Your message dated Sat, 09 May 2020 15:33:48 +0000
with message-id <[email protected]>
and subject line Bug#959391: fixed in wordpress 4.7.5+dfsg-2+deb9u6
has caused the Debian Bug report #959391,
regarding wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
959391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959391
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wordpress
Version: 5.4+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for wordpress.

Fortunately this time, additionally to [6], there are GHSA advisories
associated with each of these CVEs (advantage of hosting a project on
github I would say :)). Now they list some ranges of affected versions,
and I'm interested to track which are actually not affecting buster and
stretch. Could you check if those are actually accurate? For example
CVE-2020-11030 lists via the GHSA as affected versions 5.2 to 5.4, and
patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct, which would mean
buster and stretch are not affected?

CVE-2020-11025[0]:
| In affected versions of WordPress, a cross-site scripting (XSS)
| vulnerability in the navigation section of Customizer allows
| JavaScript code to be executed. Exploitation requires an authenticated
| user. This has been patched in version 5.4.1, along with all the
| previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5,
| 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27,
| 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11026[1]:
| In affected versions of WordPress, files with a specially crafted name
| when uploaded to the Media section can lead to script execution upon
| accessing the file. This requires an authenticated user with
| privileges to upload files. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11027[2]:
| In affected versions of WordPress, a password reset link emailed to a
| user does not expire upon changing the user password. Access would be
| needed to the email account of the user by a malicious party for
| successful execution. This has been patched in version 5.4.1, along
| with all the previously affected versions via a minor release (5.3.3,
| 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22,
| 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11028[3]:
| In affected versions of WordPress, some private posts, which were
| previously public, can result in unauthenticated disclosure under a
| specific set of conditions. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11029[4]:
| In affected versions of WordPress, a vulnerability in the stats()
| method of class-wp-object-cache.php can be exploited to execute cross-
| site scripting (XSS) attacks. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11030[5]:
| In affected versions of WordPress, a special payload can be crafted
| that can lead to scripts getting executed within the search block of
| the block editor. This requires an authenticated user with the ability
| to add content. This has been patched in version 5.4.1, along with all
| the previously affected versions via a minor release (5.3.3, 5.2.6,
| 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
| 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11025
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
[1] https://security-tracker.debian.org/tracker/CVE-2020-11026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
[2] https://security-tracker.debian.org/tracker/CVE-2020-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
[3] https://security-tracker.debian.org/tracker/CVE-2020-11028
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
[4] https://security-tracker.debian.org/tracker/CVE-2020-11029
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
[5] https://security-tracker.debian.org/tracker/CVE-2020-11030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
[6] https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Regards,
Salvatore
--- End Message ---
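CVE-2020-11027 in the report above concerns a password reset link that stays valid after the account password is changed. The following is an added example, not code from WordPress or from this bug thread: a constructed, minimal Python account store whose strict=False mode reproduces that behaviour and whose strict=True mode shows the mitigation (a password change retires the pending reset token; tokens are additionally stored hashed, compared in constant time, single-use and time-limited). RESET_TTL, the Accounts class and the user names are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL = 24 * 3600  # assumed lifetime of a reset link, in seconds

@dataclass
class User:
    password_hash: str
    reset_token_hash: Optional[str] = None  # only the hash of the mailed token is stored
    reset_issued_at: Optional[float] = None

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()  # stand-in for a real password hash

class Accounts:
    """Constructed account store; strict=False reproduces the flaw, strict=True the fix."""
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.users: Dict[str, User] = {}
    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(password_hash=_digest(password))
    def issue_reset_link(self, name: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # the secret that would be e-mailed to the user
        user = self.users[name]
        user.reset_token_hash, user.reset_issued_at = _digest(token), now
        return token
    def set_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.password_hash = _digest(new_password)
        if self.strict:  # mitigation: a password change retires any outstanding reset link
            user.reset_token_hash = user.reset_issued_at = None
    def redeem_reset_link(self, name: str, token: str, new_password: str, now: float) -> bool:
        user = self.users[name]
        if user.reset_token_hash is None or now - user.reset_issued_at > RESET_TTL:
            return False  # no pending link, or the link is older than RESET_TTL
        if not hmac.compare_digest(user.reset_token_hash, _digest(token)):
            return False  # constant-time comparison against the stored hash
        user.reset_token_hash = user.reset_issued_at = None  # a redeemed link is single use
        user.password_hash = _digest(new_password)
        return True

def link_survives_password_change(strict: bool) -> bool:
    store = Accounts(strict)
    store.add_user("alice", "old-secret")
    token = store.issue_reset_link("alice", now=1_000.0)
    store.set_password("alice", "new-secret")  # changed through account settings, not the link
    return store.redeem_reset_link("alice", token, "mailbox-holder-chosen", now=2_000.0)
```

Running link_survives_password_change(False) returns True (the stale link still resets the password), while the strict store returns False.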
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u6
Done: Craig Small <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 15:23:57 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source
Version: 4.7.5+dfsg-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 924546 939543 942459 946905 959391
Changes:
 wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high
 .
   * Importing Wordpress 4.7.17/5.4.1 updates Closes: #959391
     - CVE-2020-11025 XSS vulnerability in the navigation section of
       Customizer allows JavaScript code to be executed.
     - CVE-2020-11026 uploaded files to Media section to lead to script execution
     - CVE-2020-11027 Password reset link does not expire
     - CVE-2020-11028 Private posts can be found through searching by date
     - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
     Not vulnerable:
     - CVE-2020-11030 (feature introduced 5.0) Special payload can execute
       scripts in block editor
   * Importing Wordpress 4.7.16/5.3.1 updates Closes: #946905
     - CVE-2019-20043 an unprivileged user could make a post sticky via the REST API.
     - CVE-2019-20041 hardening wp_kses_bad_protocol() to ensure that it is
       aware of the named colon attribute.
     Not vulnerable:
     - CVE-2019-20042 (function introduced 5.1.0) cross-site scripting (XSS)
       could be stored in well-crafted links
     - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0) stored XSS
       vulnerability using block editor content.
   * Importing Wordpress 4.7.15/5.2.4 updates Closes: #942459
     - CVE-2019-17674 Stored XSS in the Customizer
     - CVE-2019-17671 Viewing unauthenticated posts
     - CVE-2019-17672 Stored XSS to inject javascript into style tags
     - CVE-2019-17673 Poisoning JSON GET requests
     - CVE-2019-17669 SSRF in URL validation
     - CVE-2019-17675 Referer validation in admin screens
   * Importing Wordpress 4.7.14/5.2.3 updates Closes: #939543
     - CVE-2019-16223 XSS in post previews
     - CVE-2019-16218 XSS in stored comments
     - CVE-2019-16220 Open redirect due to validation and sanitization
     - CVE-2019-16217 XSS in media uploads
     - CVE-2019-16219 XSS in shortcode previews
     - CVE-2019-16221 XSS in dashboard
     - CVE-2019-16222 XSS in URL sanitization
   * Security patches from 5.1.1/4.7.13
   * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546
Checksums-Sha1:
 e578da770e89b37231e62beaf21167cd1a3bbcbb 2567 wordpress_4.7.5+dfsg-2+deb9u6.dsc
 dc36d0ebb054c9f215d8e5430d4ecb94c87ec34a 6834780 wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 c1bd39b032c5edb941434e9a2e07150fe3f8fa59 7841 wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
Checksums-Sha256:
 ebf02bb97a238345edfa259e3a6197941efe70ba9ce53b21965317745277b414 2567 wordpress_4.7.5+dfsg-2+deb9u6.dsc
 b21523640b8854944f8239634d5695c7c9398421dd7a00b448c3ed43c42e78a1 6834780 wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 afd3d9c96318763227ace066cba187fefd84e77b089a57cd1370efe3a9d20123 7841 wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
Files:
 9d886fa75fef2d75da4aa64866487a65 2567 web optional wordpress_4.7.5+dfsg-2+deb9u6.dsc
 b01623c5fb1b5d2af3c1e46f434a57e1 6834780 web optional wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 3cef192f52b7480ba154fc29fd25710e 7841 web optional wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
--- End Message ---

