Your message dated Thu, 19 Oct 2017 17:32:51 +0000
with message-id <e1e5egd-000arx...@fasolo.debian.org>
and subject line Bug#876274: fixed in wordpress 4.7.5+dfsg-2+deb9u1
has caused the Debian Bug report #876274,
regarding wordpress: 9 security bugs in wordpress 4.8.1 and earlier
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.8.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

WordPress 4.8.2 is out which fixes 9 security issues[1]:

 1. $wpdb->prepare() can create unexpected and unsafe queries leading to
    potential SQL injection (SQLi). WordPress core is not directly
    vulnerable to this issue, but we’ve added hardening to prevent plugins
    and themes from accidentally causing a vulnerability. Reported by Slavco.
 2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed
    discovery. Reported by xknown of the WordPress Security Team.
 3. A cross-site scripting (XSS) vulnerability was discovered in the visual
    editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
 4. A path traversal vulnerability was discovered in the file unzipping
    code. Reported by Alex Chapman (noxrnet).
 5. A cross-site scripting (XSS) vulnerability was discovered in the plugin
    editor. Reported by 陈瑞琦 (Chen Ruiqi).
 6. An open redirect was discovered on the user and term edit screens.
    Reported by Yasin Soliman (ysx).
 7. A path traversal vulnerability was discovered in the customizer.
    Reported by Weston Ruter of the WordPress Security Team.
 8. A cross-site scripting (XSS) vulnerability was discovered in template
    names. Reported by Luka (sikic).
 9. A cross-site scripting (XSS) vulnerability was discovered in the link
    modal. Reported by Anas Roubi (qasuar).



1: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Oct 2017 07:11:32 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen 
wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 876274 877629
Changes:
 wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
 .
   * Backport patches from 4.8.2 Closes: #876274
      - CVE-2017-14723
        $wpdb->prepare() can create unexpected and unsafe queries leading to
        potential SQL injection (SQLi)
        Changeset 41472, 41498
      - CVE-2017-14724
        Cross-site scripting (XSS) vulnerability in the oEmbed discovery
        Changeset 41451
      - CVE-2017-14726
        Cross-site scripting (XSS) vulnerability in the visual editor
        Changeset 41436
      - CVE-2017-14719
        Path traversal vulnerability in the file unzipping code
        Changeset 41459
      - CVE-2017-14721
        Cross-site scripting (XSS) vulnerability in the plugin editor
        Changeset 41413
      - CVE-2017-14725
        Open redirect in the user and term edit screens
        Changeset 41418
      - CVE-2017-14722
        Path traversal vulnerability in the customizer
        Changeset 41430
      - CVE-2017-14720
        Cross-site scripting (XSS) vulnerability in template names
        Changeset 41413 (same as plugin editor)
      - CVE-2017-14718
        Cross-site scripting (XSS) vulnerability in the link modal
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990


--- End Message ---
