wordpress

It fixes #862053, CVE-2017-8295, which was addressed already in the DSA for jessie (and would otherwise be a regression).

Changelog entry:

>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
>  * Don't trust SERVER_NAME variable for emails
>    CVE-2017-8295 Closes: #862053
>
> -- Craig Small <csm...@debian.org>  Mon, 05 Jun 2017 21:45:59 +1000

unblock wordpress/4.7.5+dfsg-2

I'm attaching the full debdiff against the current version in testing. Note it as well adjusts the older changelog entry to add the CVE identifiers.

Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog wordpress-4.7.5+dfsg/debian/changelog --- wordpress-4.7.5+dfsg/debian/changelog 2017-05-17 14:28:18.000000000 +0200 +++ wordpress-4.7.5+dfsg/debian/changelog 2017-06-05 13:45:59.000000000 +0200 @@ -1,20 +1,26 @@ +wordpress (4.7.5+dfsg-2) unstable; urgency=medium + + * Don't trust SERVER_NAME variable for emails + CVE-2017-8295 Closes: #862053 + + -- Craig Small <csm...@debian.org> Mon, 05 Jun 2017 21:45:59 +1000 + wordpress (4.7.5+dfsg-1) unstable; urgency=high * New upstream release fixes 6 security issues Closes: #862816 - CVEs to be added once issued - - CVE-2017-XXX + - CVE-2017-9066 Insufficient redirect validation in the HTTP class. - - CVE-2017-XXX + - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API. - - CVE-2017-XXX + - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API. - - CVE-2017-XXX + - CVE-2017-9064 A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. - - CVE-2017-XXX + - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. - - CVE-2017-XXX + - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 --- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 1970-01-01 01:00:00.000000000 +0100 +++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 2017-06-05 13:45:59.000000000 +0200 
@@ -0,0 +1,36 @@ +Description: Don't use SERVER_NAME for emails + WordPress uses the SERVER_NAME variable to generate the from address for + password resets. This variable can be set by the hostname sent by the + client, which means it can be spoofed. + + This patch fixes CVE-2017-8295 +Author: Maarten de Boer +Origin: upstream, https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch +Bug: https://core.trac.wordpress.org/ticket/25239 +Bug-Debian: https://bugs.debian.org/862053 +Reviewed-by: Craig Small <csm...@debian.org> +--- a/wp-includes/pluggable.php ++++ b/wp-includes/pluggable.php +@@ -323,11 +323,8 @@ + + if ( !isset( $from_email ) ) { + // Get the site domain and get rid of www. +- $sitename = strtolower( $_SERVER['SERVER_NAME'] ); +- if ( substr( $sitename, 0, 4 ) == 'www.' ) { +- $sitename = substr( $sitename, 4 ); +- } +- ++ $sitename = parse_url( network_home_url(), PHP_URL_HOST ); ++ + $from_email = 'wordpress@' . $sitename; + } + +@@ -1491,7 +1488,7 @@ + $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n"; + } + +- $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME'])); ++ $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST); + + if ( '' == $comment->comment_author ) { + $from = "From: \"$blogname\" <$wp_email>"; diff -Nru wordpress-4.7.5+dfsg/debian/patches/series wordpress-4.7.5+dfsg/debian/patches/series --- wordpress-4.7.5+dfsg/debian/patches/series 2017-05-17 14:28:18.000000000 +0200 +++ wordpress-4.7.5+dfsg/debian/patches/series 2017-06-05 13:45:59.000000000 +0200 @@ -3,3 +3,4 @@ 003installer.patch 010disabling_update_note.patch #011support-symlinks-for-plugins.patch +CVE-2017-8295
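Review bot: the new 4.7.5+dfsg-2 entry at the top of the debian/changelog hunk is marked urgency=medium although it ships a CVE fix, while the preceding 4.7.5+dfsg-1 security entry in the same hunk uses urgency=high; urgency=high would be consistent with how this package's other security uploads are marked. While the entry is being touched, the unchanged context line "A Cross Site Request Forgery (CRSF) vulnerability" still carries the CRSF typo and could read CSRF.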
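Review bot: the DEP-3 header of debian/patches/CVE-2017-8295 declares "Origin: upstream", but the URL given is an attachment on trac ticket 25239 by a third-party author (Maarten de Boer), not a merged upstream commit; if the change has not actually been committed upstream, "Origin: other" together with a "Forwarded:" line pointing at the ticket describes its status more accurately and tells the next maintainer whether to expect it in a future upstream release.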
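Review bot: in the first wp-includes/pluggable.php hunk (@@ -323,11 +323,8 @@) the comment "// Get the site domain and get rid of www." is now stale, because the replacement line `$sitename = parse_url( network_home_url(), PHP_URL_HOST );` neither lowercases the host nor strips a leading www. as the removed substr() block did, so a site whose home URL is https://www.example.org now sends from wordpress@www.example.org instead of wordpress@example.org. Either update the comment or apply the same normalisation to the parsed host. parse_url() also returns null when the URL has no host component, which would produce a bare "wordpress@" From address; a fallback host for that case would avoid emitting a malformed header.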
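Review bot: the second wp-includes/pluggable.php hunk (@@ -1491,7 +1488,7 @@) makes the same substitution for `$wp_email` in the comment-notification path and likewise drops the strtolower() and `preg_replace('#^www\.#', '', ...)` normalisation that the removed line performed, so the From-address change described for the first hunk applies to comment notifications too. Since both call sites now derive the address identically, a small shared helper would keep the two from diverging again and give one place to handle the missing-host case.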
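Review bot: the entry added to debian/patches/series is named CVE-2017-8295 with no .patch suffix, unlike the neighbouring 003installer.patch and 010disabling_update_note.patch; renaming the file to CVE-2017-8295.patch would keep the series consistent. It is appended after the commented-out #011support-symlinks-for-plugins.patch line, which quilt accepts, but it is worth confirming that the new patch still applies cleanly on top of 010disabling_update_note.patch rather than relying on the disabled 011 patch's context.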