Hi, thank you for the quick response.

The check I did for wheezy was simply to grep for the validation function and it was missing. This is what I mean with clearly vulnerable. I should have said clearly not patched. I have not seen a patch that works for wheezy yet. I will investigate this more if no one beats me to it.

/ Ola

Sent from a phone

On 6 Jun 2017 23:26, "Craig Small" <csm...@debian.org> wrote:

> On Wed, 7 Jun. 2017, 06:33 Ola Lundqvist, <o...@inguza.com> wrote:
>
>> I can see the following comments from you:
>> + * Backport patches from 4.7.5 Closes: #862816
>> + CVEs to be added once issued
>> + - CVE-2017-XXX
>> + Insufficient redirect validation in the HTTP class.
>>
> The changelog now reads:
> * CVE-2017-9066 not fixed as the relevant code has changed dramatically
> and there is no upstream patch for it.
> Insufficient redirect validation in the HTTP class.
>
> There was no upstream patch for it in the wordpress 4.1 stream. There
> didn't seem to be a way of making a patch for it either.
>
> The patch is available here:
>> https://github.com/WordPress/WordPress/commit/
>> 76d77e927bb4d0f87c7262a50e28d84e01fd2b11
>
> Does this mean that the package is vulnerable?
>
>> Wheezy is clearly vulnerable at least.
>>
> It means I am unsure. I'd like to know what you did to say it was clearly
> vulnerable. There is a request method, but it is radically different to
> wordpress 4.5
> The patch referenced is for 4.5 and would not come close to working; for
> example the hooks construct seems to be missing or used very differently.
>
> However, if you have a patch that works on wordpress 4.1, I'd be glad to
> see it!
>
> - Craig
>
> --
> Craig Small https://dropbear.xyz/ csmall at : enc.com.au
> Debian GNU/Linux https://www.debian.org/ csmall at : debian.org
> Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
> GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5