Your message dated Fri, 22 Sep 2017 12:50:50 +0000
with message-id <e1dvnpu-000758...@fasolo.debian.org>
and subject line Bug#876274: fixed in wordpress 4.8.2+dfsg-1
has caused the Debian Bug report #876274,
regarding wordpress: 9 security bugs in wordpress 4.8.1 and earlier
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.8.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

Wordpress 4.8.2 is out which fixes 9 security issues[1]

1. $wpdb->prepare() can create unexpected and unsafe queries leading to
   potential SQL injection (SQLi). WordPress core is not directly
   vulnerable to this issue, but we’ve added hardening to prevent plugins
   and themes from accidentally causing a vulnerability. Reported by Slavco.
2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed
   discovery. Reported by xknown of the WordPress Security Team.
3. A cross-site scripting (XSS) vulnerability was discovered in the visual
   editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
4. A path traversal vulnerability was discovered in the file unzipping
   code. Reported by Alex Chapman (noxrnet).
5. A cross-site scripting (XSS) vulnerability was discovered in the plugin
   editor. Reported by 陈瑞琦 (Chen Ruiqi).
6. An open redirect was discovered on the user and term edit screens.
   Reported by Yasin Soliman (ysx).
7. A path traversal vulnerability was discovered in the customizer.
   Reported by Weston Ruter of the WordPress Security Team.
8. A cross-site scripting (XSS) vulnerability was discovered in template
   names. Reported by Luka (sikic).
9. A cross-site scripting (XSS) vulnerability was discovered in the link
   modal. Reported by Anas Roubi (qasuar).



1: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.8.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 Sep 2017 21:57:06 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.8.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 876274
Changes:
 wordpress (4.8.2+dfsg-1) unstable; urgency=high
 .
   * New upstream security release fixes 9 security issues closes: #876274
     CVE IDs will be updated when issued
     - CVE-2017-XXX
       $wpdb->prepare() can create unexpected and unsafe queries leading to
       potential SQL injection (SQLi)
     - CVE-2017-TBA
       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
     - CVE-2017-TBA
       Cross-site scripting (XSS) vulnerability in the visual editor
     - CVE-2017-TBA
       Path traversal vulnerability in the file unzipping code
     - CVE-2017-TBA
       Cross-site scripting (XSS) vulnerability in the plugin editor
     - CVE-2017-TBA
       Open redirect in the user and term edit screens
     - CVE-2017-TBA
       Path traversal vulnerability in the customizer
     - CVE-2017-TBA
       Cross-site scripting (XSS) vulnerability in template names
     - CVE-2017-TBA
       Cross-site scripting (XSS) vulnerability in the link modal

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
