On Wed, May 17, 2017 at 09:54:55PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 4.7.4+dfsg-1
> Severity: grave
> Tags: upstream security
> Justification: user security hole
>
> Wordpress 4.7.4 and earlier has 6 security holes that are fixed in
> 4.7.5[1]
>
> * 2.7.0 - 4.7.4
>   Insufficient redirect validation in the HTTP class.
> * 2.5.0 - 4.7.4
>   Improper handling of post meta data values in the XML-RPC API.
> * 3.4.0 - 4.7.4
>   Lack of capability checks for post meta data in the XML-RPC API.
> * 2.5.0 - 4.7.4
>   A Cross Site Request Forgery (CSRF) vulnerability was discovered in the
>   filesystem credentials dialog.
> * 3.3 - 4.7.4
>   A cross-site scripting (XSS) vulnerability was discovered when
>   attempting to upload very large files.
> * 3.4.0 - 4.6.4
>   A cross-site scripting (XSS) vulnerability was discovered related to the
>   Customizer.
>
> Looking at the versions, all distributions are vulnerable to all bugs,
> yay me!

Craig, will this version make it to testing? If that is the case, I'll
prepare the jessie backport today.

Thanks a lot,
Rodrigo