Your message dated Sat, 24 Jun 2017 21:19:24 +0000
with message-id <e1dossi-0000af...@fasolo.debian.org>
and subject line Bug#862816: fixed in wordpress 4.1+dfsg-1+deb8u14
has caused the Debian Bug report #862816,
regarding wordpress: Six security bugs in wordpress 4.7.4 and earlier
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.7.4+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole

Wordpress 4.7.4 and earlier has 6 security holes that are fixed in
4.7.5[1]

 * 2.7.0 - 4.7.4
   Insufficient redirect validation in the HTTP class.
 * 2.5.0 - 4.7.4
   Improper handling of post meta data values in the XML-RPC API.
 * 3.4.0 - 4.7.4
   Lack of capability checks for post meta data in the XML-RPC API.
 * 2.5.0 - 4.7.4
   A Cross Site Request Forgery (CSRF) vulnerability was discovered in the
   filesystem credentials dialog.
 * 3.3 - 4.7.4
   A cross-site scripting (XSS) vulnerability was discovered when
   attempting to upload very large files.
 * 3.4.0 - 4.6.4
   A cross-site scripting (XSS) vulnerability was discovered related to the
   Customizer.

Looking at the versions, all distributions are vulnerable to all bugs,
yay me!

I'll request the CVEs and update when I get them.

1: https://wordpress.org/news/2017/05/wordpress-4-7-5/


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u14

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 May 2017 22:24:48 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u14
Distribution: stable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 862053 862816
Changes:
 wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
 .
   * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062
      Improper handling of post meta data values in the XML-RPC API.
      Changeset 40699
    - CVE-2017-9065
      Lack of capability checks for post meta data in the XML-RPC API.
      Changeset 40684
    - CVE-2017-9064
      A Cross Site Request Forgery (CSRF) vulnerability was discovered
      in the filesystem credentials dialog.
      Changeset 40730
    - CVE-2017-9061
      A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files.
      Changeset 40743
    - CVE-2017-9063
      A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer.
      Changeset 40711
   * CVE-2017-9066 not fixed as the relevant code has changed dramatically
     and there is no upstream patch for it.
     Insufficient redirect validation in the HTTP class.
   * CVE-2017-8295 Don't use client-provided data to form password reset
     from email address, from WordPress ticket #23239 Closes: #862053
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
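The CVE-2017-8295 changelog entry above says the fix stops using client-provided data to form the password-reset sender address. As an added illustration (not Debian's or WordPress's code; SITE_URL and ALLOWED_HOSTS are assumed configuration values constructed for the example), here is the weak form, which derives the From domain from the request's host name, beside a hardened form that takes it from a stored site setting, plus a Host-header allow-list check:

```python
from urllib.parse import urlparse

# Assumed configuration for this example: the site's stored URL and the host
# names the server is expected to answer for (constructed sample values).
SITE_URL = "https://www.blog.example.org"
ALLOWED_HOSTS = frozenset({"blog.example.org", "www.blog.example.org"})


def _bare_host(host: str) -> str:
    """Lower-case a host name, drop any port or userinfo, and drop a leading 'www.'."""
    parsed = urlparse("//" + host.strip())
    name = (parsed.hostname or "").lower()
    return name[4:] if name.startswith("www.") else name


def sender_from_request_host(request_host: str) -> str:
    """Weak form: the From domain is built from the request's Host header.

    A server that answers any Host name lets the client choose the domain that
    ends up in the password-reset mail's From header, which is the problem the
    changelog entry describes."""
    return "wordpress@" + _bare_host(request_host)


def sender_from_site_url(site_url: str = SITE_URL) -> str:
    """Hardened form: the From domain comes from configuration the client
    cannot influence, so the request's Host header has no effect on the mail."""
    host = _bare_host(urlparse(site_url).hostname or "")
    if not host:
        raise ValueError("site URL has no host name")
    return "wordpress@" + host


def host_header_is_trusted(request_host: str,
                           allowed: frozenset = ALLOWED_HOSTS) -> bool:
    """Separate defence: reject a request whose Host header is not one of the
    site's configured names before any request-derived value is used at all."""
    parsed = urlparse("//" + request_host.strip())
    return (parsed.hostname or "").lower() in allowed
```

The weak form is kept only to make the contrast concrete; the hardened form and the allow-list check are the two pieces a deployment wants.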