Hi, Attached is a debdiff between 5.0.3 and 5.0.4, which is essentially the changesets I previously referenced from the upstream SVN repository.
Option 1 is my preference; the main difference between #1 and #2 was the changelog version. - Craig
diff -Nru wordpress-5.0.3+dfsg1/debian/changelog wordpress-5.0.4+dfsg1/debian/changelog
--- wordpress-5.0.3+dfsg1/debian/changelog 2019-02-05 22:23:39.000000000 +1100
+++ wordpress-5.0.4+dfsg1/debian/changelog 2019-03-24 09:20:02.000000000 +1100
@@ -1,3 +1,10 @@
+wordpress (5.0.4+dfsg1-1) testing-proposed-updates; urgency=medium
+
+ * Backport of 5.1.1 patches
+ * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787
+
+ -- Craig Small <csm...@debian.org> Sun, 24 Mar 2019 09:20:02 +1100
+
 wordpress (5.0.3+dfsg1-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/about.php wordpress-5.0.4+dfsg1/wp-admin/about.php
--- wordpress-5.0.3+dfsg1/wp-admin/about.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/about.php 2019-03-24 09:14:11.000000000 +1100
@@ -65,6 +65,26 @@
 <p>
 <?php
 printf(
+ /* translators: %s: WordPress version number */
+ __( '<strong>Version %s</strong> addressed some security issues.' ),
+ '5.0.4'
+ );
+ ?>
+ <?php
+ printf(
+ /* translators: %s: HelpHub URL */
+ __( 'For more information, see <a href="%s">the release notes</a>.' ),
+ sprintf(
+ /* translators: %s: WordPress version */
+ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+ sanitize_title( '5.0.4' )
+ )
+ );
+ ?>
+ </p>
+ <p>
+ <?php
+ printf(
 /* translators: 1: WordPress version number, 2: plural number of bugs. */
 _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php
--- wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php 2019-03-24 09:14:11.000000000 +1100
@@ -1070,6 +1070,8 @@
 if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 kses_remove_filters(); // start with a clean slate
 kses_init_filters(); // set up the filters
+ remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
 }
 }
 } else {
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/comment.php wordpress-5.0.4+dfsg1/wp-includes/comment.php
--- wordpress-5.0.3+dfsg1/wp-includes/comment.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/comment.php 2019-03-24 09:14:11.000000000 +1100
@@ -3098,6 +3098,8 @@
 ) {
 kses_remove_filters(); // start with a clean slate
 kses_init_filters(); // set up the filters
+ remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
 }
 }
 } else {
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/formatting.php wordpress-5.0.4+dfsg1/wp-includes/formatting.php
--- wordpress-5.0.3+dfsg1/wp-includes/formatting.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/formatting.php 2019-03-24 09:14:11.000000000 +1100
@@ -2750,10 +2750,12 @@
 $atts = shortcode_parse_atts( $matches[1] );
 $rel = 'nofollow';
 
- if ( preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'http' ) ) . ')%i', $text ) ||
- preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'https' ) ) . ')%i', $text )
- ) {
- return "<a $text>";
+ if ( ! empty( $atts['href'] ) ) {
+ if ( in_array( strtolower( wp_parse_url( $atts['href'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+ if ( strtolower( wp_parse_url( $atts['href'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+ return "<a $text>";
+ }
+ }
 }
 
 if ( ! empty( $atts['rel'] ) ) {
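Review bot: The two added lines swap wp_filter_post_kses for wp_filter_kses on pre_comment_content but record no reason, and the identical pair is added at the same position in wp-includes/comment.php; a one-line comment at both sites, or a small helper called from both, would keep the two copies in step. Suggested comment: `// Comment content gets the comment KSES rules, not the post rules, when the unfiltered_html nonce does not match.` (presumably the post-context filter admits markup that comments should not, which matches the changelog's CVE-2019-9787 entry). Separately, the context line compares `wp_create_nonce()` against the raw `$_POST` value with loose `!=`; that is pre-existing, but `wp_verify_nonce( $_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment' )` behind an `isset()` guard is the conventional check and also tolerates the nonce tick window. The enclosing function starts before the hunk in both files.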
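Review bot: The three nested ifs on the new side of the formatting.php hunk pass the result of wp_parse_url() straight to strtolower(); if wp_parse_url() follows parse_url() and returns null for an absent scheme or host, that is a null-to-string coercion (a deprecation notice on PHP 8.1+), and a `(string)` cast around each component avoids it. Once the three components are named the test also flattens to a single condition, which reads more clearly than the nesting and makes the empty-host case explicit. Note that the same-host branch still returns `$text` verbatim while the general path later in this function rebuilds attributes through esc_attr(); whether that is acceptable depends on the content having already been through KSES before this callback, which the hunk cannot show, so a comment stating that assumption would help. The enclosing function starts before the hunk and continues after it.
```php
	$atts = shortcode_parse_atts( $matches[1] );
	$rel  = 'nofollow';

	// Only same-host http(s) links are exempt from rel="nofollow". The (string)
	// casts keep strtolower() off the null a missing scheme/host would yield.
	$href        = isset( $atts['href'] ) ? (string) $atts['href'] : '';
	$href_scheme = strtolower( (string) wp_parse_url( $href, PHP_URL_SCHEME ) );
	$href_host   = strtolower( (string) wp_parse_url( $href, PHP_URL_HOST ) );
	$home_host   = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );

	if ( '' !== $href_host && $href_host === $home_host && in_array( $href_scheme, array( 'http', 'https' ), true ) ) {
		// NOTE(review): $text is emitted unescaped here on the assumption that
		// the content was already KSES-filtered before this callback — confirm.
		return "<a $text>";
	}
	// … unchanged: rel attribute handling …
```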
@@ -2766,11 +2768,11 @@
 $html = '';
 foreach ( $atts as $name => $value ) {
- $html .= "{$name}=\"$value\" ";
+ $html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
 }
 $text = trim( $html );
 }
 
- return "<a $text rel=\"$rel\">";
+ return "<a $text rel=\"" . esc_attr( $rel ) . "\">";
 }
 
 /**
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/version.php wordpress-5.0.4+dfsg1/wp-includes/version.php
--- wordpress-5.0.3+dfsg1/wp-includes/version.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/version.php 2019-03-24 09:14:11.000000000 +1100
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0.3';
+$wp_version = '5.0.4';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -33,3 +33,4 @@
 * @global string $required_mysql_version
 */
 $required_mysql_version = '5.0';
+
\ No newline at end of file
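Review bot: esc_attr() now covers `$value` and `$rel`, but `$name` is still interpolated raw into the attribute-name position on the changed loop line; it comes from shortcode_parse_atts(), so presumably only the characters that function's attribute pattern admits can reach here, yet that invariant is stated nowhere in the loop. A comment such as `// $name is left unescaped only because shortcode_parse_atts() is its sole source; $value is untrusted.` would make the reason explicit and stop a later refactor from feeding the loop from elsewhere. Also, if shortcode_parse_atts() stores a value-less attribute under an integer key as it does for shortcodes, the loop would emit it as `0="name"`; that is pre-existing, but worth confirming now that this rebuild path is the one taken for every off-site link. The enclosing function starts before the hunk.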