Bug#862816: marked as done (wordpress: Six security bugs in wordpress 4.7.4 and earlier)
Your message dated Sat, 24 Jun 2017 21:19:24 + with message-id and subject line "Bug#862816: fixed in wordpress 4.1+dfsg-1+deb8u14" has caused the Debian Bug report #862816, regarding wordpress: Six security bugs in wordpress 4.7.4 and earlier, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
862816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: wordpress
Version: 4.7.4+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole

Wordpress 4.7.4 and earlier has 6 security holes that are fixed in 4.7.5[1]

* 2.7.0 - 4.7.4 Insufficient redirect validation in the HTTP class.
* 2.5.0 - 4.7.4 Improper handling of post meta data values in the XML-RPC API.
* 3.4.0 - 4.7.4 Lack of capability checks for post meta data in the XML-RPC API.
* 2.5.0 - 4.7.4 A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
* 3.3 - 4.7.4 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
* 3.4.0 - 4.6.4 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Looking at the versions, all distributions are vulnerable to all bugs, yay me! I'll request the CVEs and update when I get them.
1: https://wordpress.org/news/2017/05/wordpress-4-7-5/

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u14

We believe that the bug you reported is fixed in the latest version of wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 862...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small (supplier of updated wordpress package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 May 2017 22:24:48 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u14
Distribution: stable
Urgency: medium
Maintainer: Craig Small
Changed-By: Craig Small
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 862053 862816
Changes:
 wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
 .
   * Backport patches from 4.7.5 Closes: #862816
     - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API. Changeset 40699
     - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API. Changeset 40684
     - CVE-2017-9064 A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Changeset 40730
     - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Changeset 40743
     - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Changeset 40711
   * CVE-2017-9066 not fixed as the relevant code has changed dramatically and there is no upstream patch for it. Insufficient redirect validation in the HTTP class.
   * CVE-2017-8295 Don't use client-provided data to form password reset from email address, from WordPress ticket #23239 Closes: #862053
Checksums-Sha1:
 6992e217144edb572b91420cf4668a316d2f6cce 2206 wordpress_4.1+dfsg-1+deb8u14.dsc
 aecf3343a5b0b3b5e559a7e1eb41b32f2259414e 6129728 wordpress_4.1+dfsg-1+deb8u14.debian.
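As an added defender-side example (not code from the bug report, WordPress or the Debian package): a small checker that encodes the affected-version ranges from the report above and the CVE-to-issue mapping from the jessie-security changelog, and shows why matching on the upstream version alone over-reports for a Debian package that received backported patches. Descriptions are shortened; the version-suffix handling is an assumption about Debian version strings.

```python
# Added example: applicability checker built from the affected-version ranges in
# the bug report above and the CVE mapping in the jessie-security changelog.
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, CVE, short description), as listed on the page.
AFFECTED = [
    ("2.7.0", "4.7.4", "CVE-2017-9066", "Insufficient redirect validation in the HTTP class"),
    ("2.5.0", "4.7.4", "CVE-2017-9062", "Improper handling of post meta data values in XML-RPC"),
    ("3.4.0", "4.7.4", "CVE-2017-9065", "Lack of capability checks for post meta data in XML-RPC"),
    ("2.5.0", "4.7.4", "CVE-2017-9064", "CSRF in the filesystem credentials dialog"),
    ("3.3",   "4.7.4", "CVE-2017-9061", "XSS when uploading very large files"),
    ("3.4.0", "4.6.4", "CVE-2017-9063", "XSS related to the Customizer"),
]

# CVEs the changelog says were backported into 4.1+dfsg-1+deb8u14
# (CVE-2017-9066 was explicitly left unfixed there).
JESSIE_DEB8U14_FIXED = {"CVE-2017-9062", "CVE-2017-9065", "CVE-2017-9064",
                        "CVE-2017-9061", "CVE-2017-9063"}


def parse_version(s: str) -> Version:
    """Turn '4.1+dfsg-1+deb8u14' or '3.3' into a zero-padded (major, minor, patch)."""
    # Assumption: Debian suffixes start at the first '+' or '-'; drop them.
    core = s.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected WordPress version: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # '3.3' compares as 3.3.0


def affected_issues(version: str) -> List[str]:
    """CVEs whose upstream affected range contains the given upstream version."""
    v = parse_version(version)
    return [cve for lo, hi, cve, _ in AFFECTED
            if parse_version(lo) <= v <= parse_version(hi)]


def still_open(version: str, backported: Iterable[str] = ()) -> List[str]:
    """Affected CVEs minus those a distro changelog says were backported.

    jessie stayed on upstream 4.1 and fixed five of the six by patching, so
    the version check alone would wrongly report all six against deb8u14.
    """
    fixed = set(backported)
    return [cve for cve in affected_issues(version) if cve not in fixed]
```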
Bug#862816: marked as done (wordpress: Six security bugs in wordpress 4.7.4 and earlier)
Your message dated Wed, 17 May 2017 13:04:10 + with message-id and subject line "Bug#862816: fixed in wordpress 4.7.5+dfsg-1" has caused the Debian Bug report #862816, regarding wordpress: Six security bugs in wordpress 4.7.4 and earlier, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
862816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: wordpress
Version: 4.7.4+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole

Wordpress 4.7.4 and earlier has 6 security holes that are fixed in 4.7.5[1]

* 2.7.0 - 4.7.4 Insufficient redirect validation in the HTTP class.
* 2.5.0 - 4.7.4 Improper handling of post meta data values in the XML-RPC API.
* 3.4.0 - 4.7.4 Lack of capability checks for post meta data in the XML-RPC API.
* 2.5.0 - 4.7.4 A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
* 3.3 - 4.7.4 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
* 3.4.0 - 4.6.4 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Looking at the versions, all distributions are vulnerable to all bugs, yay me! I'll request the CVEs and update when I get them.
1: https://wordpress.org/news/2017/05/wordpress-4-7-5/

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

Source: wordpress
Source-Version: 4.7.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 862...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small (supplier of updated wordpress package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 May 2017 22:28:18 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small
Changed-By: Craig Small
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 862816
Changes:
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 .
   * New upstream release fixes 6 security issues Closes: #862816
     CVEs to be added once issued
     - CVE-2017-XXX Insufficient redirect validation in the HTTP class.
     - CVE-2017-XXX Improper handling of post meta data values in the XML-RPC API.
     - CVE-2017-XXX Lack of capability checks for post meta data in the XML-RPC API.
     - CVE-2017-XXX A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
     - CVE-2017-XXX A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
     - CVE-2017-XXX A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.
Checksums-Sha1: