wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg

Related Vulnerabilities: CVE-2017-14313  

Debian Bug report logs - #874416

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Tue, 5 Sep 2017 21:03:02 UTC

Severity: important

Tags: security

Found in version wordpress-shibboleth/1.4-2

Fixed in versions wordpress-shibboleth/1.8-1, wordpress-shibboleth/1.4-2+deb9u1, wordpress-shibboleth/1.4-2+deb8u1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, csmall@debian.org:
Bug#874416; Package wordpress-shibboleth. (Tue, 05 Sep 2017 21:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to csmall@debian.org. (Tue, 05 Sep 2017 21:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: wordpress-shibboleth: XSS due to add_query_arg
Date: Tue, 5 Sep 2017 22:01:52 +0100
Package: wordpress-shibboleth
Version: 1.4-2
Severity: important
X-Debbugs-Cc: csmall@debian.org
Tags: security

I have just become aware of an old security issue that was fixed
in upstream:

https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a

As far as I understand, this is

https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/

Given that no one has noticed and reported this as an issue for a year
in the Debian package, and I'm not completely sure of how easy it is
to exploit, I'm not exactly sure of the correct severity or whether
this warrants a DSA or just a point release update. I'm CCing
the Wordpress maintainer in case they have any ideas.

This bug will be fixed in unstable shortly.
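
An audit heuristic for the bug class named in the report above, as an added example that is not part of the bug log or the plugin's code: it flags add_query_arg()/remove_query_arg() calls in PHP source whose result is not directly wrapped in esc_url() or esc_url_raw(), the escaping the linked WordPress advisory calls for. The sample PHP and the helper names enclosing_calls and find_unescaped are constructed for illustration.

```python
import re

# Escaping wrappers the linked WordPress advisory calls for.
SAFE_WRAPPERS = {"esc_url", "esc_url_raw"}
CALL_RE = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
IDENT_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*$")

SAMPLE_PHP = """<?php
// Constructed sample for this example, not the plugin's code.
$login_url = add_query_arg( 'action', 'sso' );
echo '<a href="' . $login_url . '">Log in</a>';
echo '<a href="' . esc_url( add_query_arg( 'action', 'sso' ) ) . '">Log in</a>';
wp_safe_redirect( esc_url_raw( remove_query_arg( 'reauth', $url ) ) );
echo '<form action="' . remove_query_arg( 'reauth' ) . '">';
"""


def enclosing_calls(src, pos):
    """Return names of the calls whose argument list contains offset pos.

    Walks backwards to the start of the statement while tracking parenthesis
    depth. Heuristic only: string literals and comments are not parsed.
    """
    names, depth = [], 0
    i = pos - 1
    while i >= 0 and src[i] not in ";{}":
        ch = src[i]
        if ch == ")":
            depth += 1          # a closed group that sits before pos
        elif ch == "(":
            if depth:
                depth -= 1      # opener of that closed group
            else:
                # An unmatched "(" encloses pos; record the callee name.
                m = IDENT_RE.search(src[max(0, i - 64):i])
                if m:
                    names.append(m.group(1))
        i -= 1
    return names


def find_unescaped(src):
    """List (line_number, function) for calls not wrapped in a safe escaper."""
    findings = []
    for m in CALL_RE.finditer(src):
        if SAFE_WRAPPERS.isdisjoint(enclosing_calls(src, m.start())):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, func in find_unescaped(SAMPLE_PHP):
        print(f"line {line_no}: {func}() result is not wrapped in "
              "esc_url()/esc_url_raw()")
```

A flagged call is a candidate for manual review, not a confirmed XSS: the value may be escaped later at the point of output, which this statement-level check does not follow.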



Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 05 Sep 2017 21:09:04 GMT) (full text, mbox, link).


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Tue, 05 Sep 2017 21:54:03 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Tue, 05 Sep 2017 21:54:03 GMT) (full text, mbox, link).


Message #12 received at 874416-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 874416-close@bugs.debian.org
Subject: Bug#874416: fixed in wordpress-shibboleth 1.8-1
Date: Tue, 05 Sep 2017 21:51:21 +0000
Source: wordpress-shibboleth
Source-Version: 1.8-1

We believe that the bug you reported is fixed in the latest version of
wordpress-shibboleth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated wordpress-shibboleth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 05 Sep 2017 22:17:59 +0100
Source: wordpress-shibboleth
Binary: wordpress-shibboleth
Architecture: source
Version: 1.8-1
Distribution: unstable
Urgency: medium
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
 wordpress-shibboleth - Shibboleth plugin for WordPress
Closes: 874416
Changes:
 wordpress-shibboleth (1.8-1) unstable; urgency=medium
 .
   * Correct Vcs-* fields
   * Switch to minimal dh style packaging
   * Update watch file and Homepage to https
   * Update Standards-Version (no changes)
   * Switch to dpkg-source 3.0 (quilt) format
   * New upstream release (Closes: #874416)
   * Relax versioned dependency on wordpress, as the minimum supported
     version 3.3 is satisfied even in oldoldstable




Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#874416; Package wordpress-shibboleth. (Mon, 11 Sep 2017 03:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Mon, 11 Sep 2017 03:24:03 GMT) (full text, mbox, link).


Message #17 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 874416@bugs.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Mon, 11 Sep 2017 03:21:08 +0000
[Message part 1 (text/plain, inline)]
On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <dom@earth.li> wrote:

> I have just become aware of an old security issue that was fixed
> in upstream:
>
> https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
>
> Given that no one has noticed and reported this as an issue for a year
> in the Debian package, and I'm not completely sure of how easy it is
> to exploit, I'm not exactly sure of the correct severity or whether
> this warrants a DSA or just a point release update. I'm CCing
> the Wordpress maintainer in case they have any ideas.
>
> This bug will be fixed in unstable shortly.
>
Hi,
  Probably a security team question but the un-patched plugin permits a XSS
attack so it should be a DSA I think.


 - Craig

--
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#874416; Package wordpress-shibboleth. (Mon, 11 Sep 2017 10:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. (Mon, 11 Sep 2017 10:21:08 GMT) (full text, mbox, link).


Message #22 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Craig Small <csmall@debian.org>
Cc: 874416@bugs.debian.org, team@security.debian.org, Michael McNeill <michael@michaelryanmcneill.com>
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Mon, 11 Sep 2017 11:19:59 +0100
On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote:
> On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <dom@earth.li> wrote:
> 
> > I have just become aware of an old security issue that was fixed
> > in upstream:
> >
> >
> > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5
> > 6e2fd19188e7c26a
> > <https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a>
> >
> >
> > Given that noone has noticed and reported this as an issue for a year
> > in the Debian package, and I'm not completely sure of how easy it is
> > to exploit, I'm not exactly sure of the correct severity or whether
> > this warrants a DSA or just a point release update. I'm CCing
> > the Wordpress maintainer in case they have any ideas.
> >
> > This bug will be fixed in unstable shortly.
> >
> Hi,
>   Probably a security team question but the un-patched plugin permits a XSS
> attack so it should be a DSA I think.

I'm just confirming the status of the bug in 1.4 with the upstream
maintainer prior to a fix. Also looping in the security team.

Cheers,
Dominic.



Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#874416; Package wordpress-shibboleth. (Mon, 11 Sep 2017 14:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Michael McNeill <michael@michaelryanmcneill.com>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Mon, 11 Sep 2017 14:15:02 GMT) (full text, mbox, link).


Message #27 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Michael McNeill <michael@michaelryanmcneill.com>
To: Dominic Hargreaves <dom@earth.li>, Craig Small <csmall@debian.org>
Cc: 874416@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Mon, 11 Sep 2017 14:14:05 +0000
[Message part 1 (text/plain, inline)]
Dominic,

After reviewing, it does appear that 1.4 is vulnerable to the XSS attack
and should be patched using the same patch made here:
https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463

Please let me know if you have additional questions.

Best regards,
Michael McNeill

On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves <dom@earth.li> wrote:

> On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote:
> > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <dom@earth.li> wrote:
> >
> > > I have just become aware of an old security issue that was fixed
> > > in upstream:
> > >
> > >
> > >
> https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5
> > > 6e2fd19188e7c26a
> > > <
> https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> >
> > >
> > >
> > > Given that noone has noticed and reported this as an issue for a year
> > > in the Debian package, and I'm not completely sure of how easy it is
> > > to exploit, I'm not exactly sure of the correct severity or whether
> > > this warrants a DSA or just a point release update. I'm CCing
> > > the Wordpress maintainer in case they have any ideas.
> > >
> > > This bug will be fixed in unstable shortly.
> > >
> > Hi,
> >   Probably a security team question but the un-patched plugin permits a XSS
> > attack so it should be a DSA I think.
>
> I'm just confirming the status of the bug in 1.4 with the upstream
> maintainer prior to a fix. Also looping in the security team.
>
> Cheers,
> Dominic.
>
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#874416; Package wordpress-shibboleth. (Tue, 12 Sep 2017 04:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Tue, 12 Sep 2017 04:36:03 GMT) (full text, mbox, link).


Message #32 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 874416@bugs.debian.org
Cc: Craig Small <csmall@debian.org>, team@security.debian.org, Michael McNeill <michael@michaelryanmcneill.com>
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Tue, 12 Sep 2017 06:33:02 +0200
Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg

Hi Dominic, Craig, Michael,

FTR, I requested a CVE for this issue and it got assigned
CVE-2017-14313.

Regards,
Salvatore



Changed Bug title to 'wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg' from 'wordpress-shibboleth: XSS due to add_query_arg'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 874416-submit@bugs.debian.org. (Tue, 12 Sep 2017 04:36:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#874416; Package wordpress-shibboleth. (Tue, 12 Sep 2017 12:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. (Tue, 12 Sep 2017 12:45:09 GMT) (full text, mbox, link).


Message #39 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Michael McNeill <michael@michaelryanmcneill.com>, 874416@bugs.debian.org
Cc: Craig Small <csmall@debian.org>, team@security.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Tue, 12 Sep 2017 13:43:43 +0100
Great, thanks for confirming Michael.

Dominic.

On Mon, Sep 11, 2017 at 02:14:05PM +0000, Michael McNeill wrote:
> Dominic,
> 
> After reviewing, it does appear that 1.4 is vulnerable to the XSS attack
> and should be patched using the same patch made here:
> https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463
> 
> Please let me know if you have additional questions.
> 
> Best regards,
> Michael McNeill
> 
> On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves <dom@earth.li> wrote:
> 
> > On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote:
> > > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <dom@earth.li> wrote:
> > >
> > > > I have just become aware of an old security issue that was fixed
> > > > in upstream:
> > > >
> > > >
> > > >
> > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5
> > > > 6e2fd19188e7c26a
> > > > <
> > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> > >
> > > >
> > > >
> > > > Given that noone has noticed and reported this as an issue for a year
> > > > in the Debian package, and I'm not completely sure of how easy it is
> > > > to exploit, I'm not exactly sure of the correct severity or whether
> > > > this warrants a DSA or just a point release update. I'm CCing
> > > > the Wordpress maintainer in case they have any ideas.
> > > >
> > > > This bug will be fixed in unstable shortly.
> > > >
> > > Hi,
> > >   Probably a security team question but the un-patched plugin permits a XSS
> > > attack so it should be a DSA I think.
> >
> > I'm just confirming the status of the bug in 1.4 with the upstream
> > maintainer prior to a fix. Also looping in the security team.
> >
> > Cheers,
> > Dominic.
> >



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#874416; Package wordpress-shibboleth. (Tue, 12 Sep 2017 15:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. (Tue, 12 Sep 2017 15:39:02 GMT) (full text, mbox, link).


Message #44 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Salvatore Bonaccorso <carnil@debian.org>, 874416@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Tue, 12 Sep 2017 16:34:14 +0100
[Message part 1 (text/plain, inline)]
On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg
> 
> Hi Dominic, Craig, Michael,
> 
> FTR, I requested a CVE for this issue and it got assigned
> CVE-2017-14313.

Thanks. I assume you would like a security upload? Here is the minimal
fix which should apply to stretch and jessie.

I am waiting for some real world testing from a colleague.

Let me know if I'm okay to upload.

Cheers,
Dominic.
[wordpress-shibboleth_1.4-2+deb9u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#874416; Package wordpress-shibboleth. (Tue, 12 Sep 2017 19:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Tue, 12 Sep 2017 19:33:04 GMT) (full text, mbox, link).


Message #49 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: 874416@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Tue, 12 Sep 2017 21:30:19 +0200
[Message part 1 (text/plain, inline)]
Hi Dominic,

On Tue, Sep 12, 2017 at 04:34:14PM +0100, Dominic Hargreaves wrote:
> On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> > Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg
> > 
> > Hi Dominic, Craig, Michael,
> > 
> > FTR, I requested a CVE for this issue and it got assigned
> > CVE-2017-14313.
> 
> Thanks. I assume you would like a security upload? Here is the minimal
> fix which should apply to stretch and jessie.
> 
> I am waiting for some real world testing from a colleague.
> 
> Let me know if I'm okay to upload.

Once you have got feedback from real world testing, can you finalize
the changelogs and then please upload. Since both jessie-security and
stretch-security share the same orig tarball, please do build the
first one with -sa, upload, wait for the ACCEPTED mail after some
minutes to you, then upload the second without -sa.

Thanks already. If you have a proposed DSA text, that would be
welcome.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#874416; Package wordpress-shibboleth. (Thu, 14 Sep 2017 13:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. (Thu, 14 Sep 2017 13:15:03 GMT) (full text, mbox, link).


Message #54 received at 874416@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Salvatore Bonaccorso <carnil@debian.org>, 874416@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#874416: wordpress-shibboleth: XSS due to add_query_arg
Date: Thu, 14 Sep 2017 14:13:32 +0100
On Tue, Sep 12, 2017 at 09:30:19PM +0200, Salvatore Bonaccorso wrote:
> Hi Dominic,
> 
> On Tue, Sep 12, 2017 at 04:34:14PM +0100, Dominic Hargreaves wrote:
> > On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> > > Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to add_query_arg
> > > 
> > > Hi Dominic, Craig, Michael,
> > > 
> > > FTR, I requested a CVE for this issue and it got assigned
> > > CVE-2017-14313.
> > 
> > Thanks. I assume you would like a security upload? Here is the minimal
> > fix which should apply to stretch and jessie.
> > 
> > I am waiting for some real world testing from a colleague.
> > 
> > Let me know if I'm okay to upload.
> 
> Once you have got feedback from real world testing, can you finalize
> the changelogs and then please upload. Since both jessie-security and
> stretch-security share the same orig tarball, please do build the
> first one with -sa, upload, wait for the ACCEPTED mail after some
> minutes to you, then upload the second without -sa.
> 
> Thanks already. If you have a proposed DSA text, that would be
> welcome.

Now uploaded. You can use the same text as Chris Lamb wrote in the
LTS update.

Thanks,
Dominic.



Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sat, 23 Sep 2017 10:06:21 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 10:06:21 GMT) (full text, mbox, link).


Message #59 received at 874416-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 874416-close@bugs.debian.org
Subject: Bug#874416: fixed in wordpress-shibboleth 1.4-2+deb9u1
Date: Sat, 23 Sep 2017 10:03:41 +0000
Source: wordpress-shibboleth
Source-Version: 1.4-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
wordpress-shibboleth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated wordpress-shibboleth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Sep 2017 11:20:16 +0100
Source: wordpress-shibboleth
Binary: wordpress-shibboleth
Architecture: source
Version: 1.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
 wordpress-shibboleth - Shibboleth plugin for WordPress
Closes: 874416
Changes:
 wordpress-shibboleth (1.4-2+deb9u1) stretch-security; urgency=high
 .
   * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sat, 23 Sep 2017 20:06:15 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 20:06:15 GMT) (full text, mbox, link).


Message #64 received at 874416-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 874416-close@bugs.debian.org
Subject: Bug#874416: fixed in wordpress-shibboleth 1.4-2+deb8u1
Date: Sat, 23 Sep 2017 20:02:51 +0000
Source: wordpress-shibboleth
Source-Version: 1.4-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
wordpress-shibboleth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated wordpress-shibboleth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Sep 2017 11:39:51 +0100
Source: wordpress-shibboleth
Binary: wordpress-shibboleth
Architecture: all source
Version: 1.4-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 874416
Description:
 wordpress-shibboleth - Shibboleth plugin for WordPress
Changes:
 wordpress-shibboleth (1.4-2+deb8u1) jessie-security; urgency=high
 .
   * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 22 Oct 2017 07:26:30 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:23:43 2019; Machine Name: buxtehude
