Your message dated Sat, 24 Jun 2017 21:19:24 +0000 with message-id <e1dossi-0000aw...@fasolo.debian.org> and subject line Bug#862053: fixed in wordpress 4.1+dfsg-1+deb8u14 has caused the Debian Bug report #862053, regarding wordpress: CVE-2017-8295 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 862053: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862053 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: wordpress X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org Severity: important Tags: security Hi, the following vulnerability was published for wordpress. CVE-2017-8295[0]: | WordPress through 4.7.4 relies on the Host HTTP header for a | password-reset e-mail message, which makes it easier for remote | attackers to reset arbitrary passwords by making a crafted | wp-login.php?action=lostpassword request and then arranging for this | message to bounce or be resent, leading to transmission of the reset | key to a mailbox on an attacker-controlled SMTP server. This is | related to problematic use of the SERVER_NAME variable in | wp-includes/pluggable.php in conjunction with the PHP mail function. | Exploitation is not achievable in all cases because it requires at | least one of the following: (1) the attacker can prevent the victim | from receiving any e-mail messages for an extended period of time | (such as 5 days), (2) the victim's e-mail system sends an autoresponse | containing the original message, or (3) the victim manually composes a | reply containing the original message. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. No official patch has been published yet but there is an interesting assessment at http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html I think it makes sense to wait for an official Wordpress response but we could also try to avoid the SERVER_NAME variable in this case. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-8295 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295 Please adjust the affected versions in the BTS as needed.
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---Source: wordpress Source-Version: 4.1+dfsg-1+deb8u14 We believe that the bug you reported is fixed in the latest version of wordpress, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 862...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Craig Small <csm...@debian.org> (supplier of updated wordpress package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 24 May 2017 22:24:48 +1000 Source: wordpress Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen Architecture: source all Version: 4.1+dfsg-1+deb8u14 Distribution: stable Urgency: medium Maintainer: Craig Small <csm...@debian.org> Changed-By: Craig Small <csm...@debian.org> Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files Closes: 862053 862816 Changes: wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium . * Backport patches from 4.7.5 Closes: #862816 - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API. Changeset 40699 - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API. Changeset 40684 - CVE-2017-9064 A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. Changeset 40730 - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Changeset 40743 - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Changeset 40711 * CVE-2017-9066 not fixed as the relevant code has changed dramatically and there is no upstream patch for it. Insufficient redirect validation in the HTTP class. * CVE-2017-8295 Don't use client-provided data to form password reset from email address, from WordPress ticket #23239 Closes: #862053 Checksums-Sha1: 6992e217144edb572b91420cf4668a316d2f6cce 2206 wordpress_4.1+dfsg-1+deb8u14.dsc aecf3343a5b0b3b5e559a7e1eb41b32f2259414e 6129728 wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz d38e38a68b1eebba094e6863764e0350522fa5ef 3195086 wordpress_4.1+dfsg-1+deb8u14_all.deb 0f926ddb33adc4287708dae4bd44c642bf3351c8 4246876 wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb eae5ee49eb7f94e86ad7b6cb8e42da58305a7d54 502928 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb 709520bd322ec40b57181c6074e83f7887ce85f9 803836 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb 751ddcab0d9a5c616d1e838c5aa2db9cee195e79 321408 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb Checksums-Sha256: 609a1a1e165605c45aed4374962112511f5d2b51c2a22c3a4c2db39247bdcfa2 2206 wordpress_4.1+dfsg-1+deb8u14.dsc 3e661549549ed624dcae24c794f95e61d3092edcb8e8676fdfb045a7ba1ddead 6129728 wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz 0ae928df0c24a663e804ae4a23c60e98f58552b54b7e862e7bb6d844382bead7 3195086 wordpress_4.1+dfsg-1+deb8u14_all.deb 81d990e84c19a7a981b562ea175ad7680d37c769b942ec9fe37bdf1bc19c044f 4246876 wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb de1a849613a7e8eea5a91437757afdccc9aca5781cb8d2fcc73be212fb3a7f10 502928 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb 02614dc4be3f5214ac033aabcfb3a9c4e17647436a8f69a22be7b67d5cbb0cc5 803836 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb d9a4d329f75e8697af88d58462a58b66266986037a65e3cfb160d904a71c4fda 321408 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb Files: 27c20ffff81220e8d626f73689bc86ea 2206 web optional wordpress_4.1+dfsg-1+deb8u14.dsc b035d001eccb9ca647ae135aff1b205a 6129728 web optional wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz 12b570d668be90fc5b85e3915e7b4525 3195086 web optional wordpress_4.1+dfsg-1+deb8u14_all.deb 2c138c159b53cd36cc37bea33b33996f 4246876 localization optional wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb 05e24fb8304a6540b527dff44640ef6c 502928 web optional wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb 0f0b708a3cec3edd2373392f3366a4ec 803836 web optional wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb 018961b042c46458dd381507f3f2c6cd 321408 web optional wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAlkvoS4ACgkQEL6Jg/PV nWTDSAf/TjNiSUUbm0y53KsLziBpR7m1pqJlessKgPLRkeyEq9TetzMfDk34DkpV uJndrX6cvof4236MZkm7TwcqwtQZLfk0ZInYW9DTkmIs+tw0KdXDTA5WuYcmDqmb n+JZFCDbChbqQJrm5DDxccBAtbvSrg1eTO5pSanKJ1c7tOfIzsUOgRdM8FHVnZb2 MEZ74OZOqrWrtPcgJ9cOAYlu6Pbu7YBukoL2lcvEsr3gnQicRnE0QQBNYPnPs6iA KxPQ4rPuzWWozxg4/oVUFFWmVF26a2vCCKKSRrKClrb1BKw7JLZijzan1l6jWj+q WPbWcywFvnIWxAohT45u5JM8dZ3deQ== =r4Ra -----END PGP SIGNATURE-----
--- End Message ---
