Your message dated Sat, 12 Mar 2022 10:00:18 +0000
with message-id <e1nsyxq-000hwc...@fasolo.debian.org>
and subject line Bug#1007145: fixed in wordpress 5.9.2+dfsg1-1
has caused the Debian Bug report #1007145,
regarding wordpress: WordPress 5.9.2 security and maintenance release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1007145: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007145
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wordpress
Version: 5.8.3+dfsg1-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
WordPress has released version 5.9.2 that has one bug fix and three
security fixes[1]. They state the security fixes are required back
to 3.7 so all releases are vulnerable.
It is difficult to see what has actually changed between 5.9.1 and
5.9.2[2]. WordPress gives no details except:
* Prototype Pollution Vulnerability in a jQuery dependency
* Stored Cross Site Scripting Vulnerability
Besides version string changes, the two actual changes I can see
are:
* Adding another conditional to the theme installer
* Updating jquery from 2.1.7 to 2.2.3
The theme installer change[3] references upstream bug 54578[4]
which is also linked in [1] as the bug fix (separate to the
3 security fixes).
My conclusion is the three security issues must live in
jquery and upgrading from 2.1.7 to 2.2.3 fixes this.
Prototype pollution mentioned in the wordpress announcement
sounds a lot like CVE-2022-23395[5] or CVE-2019-11358[6].
Looking at the patches, it looks like the latter.
I'm not sure about the other two; they could be
CVE-2020-11022 and CVE-2020-11023, but I cannot confirm this.
- Craig
1: https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
2: https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=52874%40branches%2F5.9&old=52786%40branches%2F5.9&sfp_email=&sfph_mail=
3: https://core.trac.wordpress.org/changeset/52803/branches/5.9
4: https://core.trac.wordpress.org/ticket/54578
5: https://nvd.nist.gov/vuln/detail/CVE-2022-23395
6: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-2-amd64 (SMP w/6 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages wordpress depends on:
pn apache2 | httpd <none>
ii ca-certificates 20211016
pn default-mysql-client | virtual-mysql-client <none>
pn libapache2-mod-php | php <none>
pn libjs-cropper <none>
ii libjs-underscore 1.13.2~dfsg-2
pn php-gd <none>
pn php-getid3 <none>
pn php-mysql | php-mysqlnd <none>
Versions of packages wordpress recommends:
pn wordpress-l10n <none>
pn wordpress-theme-twentytwentyone <none>
Versions of packages wordpress suggests:
pn default-mysql-server | virtual-mysql-server <none>
pn php-ssh2 <none>
--- End Message ---
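The report maps the "prototype pollution in a jQuery dependency" item to CVE-2019-11358, whose bug class is a recursive extend/deep-merge that follows an untrusted `__proto__` key. The following is an added illustration in JavaScript, not code from WordPress, jQuery or the Debian package: the naive merge pattern beside a hardened one, with a check that reports whether merging a constructed hostile JSON document leaked a property onto every plain object. All function and constant names here are my own.

```javascript
// Added illustration (not WordPress or jQuery code) of the CVE-2019-11358 bug
// class: a deep merge that recurses into the "__proto__" key of untrusted input
// ends up writing properties onto Object.prototype for the whole process.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Pre-fix pattern: recurse into every key, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion lands there.
function unsafeDeepExtend(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-reaching keys and only recurse into
// the target's own plain-object properties, never inherited ones.
function safeDeepExtend(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;   // the fix: never follow __proto__ & co.
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed hostile input of the kind the CVE describes (JSON.parse makes
// "__proto__" an ordinary own key, which is exactly what a naive merge trusts).
const HOSTILE_JSON = '{"title":"x","__proto__":{"isAdmin":true}}';

// Returns true if merging HOSTILE_JSON with extendFn polluted Object.prototype,
// then removes any pollution so the rest of the process is unaffected.
function leaksToPrototype(extendFn) {
  extendFn({}, JSON.parse(HOSTILE_JSON));
  const leaked = ({}).isAdmin === true;   // a fresh object should not have it
  delete Object.prototype.isAdmin;
  return leaked;
}
```

A detection of the same shape (merge a probe document, then inspect a fresh `{}`) is a cheap regression test for any deep-merge helper a site's own plugins ship.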
--- Begin Message ---
Source: wordpress
Source-Version: 5.9.2+dfsg1-1
Done: Craig Small <csm...@debian.org>
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1007...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Mar 2022 14:31:34 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentytwenty
wordpress-theme-twentytwentyone wordpress-theme-twentytwentytwo
Architecture: source all
Version: 5.9.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentytwenty - weblog manager - twentytwenty theme files
wordpress-theme-twentytwentyone - weblog manager - twentytwentyone theme files
wordpress-theme-twentytwentytwo - weblog manager - twentytwentytwo theme files
Closes: 1007005 1007145
Changes:
wordpress (5.9.2+dfsg1-1) unstable; urgency=medium
.
* New security release Closes: #1007005, #1007145
* Themes: 2019 removed, 2022 added
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---