tag 862053 pending
thanks

Hello,

Bug #862053 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    
https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=15f30ad

---
commit 15f30ad74428038ecaed723da126e387e01148da
Author: Craig Small <csm...@debian.org>
Date:   Mon Jun 5 21:37:17 2017 +1000

    Don't use SERVER_NAME for emails
    
    WordPress uses the SERVER_NAME variable to generate the from address for
    password resets. This variable can be set by the hostname sent by the
    client, which means it can be spoofed.
    
    This patch fixes CVE-2017-8295 and closes #862053

diff --git a/debian/changelog b/debian/changelog
index 2201ddc..7c9bd0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (4.7.5+dfsg-2) UNRELEASED; urgency=medium
+
+  * Don't trust SERVER_NAME variable for emails
+    CVE-2017-8295 Closes: #862053
+
+ -- Craig Small <csm...@debian.org>  Mon, 05 Jun 2017 21:36:10 +1000
+
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 
   * New upstream release fixes 6 security issues Closes: #862816
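Review bot: The new entry "* Don't trust SERVER_NAME variable for emails" does not say which file or patch carries the change, or what the From address is built from instead. As shown, this diff touches only debian/changelog, so the fix for CVE-2017-8295 itself cannot be checked from these lines. Suggest naming the changed file or patch in the entry and stating the replacement source for the host part of the address, so the changelog alone tells an administrator what behaviour changed. The entry is also marked urgency=medium while it closes a CVE; confirm that is intended, given the preceding security upload used urgency=high. Minor: put "Closes: #862053" on its own line or separate it from the CVE id with punctuation, since "CVE-2017-8295 Closes: #862053" reads as one run-on token.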
