tag 713947 pending
thanks
Hello,
Bug #713947 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=f41b795
---
commit f41b79577b0ac1e8af11660426d01e8a8c734597
Merge: cebb6cc ff40fa7
Author: Yves-Alexis Perez <[email protected]>
Date: Fri Jun 28 21:47:28 2013 +0200
Merge tag 'debian/3.5.2+dfsg-1' into squeeze
wordpress Debian release 3.5.2+dfsg-1
Conflicts:
debian/changelog
debian/control
debian/wordpress.linktrees
diff --cc debian/changelog
index 36156cb,0880d7b..5fd03c4
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,33 -1,237 +1,268 @@@
+ wordpress (3.5.2+dfsg-1) unstable; urgency=low
+
+ * New upstream release with many security fixes. Closes: #713947
+ * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
+ * Privilege Escalation: Contributors can publish posts, and users can
+ reassign authorship. CVE-2013-2200.
+ * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
+ * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
+ * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
+ CVE-2013-2204.
+ * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
+ * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
+ * Additional security hardening includes:
+ * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
+ CVE-2013-2201.
+ * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
+ Plugins/Themes. CVE-2013-2201.
+ * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
+ * Update the Vcs-Git and Vcs-Browser URLs.
+ * Update Standards-Version to 3.9.4.
+
+ -- Raphaël Hertzog <[email protected]> Tue, 25 Jun 2013 15:52:07 +0200
+
+ wordpress (3.5.1+dfsg-2) unstable; urgency=low
+
+ * Only replace tinymce files by symlinks if the content is exactly the same.
+ Closes: #700289
+ * Update debian/get-upstream-i18n to include supplementary PO files
+ and use a more efficient method to update them. Closes: #697208
+
+ -- Raphaël Hertzog <[email protected]> Mon, 11 Feb 2013 13:56:18 +0100
+
+ wordpress (3.5.1+dfsg-1) unstable; urgency=low
+
+ * New upstream maintenance and security release. Closes: #698916
+
+ -- Raphaël Hertzog <[email protected]> Mon, 28 Jan 2013 17:15:27 +0100
+
+ wordpress (3.5+dfsg-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix sample apache.conf so that Alias directives are in the proper order
+ (from the most specific to the less specific). Closes: #693122
+ Thanks to Jérôme Marant for the report.
+ * Update debian/missing-sources/ with latest upstream changes.
+ * Update all translations.
+ * Try to deduplicate (i.e. replace with symlinks) backbone.js and
+ underscore.js too.
+ * Drop debian/patches/006rss_language.patch, the rss_language option
+ is no longer used.
+ * Update/refresh all other patches on top of the new release.
+ * Update lintian overrides and debian/wordpress.linktrees to match the
+ latest changes concerning javascript libraries shipped by WordPress.
+ * Document the loss of the twentyten theme.
+
+ -- Raphaël Hertzog <[email protected]> Fri, 21 Dec 2012 14:17:50 +0100
+
+ wordpress (3.4.2+dfsg-1) unstable; urgency=low
+
+ * New upstream security & bugfix release.
+ * Also setup languages symlink in setup-mysql. Closes: #684628
+ Thanks to Jun NOGATA <[email protected]> for the analysis.
+ * Add new patch 011support-symlinks-for-plugins.patch grabbed
+ in the upstream ticket to allow plugin directories to be
+ symlinks (which is required for the Debian package since
+ we put symlinks in /var/lib/wordpress/wp-content/plugins/).
+ Closes: #686228
+
+ -- Raphaël Hertzog <[email protected]> Wed, 12 Sep 2012 14:52:14 +0200
+
+ wordpress (3.4.1+dfsg-1) unstable; urgency=high
+
+ * New upstream security & bugfix release. Closes: #680721
+ Fixes CVE-2012-3383, CVE-2012-3384, CVE-2012-3385.
+
+ -- Raphaël Hertzog <[email protected]> Tue, 03 Jul 2012 08:36:08 +0200
+
+ wordpress (3.4+dfsg-3) unstable; urgency=low
+
+ * [f7a1c09] Drop useless postrm.
+ * [d92219b] Add a prerm script calling wp-setup --purge-wp-content on
+ remove. Closes: #678842
+ * [2fbf903] Allow wp-setup to symlink files as well as directories.
+ * [cef928f] Let wp-setup also manage
+ /var/lib/wordpress/wp-content/languages/.
+ * [ac86408] Densify output of wp-setup.
+
+ -- Raphaël Hertzog <[email protected]> Tue, 26 Jun 2012 10:47:25 +0200
+
+ wordpress (3.4+dfsg-2) unstable; urgency=low
+
+ * [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that
+ users are correctly informed of the latest changes.
+ * [e3b7b1c] Improve preinst to also move the
+ /usr/share/wordpress/wp-content/uploads directory to its new location in
+ /var/lib/wordpress/wp-content/. The package never created this directory
+ but many users probably created it and we need to do this to let dpkg
+ install the symlink that we put into place.
+ * [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content.
+ When activated, it will execute wp-setup --sync-wp-content
+ which updates /var/lib/wordpress/wp-content/ with symlinks
+ to plugins/themes that have been added and it drops symlinks
+ to plugins/themes which have disappeared. (Closes: #677889)
+
+ -- Raphaël Hertzog <[email protected]> Thu, 21 Jun 2012 20:44:53 +0200
+
+ wordpress (3.4+dfsg-1) unstable; urgency=low
+
+ * New upstream release. Closes: #677534
+
+ [ Raphaël Hertzog ]
+ * [a1c0409] Refresh and update all patches to correctly apply on version
+ 3.4.
+ * [3804496] Update debian/missing-sources/ to match the current versions of
+ embedded javascript and flash files.
+ * [185b051] Drop the old "default" theme (and its French translation)
+ * [966ce6c] Grab latest translations
+ * [1983326] Update Standards-Version to 3.9.3 (no change).
+ * [29c48b6] Increase debhelper compat level to 9.
+ * [73e16d0] Replace debian/dh_linktree by the packaged version.
+ * [359b660] Update debian/wordpress.linktrees to match latest developments.
+ * [645b650] Let setup-mysql lowercase the FQDN since the configuration
+ scheme expects this. Thanks to Chris Butler <[email protected]> for the
+ report (Closes: #658395)
+ * [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted
+ permissions (Closes: #616400)
+ * [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only
+ a dispatcher to the real configuration file (Closes: #592502)
+ * [b602372] Improve wp-config.php so that WordPress works behind an https
+ reverse-proxy.
+ * [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985,
+ #639980)
+ * [683a908] Update wp-config.php to not redefine constants which have
+ already been set. Thanks to Richard van den Berg <[email protected]> for
+ the report. (Closes: #613283)
+ * [315eb68] Let wordpress-l10n depend on the same version than wordpress.
+ (Closes: #623557)
+ * [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to
+ /var/lib/wordpress/wp-content. And the package provides this new directory
+ appropriately setup with write rights to www-data on blogs.dir and
+ uploads. themes and plugins are root-owned directories with symlinks
+ pointing back to the default themes and plugins. (Closes: #675469)
+ * [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use
+ $upload_dir). (Closes: #658508)
+ * [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js.
+ * [8d46dab] Use dpkg-maintscript-helper to drop obsolete
+ /etc/wordpress/wp-config.php
+
+ [ Martin Bagge / brother ]
+ * [56d0a34] Improve the setup script to be able to use a remote MySQL
+ server.
+
+ -- Raphaël Hertzog <[email protected]> Sat, 16 Jun 2012 01:19:20 +0200
+
+wordpress (3.3.2+dfsg-1~squeeze1) stable-security; urgency=low
+
+ * Import wordpress from Wheezy to fix all the security issues present in
+ Squeeze. This fixes:
+ - CVE-2011-3122, CVE-2011-3125, CVE-2011-3126, CVE-2011-3127,
+ CVE-2011-3128, CVE-2011-3129, CVE-2011-3130 (multiple unspecified
+ vulnerabilities) which were allocated from
+ the Wordpress 3.1.3 / 3.2 beta2 release announcement
+ - CVE-2011-4956 (missing input sanitization) and CVE-2011-4957 (missing
+ URL length check in make_clickable() function) allocated from Wordpress
+ 3.1.1 release announcement.
+ - CVE-2012-2399 (unspecified vulnerability in
+ wp-includes/js/swfupload/swfupload.swf), CVE-2012-2400 (unspecified
+ vulnerability in wp-includes/js/swfobject.js), CVE-2012-2401
(Same-Origin
+ Policy bypass in Plupload plugin), CVE-2012-2402 (access restriction
+ bypass by authenticated site administrators), CVE-2012-2403 (Wordpress
+ supports clickable links inside attributes, making it easier to conduct
+ XSS attacks) CVE-2012-2404 (Wordpress supports offsite redirects,
+ making it easier to conduct XSS attacks), which were allocated from the
+ 3.3.2 release announcement. closes:
#670124
+ * debian/wordpress.linktrees:
+ - don't symlink TinyMCE, it's too old in Squeeze.
+ - don't deduplicate jquery, same thing.
+ - don't deduplicate jquery-form, doesn't exist in Squeeze.
+ * debian/control:
+ - drop build-dep on tinymce, libjs-jquery and libjs-jquery-form, we'll
use
+ the embedded versions.
+
+ -- Yves-Alexis Perez <[email protected]> Thu, 10 May 2012 23:00:46 +0200
+
+ wordpress (3.3.2+dfsg-1) unstable; urgency=high
+
+ * New upstream security release. Closes: #670124
+ * Use the embedded copy of SimplePie until #669054 is resolved.
+
+ -- Raphaël Hertzog <[email protected]> Tue, 24 Apr 2012 00:31:42 +0200
+
+ wordpress (3.3.1+dfsg-1) unstable; urgency=low
+
+ * New upstream security release. Fixes CVE-2012-0287.
+
+ -- Raphaël Hertzog <[email protected]> Wed, 04 Jan 2012 10:15:05 +0100
+
+ wordpress (3.3+dfsg-1) unstable; urgency=low
+
+ * New upstream release. Closes: #652041
+ * [4deb832] Add all the missing sources in debian/missing-sources/.
+ (Closes: #646729)
+ * [913eba5] Refresh all patches.
+ * [ae61778] Use xz compression for the debian tarball to save some space.
+
+ -- Raphaël Hertzog <[email protected]> Tue, 20 Dec 2011 01:01:50 +0100
+
+ wordpress (3.2.1+dfsg-3) unstable; urgency=medium
+
+ * Upload with urgency medium to speed up a bit the transition to testing
+ since the testing version is broken.
+ * [72d01a3] Improve dh_linktree.
+ It is now able to generate dependencies and to have different behaviour
+ for each file to replace. Modify wordpress.linktrees to ensure we have
+ the very same JQuery files but blindly replaces all the other files.
+ Drop the explicit dependencies in favor of the autogenerated dependencies.
+ As a side-effect this fixes installation of widgets which was broken
+ by the mismatch of some JQuery ui files.
+ * [bbce711] Add lintian overrides for warnings about the embedded copy of
JQuery.
+ We do a reasonable effort to replace it if it matches.
+
+ -- Raphaël Hertzog <[email protected]> Thu, 27 Oct 2011 16:01:49 +0200
+
+ wordpress (3.2.1+dfsg-2) unstable; urgency=low
+
+ * [af74ce2] Add a preinst to drop symlinks to directories for tinymce
+ and cropper. The new dh_linktree only symlinks files and hierarchies are
+ duplicated. So we have to drop symlinks to directories in the preinst,
+ otherwise dpkg installs the new symlinks in the tinymce/cropper
+ directories instead of in the wordpress ones.
+ Also drop the upgrade code in the postinst converting the same directories
+ into symlinks... (Closes: #639733)
+ * [0b51c4f] Invite users affected by #639733 to reinstall
+ tinymce/libjs-cropper.
+ * [55af033] Fix invalid test in postinst (upgrade → configure)
+ "upgrade" is not a valid parameter in the postinst. Instead
+ we get "configure".
+
+ -- Raphaël Hertzog <[email protected]> Sat, 22 Oct 2011 17:01:25 +0200
+
+ wordpress (3.2.1+dfsg-1) unstable; urgency=low
+
+ [ Paul Tagliamonte ]
+ * [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean
+ tarball. It drops all the sourceless flash files. Closes: #625773
+
+ [ Raphaël Hertzog ]
+ * [d1035bd] Imported Upstream version 3.2.1+dfsg
+ * [b968405] Update and refresh all patches.
+ * [10ab97c] Drop manifest.patch because the description in its header
+ doesn't make any sense.
+ * [87537db] Update dependencies as per new upstream requirements.
+ * [0c534ec] Update packaging to avoid using even more embedded PHP/JS
+ libraries.
+ * [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries.
+ * [8690719] Add lintian override for embedded-php-library streams.php since
+ it's a false positive.
+ * [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed).
+ * [938fb15] Update internationalization files.
+ * [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can
+ be replaced by dh_linktree.
+
+ -- Raphaël Hertzog <[email protected]> Mon, 08 Aug 2011 23:06:20 +0200
++>>>>>>> d5bfbc7f92e09879d1a1b7cd899fdbf69167272a
+
wordpress (3.0.5+dfsg-1) unstable; urgency=medium
* [077b77b] Imported Upstream version 3.0.5+dfsg
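Review bot: a stray merge-conflict marker is being committed into debian/changelog near the end of the hunk, the line `++>>>>>>> d5bfbc7f92e09879d1a1b7cd899fdbf69167272a` just before the 3.0.5+dfsg-1 entry; it is not a valid changelog line and will make the file unparseable for dpkg-parsechangelog and the tools that depend on it, so it should be deleted before this merge is built. Separately, the merge brings the unstable entries (3.5.2+dfsg-1 down to 3.2.1+dfsg-1) onto the squeeze branch as-is: the only squeeze-specific entry remains `wordpress (3.3.2+dfsg-1~squeeze1) stable-security`, so a new top entry with a `~squeeze` version targeting the stable security suite, in the style of that earlier one, will still be needed for the upload that actually addresses #713947 on squeeze.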