Your message dated Fri, 09 Feb 2018 23:49:51 +0000
with message-id <e1ekiqr-0005l7...@fasolo.debian.org>
and subject line Bug#883314: fixed in wordpress 4.7.5+dfsg-2+deb9u2
has caused the Debian Bug report #883314,
regarding wordpress: CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.1+dfsg-1
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for wordpress.

CVE-2017-17091[0]:
| wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser
| key to a string that can be directly derived from the user ID, which
| allows remote attackers to bypass intended access restrictions by
| entering this string.

CVE-2017-17092[1]:
| wp-includes/functions.php in WordPress before 4.9.1 does not require
| the unfiltered_html capability for upload of .js files, which might
| allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093[2]:
| wp-includes/general-template.php in WordPress before 4.9.1 does not
| properly restrict the lang attribute of an HTML element, which might
| allow attackers to conduct XSS attacks via the language setting of a
| site.

CVE-2017-17094[3]:
| wp-includes/feed.php in WordPress before 4.9.1 does not properly
| restrict enclosures in RSS and Atom fields, which might allow attackers
| to conduct XSS attacks via a crafted URL.

Published at [4]. The respective commits are all referenced in the
corresponding CVE page on the security-tracker and were used for the
CVE request.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[1] https://security-tracker.debian.org/tracker/CVE-2017-17092
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[2] https://security-tracker.debian.org/tracker/CVE-2017-17093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[3] https://security-tracker.debian.org/tracker/CVE-2017-17094
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[4] https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 04 Jan 2018 18:19:44 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 880528 883314
Changes:
 wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high
 .
   * Backport security patches from 4.9.1 Closes: #883314
     - CVE-2017-17091
       Use a properly generated hash for the newbloguser key instead
       of a determinate substring.
       Changeset 42272
     - CVE-2017-17092
       Remove the ability to upload JavaScript files for users who
       do not have the unfiltered_html capability
       Changeset 42275
     - CVE-2017-17093
       Add escaping to the language attributes used on html elements
       Changeset 42273
     - CVE-2017-17094
       Ensure the attributes of enclosures are correctly escaped in
       RSS and Atom feeds
       Changeset 42274
   * Also backport patch for $wpdb->prepare CVE-2017-16510
     Closes: 880528
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
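What the first backported fix (CVE-2017-17091) changes, as an added PHP illustration that is not the WordPress changeset or the Debian patch: a confirmation key derived from the user ID beside one generated from the CSPRNG and verified in constant time. The function names and the md5-substring stand-in for the "determinate substring" are assumptions.

```php
<?php
// Added illustration of the bug class behind CVE-2017-17091; not WordPress code.
// A confirmation key that is a pure function of the user ID is not a secret:
// anyone who knows or guesses the ID can recompute it (assumed stand-in for
// the "determinate substring" the changelog describes).
function weak_newbloguser_key(int $user_id): string
{
    return substr(md5((string) $user_id), 0, 5);
}

// Hardened form, matching the changelog's "properly generated" key:
// 128 bits from the CSPRNG, persisted server-side per pending user.
function generate_newbloguser_key(): string
{
    return bin2hex(random_bytes(16));
}

// Verify with a constant-time comparison so the check leaks no timing.
function verify_newbloguser_key(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// The weak key for a given user is identical on every run and every site,
// so it can be computed without any access to the target.
expect(weak_newbloguser_key(42) === weak_newbloguser_key(42), 'weak key is predictable');

// The hardened key only verifies against the stored value; a freshly
// generated key (the best a guesser could produce) is rejected.
$stored = generate_newbloguser_key();   // what the site would persist, e.g. in an option
expect(verify_newbloguser_key($stored, $stored), 'stored key verifies');
expect(!verify_newbloguser_key($stored, generate_newbloguser_key()), 'other key rejected');
expect(strlen($stored) === 32, 'key is 32 hex chars');
echo "newbloguser key checks passed\n";
```

The same principle applies to any activation or reset token: it must be stored, random, and compared with `hash_equals`, never recomputable from public identifiers.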