-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Feb 2019 12:13:40 +0100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1.25+dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 wordpress - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Changes:
 wordpress (4.1.25+dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-20147: Authors could modify metadata to bypass intended
     restrictions on deleting files.
   * Fix CVE-2018-20148: Contributors could conduct PHP object injection
     attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is
     caused by mishandling of serialized data at phar:// URLs in the
     wp_get_attachment_thumb_file function in wp-includes/post.php.
   * Fix CVE-2018-20149: When the Apache HTTP Server is used, authors could
     upload crafted files that bypass intended MIME type restrictions,
     leading to XSS, as demonstrated by a .jpg file without JPEG data.
   * Fix CVE-2018-20150: Crafted URLs could trigger XSS for certain use cases
     involving plugins.
   * Fix CVE-2018-20151: The user-activation page could be read by a search
     engine's web crawler if an unusual configuration were chosen. The search
     engine could then index and display a user's e-mail address and (rarely)
     the password that was generated by default.
   * Fix CVE-2018-20152: Authors could bypass intended restrictions on post
     types via crafted input.
   * Fix CVE-2018-20153: Contributors could modify new comments made by users
     with greater privileges, possibly causing XSS.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----