Your message dated Sat, 09 Dec 2017 06:34:26 +0000
with message-id <e1enyiq-0006ag...@fasolo.debian.org>
and subject line Bug#883314: fixed in wordpress 4.9.1+dfsg-1
has caused the Debian Bug report #883314,
regarding wordpress: CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
883314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.1+dfsg-1
X-Debbugs-CC: t...@security.debian.org
secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for wordpress.
CVE-2017-17091[0]:
| wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser
| key to a string that can be directly derived from the user ID, which
| allows remote attackers to bypass intended access restrictions by
| entering this string.
CVE-2017-17092[1]:
| wp-includes/functions.php in WordPress before 4.9.1 does not require
| the unfiltered_html capability for upload of .js files, which might
| allow remote attackers to conduct XSS attacks via a crafted file.
CVE-2017-17093[2]:
| wp-includes/general-template.php in WordPress before 4.9.1 does not
| properly restrict the lang attribute of an HTML element, which might
| allow attackers to conduct XSS attacks via the language setting of a
| site.
CVE-2017-17094[3]:
| wp-includes/feed.php in WordPress before 4.9.1 does not properly
| restrict enclosures in RSS and Atom fields, which might allow attackers
| to conduct XSS attacks via a crafted URL.
Published at [4]. The respective commits are all referenced in the
corresponding CVE page on the security-tracker and were used for the
CVE request.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[1] https://security-tracker.debian.org/tracker/CVE-2017-17092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[2] https://security-tracker.debian.org/tracker/CVE-2017-17093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[3] https://security-tracker.debian.org/tracker/CVE-2017-17094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[4] https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.9.1+dfsg-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Dec 2017 16:57:09 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen
wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.9.1+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 883314
Changes:
wordpress (4.9.1+dfsg-1) unstable; urgency=high
.
* New upstream release
* Release 4.9 was never packaged due to licensing problems
* This release fixes 6 security issues Closes: #883314
- CVE-2017-17091
Use a properly generated hash for the newbloguser key instead
of a determinate substring.
- CVE-2017-17092
Remove the ability to upload JavaScript files for users who
do not have the unfiltered_html capability
- CVE-2017-17093
Add escaping to the language attributes used on html elements
- CVE-2017-17094
Ensure the attributes of enclosures are correctly escaped in
RSS and Atom feeds
* Updated to standards 4.1.1
* New linting for JavaScript is disabled due to jshint.js licensing
issues
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
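For the two escaping fixes in the changelog above (CVE-2017-17093, the html lang attribute, and CVE-2017-17094, feed enclosure attributes), an added example that is not WordPress or Debian code: a weak rendering beside a hardened one. The rendering functions, the allow-list regex and the inputs are hypothetical stand-ins constructed for illustration, not the WordPress implementation.

```python
# Added example, not WordPress or Debian code: the rendering functions below
# are hypothetical stand-ins for the two output points named in the changelog.
import html
import re
from urllib.parse import urlsplit

# Allow-list for a language tag (a subset of BCP 47: letters, digits, hyphens).
LANG_RE = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")


def esc_attr(value: str) -> str:
    """Escape a value for use inside a double-quoted HTML/XML attribute."""
    return html.escape(value, quote=True)


def html_lang_unsafe(lang: str) -> str:
    """Weak pattern: the site language setting is interpolated verbatim."""
    return f'<html lang="{lang}">'


def html_lang_safe(lang: str) -> str:
    """Hardened form: allow-list the tag, then escape anyway (defence in
    depth; escaping alone is what the changelog entry describes)."""
    if not LANG_RE.match(lang):
        lang = "en"  # fall back to a known-good default
    return f'<html lang="{esc_attr(lang)}">'


def enclosure_safe(url: str, length: int, mime: str) -> str:
    """Hardened RSS <enclosure>: http(s) URLs only, every attribute escaped."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("enclosure URL must be http or https")
    return (f'<enclosure url="{esc_attr(url)}" length="{int(length)}" '
            f'type="{esc_attr(mime)}" />')


# Constructed inputs: a stray double quote shows attribute breakout.
CRAFTED_LANG = 'en" data-injected="1'
CRAFTED_URL = 'https://example.invalid/a.mp3" data-injected="1'


def demo() -> dict:
    """Return the weak and hardened renderings side by side."""
    return {
        "unsafe_lang": html_lang_unsafe(CRAFTED_LANG),
        "safe_lang": html_lang_safe(CRAFTED_LANG),
        "safe_enclosure": enclosure_safe(CRAFTED_URL, 1234, "audio/mpeg"),
    }
```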