Hi Craig,

On Sat, May 02, 2020 at 10:31:24AM +1000, Craig Small wrote:
> This is the analysis of the latest WordPress security bugs.
> Is it awesome upstream already has CVE IDs and (almost) clear patches of
> the fixes? Yes, it is!
>
> Sid: 5.4
> All vulnerabilities, use upstream 5.4.1
>
> Bullseye: 5.3.2
> https://github.com/WordPress/wordpress-develop/commit/42cbfc76f87add1853996730c587ea66aa8fdc28
> SVN references: 47633 47634 47635 47636 47637 47638
> https://core.trac.wordpress.org/changeset/47633 Customizer - CVE-2020-11025
> https://core.trac.wordpress.org/changeset/47634 password update - CVE-2020-11027
> https://core.trac.wordpress.org/changeset/47635 single post on query - CVE-2020-11028
> https://core.trac.wordpress.org/changeset/47636 block editor escape - CVE-2020-11030
> https://core.trac.wordpress.org/changeset/47637 escaping around stats - CVE-2020-11029
> https://core.trac.wordpress.org/changeset/47638 sanitize file name - CVE-2020-11026
> All vulnerable, use aggregated GH commit

Thanks for this btw, and I have synced the security-tracker information
with it now (plus trying to add respective isolated commits from the
GitHub repository as well).

For a respective update in the other branches it obviously makes sense,
as you say, to use the aggregated commit from GH.

Regards,
Salvatore