Your message dated Wed, 17 May 2017 13:04:10 +0000
with message-id <e1daycc-0000c5...@fasolo.debian.org>
and subject line Bug#862816: fixed in wordpress 4.7.5+dfsg-1
has caused the Debian Bug report #862816,
regarding wordpress: Six security bugs in wordpress 4.7.4 and earlier
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.7.4+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole

WordPress 4.7.4 and earlier has 6 security holes that are fixed in
4.7.5[1].

 * 2.7.0 - 4.7.4
   Insufficient redirect validation in the HTTP class.
 * 2.5.0 - 4.7.4
   Improper handling of post meta data values in the XML-RPC API.
 * 3.4.0 - 4.7.4
   Lack of capability checks for post meta data in the XML-RPC API.
 * 2.5.0 - 4.7.4
   A Cross Site Request Forgery (CSRF) vulnerability was discovered in the
   filesystem credentials dialog.
 * 3.3 - 4.7.4
   A cross-site scripting (XSS) vulnerability was discovered when
   attempting to upload very large files.
 * 3.4.0 - 4.6.4
   A cross-site scripting (XSS) vulnerability was discovered related to the
   Customizer.

Looking at the versions, all distributions are vulnerable to all bugs,
yay me!

I'll request the CVEs and update when I get them.

1: https://wordpress.org/news/2017/05/wordpress-4-7-5/


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 May 2017 22:28:18 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 862816
Changes:
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 .
   * New upstream release fixes 6 security issues Closes: #862816
     CVEs to be added once issued
     - CVE-2017-XXX
       Insufficient redirect validation in the HTTP class.
     - CVE-2017-XXX
       Improper handling of post meta data values in the XML-RPC API.
     - CVE-2017-XXX
       Lack of capability checks for post meta data in the XML-RPC API.
     - CVE-2017-XXX
       A Cross Site Request Forgery (CSRF) vulnerability was discovered
       in the filesystem credentials dialog.
     - CVE-2017-XXX
       A cross-site scripting (XSS) vulnerability was discovered when
       attempting to upload very large files.
     - CVE-2017-XXX
       A cross-site scripting (XSS) vulnerability was discovered related
       to the Customizer.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
