Your message dated Mon, 07 May 2018 11:36:01 +0000
with message-id <e1ffeqz-000j68...@fasolo.debian.org>
and subject line Bug#895034: fixed in wordpress 4.1+dfsg-1+deb8u17
has caused the Debian Bug report #895034,
regarding wordpress: CVE-2018-10100 CVE-2018-10101 CVE-2018-10102
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
895034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.9.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
WordPress 4.9.5 fixes 3 security issues:
1) Don't treat localhost as same host by default.
2) Use safe redirects when redirecting the login page if SSL is forced.
3) Make sure the version string is correctly escaped for use in generator tags.
The patches are:
1) 42894 - https://core.trac.wordpress.org/changeset/42894
2) 42892 - https://core.trac.wordpress.org/changeset/42892
3) 42893 - https://core.trac.wordpress.org/changeset/42893
Sid, Buster, Stretch and Jessie all have these issues.
- Craig
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8),
LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u17
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Apr 2018 22:49:06 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen
wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u17
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 895034
Changes:
wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2018-10100: the redirection URL for the login page was not
  validated or sanitized if forced to use HTTPS.
* Fix CVE-2018-10102: the version string was not escaped in the
  get_the_generator function, and could lead to XSS in a generator tag.
  (Closes: #895034)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
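
The two fixes named in the changelog above, sketched as standalone PHP. This is an added example, not WordPress or Debian code: the function names pick_redirect_target and generator_tag and the hosts blog.example and other.example are hypothetical. A redirect target is accepted only when it stays on the site, with localhost given no implicit trust, and the version string is attribute-escaped before it goes into the generator tag.

```php
<?php
// Added illustration, not WordPress code; function names are hypothetical.

// Return $requested only if it stays on this site, otherwise $fallback.
// "localhost" gets no implicit trust: it must be listed in $allowedHosts.
function pick_redirect_target(string $requested, string $siteHost,
                              array $allowedHosts = [], string $fallback = '/'): string
{
    // Drop control characters that could split the Location header.
    $url = preg_replace('/[\x00-\x1F\x7F]/', '', trim($requested));
    // Browsers treat backslashes as slashes, so normalise before checking.
    $url = str_replace('\\', '/', $url);
    // Scheme-relative URLs ("//host/path") leave the site like absolute ones.
    if (strpos($url, '//') === 0) {
        $url = 'https:' . $url;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['host'])) {
        // No host: accept only a path on this site, never a bare scheme.
        $local = !isset($parts['scheme']) && strpos($url, '/') === 0;
        return $local ? $url : $fallback;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return $fallback;
    }
    $allowed = array_map('strtolower', array_merge([$siteHost], $allowedHosts));
    return in_array(strtolower($parts['host']), $allowed, true) ? $url : $fallback;
}

// Escape the version for an HTML attribute before building the generator tag.
function generator_tag(string $version): string
{
    $safe = htmlspecialchars($version, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta name="generator" content="WordPress ' . $safe . '" />';
}

// Constructed inputs; blog.example stands in for the site's own host.
$candidates = ['/wp-admin/', 'https://blog.example/wp-admin/', 'http://localhost/x',
               '//other.example/', 'https://blog.example@other.example/'];
foreach ($candidates as $candidate) {
    printf("%-40s -> %s\n", $candidate,
        pick_redirect_target($candidate, 'blog.example', [], '/wp-admin/'));
}
// A version string carrying a quote must come out inert inside the attribute.
echo generator_tag('4.9.5" data-x="1'), "\n";
```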