Your message dated Thu, 02 Nov 2017 11:36:33 +0000
with message-id <e1eadnv-0004mz...@fasolo.debian.org>
and subject line Bug#880528: fixed in wordpress 4.8.3+dfsg-1
has caused the Debian Bug report #880528,
regarding wordpress: Unsafe queries with wpdb->prepare
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
880528: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.8.2+dfsg-2
Severity: grave
Tags: upstream security
Justification: user security hole

WordPress versions 4.8.2 and earlier are affected by an issue where
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core is not directly vulnerable
to this issue, but we’ve added hardening to prevent plugins and themes from
accidentally causing a vulnerability.

I have attempted to get a CVE id for it but the Mitre website is
throwing errors again on the submit button.


References:
https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
https://wpvulndb.com/vulnerabilities/8941
https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.8.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2017 22:16:15 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.8.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 880528
Changes:
 wordpress (4.8.3+dfsg-1) unstable; urgency=high
 .
   * New upstream security release Closes: #880528


--- End Message ---
