Your message dated Thu, 19 Oct 2017 17:32:51 +0000
with message-id <e1e5egd-000arx...@fasolo.debian.org>
and subject line Bug#876274: fixed in wordpress 4.7.5+dfsg-2+deb9u1
has caused the Debian Bug report #876274,
regarding wordpress: 9 security bugs in wordpress 4.8.1 and earlier
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
876274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.8.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole
WordPress 4.8.2 is out, which fixes 9 security issues [1].
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core is not directly
vulnerable to this issue, but we’ve added hardening to prevent plugins
and themes from accidentally causing a vulnerability. Reported by Slavco
A cross-site scripting (XSS) vulnerability was discovered in the oEmbed
discovery. Reported by xknown of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in the visual
editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
A path traversal vulnerability was discovered in the file unzipping
code. Reported by Alex Chapman (noxrnet).
A cross-site scripting (XSS) vulnerability was discovered in the plugin
editor. Reported by 陈瑞琦 (Chen Ruiqi).
An open redirect was discovered on the user and term edit screens.
Reported by Yasin Soliman (ysx).
A path traversal vulnerability was discovered in the customizer.
Reported by Weston Ruter of the WordPress Security Team.
A cross-site scripting (XSS) vulnerability was discovered in template
names. Reported by Luka (sikic).
A cross-site scripting (XSS) vulnerability was discovered in the link
modal. Reported by Anas Roubi (qasuar).
[1] https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Oct 2017 07:11:32 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen
wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 876274 877629
Changes:
wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
.
* Backport patches from 4.8.2 Closes: #876274
- CVE-2017-14723
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi)
Changeset 41472, 41498
- CVE-2017-14724
Cross-site scripting (XSS) vulnerability in the oEmbed discovery
Changeset 41451
- CVE-2017-14726
Cross-site scripting (XSS) vulnerability in the visual editor
Changeset 41436
- CVE-2017-14719
Path traversal vulnerability in the file unzipping code
Changeset 41459
- CVE-2017-14721
Cross-site scripting (XSS) vulnerability in the plugin editor
Changeset 41413
- CVE-2017-14725
Open redirect in the user and term edit screens
Changeset 41418
- CVE-2017-14722
Path traversal vulnerability in the customizer
Changeset 41430
- CVE-2017-14720
Cross-site scripting (XSS) vulnerability in template names
Changeset 41413 (same as plugin editor)
- CVE-2017-14718
Cross-site scripting (XSS) vulnerability in the link modal
* Hash user activation key Closes: #877629
Fixes CVE-2017-14990
Checksums-Sha1:
a9e488c4df0b36dd39b41d462f810102f26435df 2567 wordpress_4.7.5+dfsg-2+deb9u1.dsc
edf2c207b6c6c173d8958c0d9191e1e0d532e042 6240440 wordpress_4.7.5+dfsg.orig.tar.xz
e0417f8708cc10ca56041e972fb4ca083bdac5e4 6785340 wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
014d493c433949581827abb22faad2d3f6297844 4382638 wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
99a9c6e1853fc992fb8645dedc7fe1302353cbbf 700472 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
db0d15595516b0867938d9fe49b7bd15bbd64ef0 940094 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
35adf0a11c5958aac424850a4e4304f019fced52 589188 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
1a1fe93a389e4ae808187c824014fc2f01d57eca 4000422 wordpress_4.7.5+dfsg-2+deb9u1_all.deb
f86f46fb5375b65b7438360b44583563fab1ec26 7445 wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
37ba9d3c65c8f242019ab92e1c896c8bbb7f6ef376f4805eff8f233ab82d869b 2567 wordpress_4.7.5+dfsg-2+deb9u1.dsc
a21bc1f4042bbd77eb1ddef2cdcd3fb60f121835cf5d219a6e12a2d06a839b7f 6240440 wordpress_4.7.5+dfsg.orig.tar.xz
b610d6c3784f29ce1344c107d0b39029bef293c08adbad357263d2d6bf7f4f6d 6785340 wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
441b2b00c7cb3f223a6881f0054f94f91f02c93ac0dc209bf8b1d5c653ec9be8 4382638 wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
b06298da79ea789b0765b248359100fb0807a3a24249e7c126726ab21bb537a8 700472 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
572dffe8d5adc67d54bc69dde3b1dfa4c917d7549d2c1594ef802bd124d8735f 940094 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
ff42d848ff38035275ab9dbe524fe8f819cf0477ac63b88d8c95e9c0b5f8e501 589188 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
2a0097fcf5d66f912e70f36ed27f0ad9d2888b3e08ac638f3d0a6ac66e420b53 4000422 wordpress_4.7.5+dfsg-2+deb9u1_all.deb
5da5441b9c3aa36ecbe618a003d703eb2a610d55648f6710feff4fe52182cf0e 7445 wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo
Files:
21a555aa4c57f04d5bc92477481b9063 2567 web optional wordpress_4.7.5+dfsg-2+deb9u1.dsc
acb0c5ca4df36e2eef3274d6adc4f8b8 6240440 web optional wordpress_4.7.5+dfsg.orig.tar.xz
2ac4750281b13334542a7db72cacd80d 6785340 web optional wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
da8441d62a0fc891beaf9e36137b032d 4382638 localization optional wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
3d21c554d514bcaa1cf9e30f2ce89294 700472 web optional wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
51cdc6b546ec088cb991cb9d0d8d49b7 940094 web optional wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
fea91b00203c8603998a988bbb55bcff 589188 web optional wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
f05853250ca3347238d7acd3d908d766 4000422 web optional wordpress_4.7.5+dfsg-2+deb9u1_all.deb
e27b814900766441f5aebbccefedafb6 7445 web optional wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
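The Checksums-Sha256 field in the .changes file above is what lets anyone holding the uploaded files confirm they are the ones the maintainer signed. The following is an added illustration, not Debian's own tooling (dscverify from devscripts performs this check together with the OpenPGP signature verification): a parser for the deb822 Checksums-Sha256 field and a verifier that reports, for each listed file, whether it is present, has the declared size and matches the declared digest. The file names (example_1.0-1.*), their contents and therefore their digests are constructed for the demo. In a real .changes file each entry is one continuation line indented by a single space; the copy above has lost that indentation, so the parser below expects the real layout.

```python
"""Verify a Debian .changes file's Checksums-Sha256 field against local files.

Added illustration, not Debian's own tooling. File names, contents and the
resulting digests used by demo() are constructed for this example.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, List, Tuple

# One entry per line: "<64 lowercase hex digits> <size in bytes> <file name>".
_ENTRY_RE = re.compile(r"^\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_checksums_sha256(changes_text: str) -> List[Tuple[str, int, str]]:
    """Return (sha256, size, filename) tuples from the Checksums-Sha256 field.

    deb822 layout: the field name stands alone on its line and every entry is
    a continuation line indented with whitespace; the field ends at the first
    line that is not indented (the next field, or the end of the body).
    """
    entries: List[Tuple[str, int, str]] = []
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.rstrip() == "Checksums-Sha256:"
            continue
        if not line[:1].isspace():
            break
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed Checksums-Sha256 entry: {line!r}")
        entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so a large .orig.tar.xz is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_changes(changes_text: str, directory: str) -> Dict[str, str]:
    """Map every listed file to 'ok', 'missing', 'size-mismatch', 'hash-mismatch' or 'bad-filename'."""
    results: Dict[str, str] = {}
    for expected_hash, expected_size, name in parse_checksums_sha256(changes_text):
        # A .changes file only names files beside it; refuse anything carrying a path component.
        if os.path.basename(name) != name:
            results[name] = "bad-filename"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != expected_size:
            # Cheap check first: a truncated or padded download is reported without hashing it.
            results[name] = "size-mismatch"
        elif not hmac.compare_digest(sha256_file(path), expected_hash):
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


# Constructed stand-ins for an upload's files (not real Debian artifacts).
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0-1_all.deb": b"!<arch>\n" + bytes(range(64)),
}


def write_sample(directory: str) -> str:
    """Write the constructed files and return a .changes fragment whose digests match them."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in SAMPLE_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        lines.append(f" {sha256_file(path)} {len(data)} {name}")
    lines.append("Files:")  # next field; the parser stops here
    return "\n".join(lines) + "\n"


def demo() -> Dict[str, object]:
    """Run the verifier on intact files, then after three kinds of damage to the .deb."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as directory:
        changes = write_sample(directory)
        deb_name = "example_1.0-1_all.deb"
        deb = os.path.join(directory, deb_name)
        out["clean"] = verify_changes(changes, directory)
        # Flip one bit in place: the size still matches, only the digest reveals the change.
        with open(deb, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        out["corrupted"] = verify_changes(changes, directory)[deb_name]
        # Append a byte: the size check reports it before any hashing.
        with open(deb, "ab") as fh:
            fh.write(b"\n")
        out["padded"] = verify_changes(changes, directory)[deb_name]
        os.remove(deb)
        out["missing"] = verify_changes(changes, directory)[deb_name]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Matching digests only prove that the files agree with the .changes file; the .changes file itself is trustworthy only once its PGP signature has been verified against the uploader's key in the Debian keyring, which this example leaves to the existing tooling.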