Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]

Related Vulnerabilities: CVE-2014-0165   CVE-2014-0166   CVE-2015-0166  

Debian Bug report logs - #744018

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 9 Apr 2014 09:09:07 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions wordpress/3.6.1+dfsg-1~deb6u1, wordpress/3.8.1+dfsg1-2, wordpress/3.6.1+dfsg-1~deb7u1

Fixed in versions wordpress/3.8.2+dfsg-1, wordpress/3.6.1+dfsg-1~deb7u2, wordpress/3.6.1+dfsg-1~deb6u2

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#744018; Package wordpress. (Wed, 09 Apr 2014 09:09:11 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Craig Small <csmall@debian.org>. (Wed, 09 Apr 2014 09:09:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]
Date: Wed, 9 Apr 2014 11:06:18 +0200
Package: wordpress
Severity: serious
Tags: security fixed-upstream patch

Hi,

Wordpress 3.8.2 was released which fixes two security issues and several more 
bugs.

http://wordpress.org/news/2014/04/wordpress-3-8-2/

CVE-2014-0165
Wordpress privilege escalation: prevent contributors from publishing posts

CVE-2014-0166
Wordpress potential authentication cookie forgery

Can you see to it that this is fixed in unstable? I'm not sure if these 
vulnerabilities warrant an update to stable on their own, can you advise?

Thanks,
Thijs

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Apr 2014 12:06:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#744018; Package wordpress. (Wed, 09 Apr 2014 13:00:08 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Wed, 09 Apr 2014 13:00:08 GMT)


Message #12 received at 744018@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 744018@bugs.debian.org
Subject: Re: Bug#744018: Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]
Date: Wed, 9 Apr 2014 22:50:08 +1000
On Wed, Apr 09, 2014 at 11:06:18AM +0200, Thijs Kinkhorst wrote:
> Wordpress 3.8.2 was released which fixes two security issues and several more 
> bugs.
Thanks for the heads up Thijs, I have uploaded 3.8.2 to the ftp-master
just then.

 - Craig
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Wed, 09 Apr 2014 13:24:14 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 09 Apr 2014 13:24:15 GMT)


Message #17 received at 744018-done@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744018-done@bugs.debian.org
Subject: Re: Bug#744018: Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]
Date: Wed, 9 Apr 2014 23:14:34 +1000
Package: wordpress
Version: 3.8.2+dfsg-1

The changelog had the wrong bug number in it.
New upstream release Fixes CVE-2014-0165, CVE-2014-0166
and Closes: #744018

Can't believe I typoed that.
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#744018; Package wordpress. (Wed, 09 Apr 2014 14:45:08 GMT)


Acknowledgement sent to Maximiliano Curia <maxy@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 09 Apr 2014 14:45:08 GMT)


Message #22 received at 744018@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 744018@bugs.debian.org
Subject: Re: Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]
Date: Wed, 9 Apr 2014 16:43:06 +0200
Hi,

Would it be possible to have this issue fixed in stable?

Thanks,
-- 
"Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots. So far, the Universe is winning."
-- Rich Cook
Saludos /\/\ /\ >< `/

Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2014 12:12:10 GMT)


Message sent on to Thijs Kinkhorst <thijs@debian.org>:
Bug#744018. (Thu, 10 Apr 2014 12:12:14 GMT)


Message #27 received at 744018-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744018-submitter@bugs.debian.org
Subject: Bug#744018 marked as pending
Date: Thu, 10 Apr 2014 12:10:27 +0000
tag 744018 pending
thanks

Hello,

Bug #744018 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=ac47fca

---
commit ac47fcabf625f21a2065ec34c286bb9e0122c5f0
Author: Craig Small <csmall@debian.org>
Date:   Thu Apr 10 22:10:05 2014 +1000

    Fixed bug number in changelog

diff --git a/debian/changelog b/debian/changelog
index 06d6dba..927d409 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
 wordpress (3.8.2+dfsg-1) unstable; urgency=high
 
   * New upstream release Fixes CVE-2014-0165, CVE-2014-0166
-    and Closes: #744019
+    and Closes: #744018
 
  -- Craig Small <csmall@debian.org>  Wed, 09 Apr 2014 22:13:54 +1000
 
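Review bot: the corrected "and Closes: #744018" line is edited into the existing 3.8.2+dfsg-1 stanza while its trailer line still reads "Wed, 09 Apr 2014 22:13:54 +1000", a day earlier than this commit's date, so a build of that version already made from the old stanza carries #744019 and will not close this bug on its own. State in the commit message that the bug has to be closed by hand, or carry the correction in a new changelog entry. As a style point, "New upstream release Fixes CVE-2014-0165, CVE-2014-0166" runs two statements together; a period or a separate bullet after "release" would read more clearly.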



Marked as found in versions wordpress/3.6.1+dfsg-1~deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2014 20:45:05 GMT)


Marked as found in versions wordpress/3.6.1+dfsg-1~deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2014 20:45:06 GMT)


Marked as found in versions wordpress/3.8.1+dfsg1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2014 20:45:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#744018; Package wordpress. (Thu, 10 Apr 2014 21:21:04 GMT)


Acknowledgement sent to Paul Muster <paul@muster.net>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 10 Apr 2014 21:21:04 GMT)


Message #38 received at 744018@bugs.debian.org:

From: Paul Muster <paul@muster.net>
To: 744018@bugs.debian.org
Subject: update for stable is on the way
Date: Thu, 10 Apr 2014 22:39:24 +0200
https://enc.com.au/2014/04/10/wordpress-update-needed-for-stable-too/

| Yesterday I mentioned that wordpress had an important security update
| to 3.8.2. The particular security bugs also impact the stable Debian
| version of wordpress, so those patches have been backported.  I’ve
| uploaded the changes to the security team so hopefully there will be a new
| package soon.
|
| The version you are looking for will be 3.6.1+dfsg-1~deb7u2 and will
| be on the Debian security mirrors.


Greetings,

Paul


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#744018; Package wordpress. (Fri, 11 Apr 2014 11:45:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 11 Apr 2014 11:45:04 GMT)


Message #43 received at 744018@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Maximiliano Curia <maxy@debian.org>, 744018@bugs.debian.org
Subject: Re: Bug#744018: Wordpress 3.8.2 fixes two vulnerabilities [CVE-2014-0165 CVE-2014-0166]
Date: Fri, 11 Apr 2014 21:40:05 +1000
On Wed, Apr 09, 2014 at 04:43:06PM +0200, Maximiliano Curia wrote:
> Would it be possible to have this issue fixed in stable?
It's getting worked on. The fixes went to the security team a few
minutes ago. old-stable too, if you care about that too.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sun, 13 Apr 2014 17:24:39 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 13 Apr 2014 17:24:40 GMT)


Message #48 received at 744018-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744018-close@bugs.debian.org
Subject: Bug#744018: fixed in wordpress 3.6.1+dfsg-1~deb7u2
Date: Sun, 13 Apr 2014 17:18:22 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb7u2

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744018@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Apr 2014 19:49:18 +1000
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 744018
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Import Wordpress some changesets from 3.8.2 from Jessie to fix
     the two security issues present Closes: #744018
     - Changeset 27976 - CVE-2014-0165: Wordpress privilege escalation:
     prevent contributors from publishing posts - Changeset 27976
     - Changeset 28054 - CVE-2015-0166: Wordpress potential authentication
     cookie forgery
     - Changeset 27873 - Hardening to Forward pingback IP during pingback
     verification.





Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sun, 13 Apr 2014 17:24:44 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 13 Apr 2014 17:24:44 GMT)


Message #53 received at 744018-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744018-close@bugs.debian.org
Subject: Bug#744018: fixed in wordpress 3.6.1+dfsg-1~deb6u2
Date: Sun, 13 Apr 2014 17:18:47 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u2

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744018@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Apr 2014 22:12:48 +1000
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u2
Distribution: squeeze-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 744018
Changes: 
 wordpress (3.6.1+dfsg-1~deb6u2) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Import some changesets from Wordpress 3.8.2 to fix the two security issues
     present (Closes: #744018)
     - Changeset 27976 - CVE-2014-0165: Wordpress privilege escalation:
     prevent contributors from publishing posts - Changeset 27976
     - Changeset 28054 - CVE-2015-0166: Wordpress potential authentication
     cookie forgery
     - Changeset 27873 - Hardening to Forward pingback IP during pingback
     verification.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2014 07:26:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:04 2019; Machine Name: buxtehude
