wordpress: Wordpress 5.5.2 security release

Debian Bug report logs - #973562


Reported by: Craig Small <csmall@debian.org>

Date: Sun, 1 Nov 2020 21:03:02 UTC

Severity: important

Tags: security

Found in version 5.5.1+dfsg1-2

Fixed in versions wordpress/5.5.3+dfsg1-1, wordpress/5.0.11+dfsg1-0+deb10u1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#973562; Package wordpress. (Sun, 01 Nov 2020 21:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Sun, 01 Nov 2020 21:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Wordpress 5.5.2 security release
Date: Mon, 02 Nov 2020 08:01:44 +1100
Package: wordpress
Version: 5.5.1+dfsg1-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Wordpress versions less than 5.5.2 have the following security
vulnerabilities:

CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
CVE-2020-28035: XML-RPC privilege escalation.
CVE-2020-28036: XML-RPC privilege escalation.
CVE-2020-28032: Hardening deserialization requests.
CVE-2020-28037: DoS attack could lead to RCE.
CVE-2020-28038: Stored XSS in post slugs.
CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
CVE-2020-28040: CSRF attacks that change a theme's background image.

Debian LTS have released 4.7.19 which fixes this already.

I note the security tracker has these CVEs already.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
pn  apache2 | httpd                                        <none>
ii  ca-certificates                                        20200601
pn  default-mysql-client | virtual-mysql-client            <none>
pn  libapache2-mod-php | libapache2-mod-php5 | php | php5  <none>
pn  libjs-cropper                                          <none>
ii  libjs-underscore                                       1.9.1~dfsg-1
pn  php-gd | php5-gd                                       <none>
pn  php-getid3                                             <none>
pn  php-mysql | php5-mysql | php-mysqlnd | php5-mysqlnd    <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwenty  <none>

Versions of packages wordpress suggests:
pn  default-mysql-server | virtual-mysql-server  <none>
pn  php-ssh4                                     <none>

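Checking an installed package against the fixed versions in this bug, as an added example that is not part of the report or of the Debian wordpress packaging: it ports dpkg's version ordering to Python and compares an installed version against the per-suite fixed versions from the bug header (5.5.3+dfsg1-1 for unstable, 5.0.11+dfsg1-0+deb10u1 for buster), which shows why the advisory's "less than 5.5.2" threshold misreports a patched buster install. The `FIXED_IN` table and all function names are this example's own.

```python
# Added example: suite-aware check of whether an installed Debian wordpress
# package has the #973562 fixes. Buster got them as 5.0.11+dfsg1-0+deb10u1, far
# below the advisory's "less than 5.5.2", so use dpkg ordering per suite.

# Example's own table, from the bug's "Fixed in versions" header; stretch LTS
# is only named as upstream 4.7.19 on the page, so it is left out, not guessed.
FIXED_IN = {
    "unstable": "5.5.3+dfsg1-1",
    "buster": "5.0.11+dfsg1-0+deb10u1",
}
UPSTREAM_THRESHOLD = "5.5.2"   # the advisory's wording, applied literally
DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg weight: '~' sorts before everything, even end of string (0)."""
    if c == "" or c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): non-digit runs by _order, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or \
              (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split [epoch:]upstream[-revision] as dpkg does (first ':', last '-')."""
    epoch = 0
    if ":" in v:
        e, _, v = v.partition(":")
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""   # no revision compares equal to "0"
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, suite: str) -> bool:
    """True when installed is at or above the fixed version for its suite."""
    return dpkg_compare(installed, FIXED_IN[suite]) >= 0


def naive_upstream_check(installed: str) -> bool:
    """Advisory rule taken literally (fixed iff >= 5.5.2); wrong for buster's 5.0.11."""
    return dpkg_compare(installed, UPSTREAM_THRESHOLD) >= 0


if __name__ == "__main__":
    for suite, ver in [("unstable", "5.5.1+dfsg1-2"), ("buster", "5.0.10+dfsg1-0+deb10u1"),
                       ("buster", "5.0.11+dfsg1-0+deb10u1")]:
        print(suite, ver, "suite-aware:", is_fixed(ver, suite), "naive:", naive_upstream_check(ver))
```

The patched buster package is reported as vulnerable by the naive check and as fixed by the suite-aware one; the same mismatch is what makes upstream-version scanners noisy on distributions that backport fixes.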



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#973562; Package wordpress. (Mon, 02 Nov 2020 06:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Mon, 02 Nov 2020 06:00:02 GMT) (full text, mbox, link).


Message #10 received at 973562@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 973562@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#973562: wordpress: Wordpress 5.5.2 security release
Date: Mon, 2 Nov 2020 06:56:29 +0100
Hi Craig,

On Mon, Nov 02, 2020 at 08:01:44AM +1100, Craig Small wrote:
> Package: wordpress
> Version: 5.5.1+dfsg1-2
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Wordpress versions less than 5.5.2 have the following security
> vulnerabilities:
> 
> CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
> CVE-2020-28035: XML-RPC privilege escalation.
> CVE-2020-28036: XML-RPC privilege escalation.
> CVE-2020-28032: Hardening deserialization requests.
> CVE-2020-28037: DoS attack could lead to RCE.
> CVE-2020-28038: Stored XSS in post slugs.
> CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
> CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
> CVE-2020-28040: CSRF attacks that change a theme's background image.
> 
> Debian LTS have released 4.7.19 which fixes this already.
> 
> I note the security tracker has these CVEs already.

And thanks for filing the BTS tracking bug!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#973562; Package wordpress. (Mon, 02 Nov 2020 11:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Mon, 02 Nov 2020 11:57:03 GMT) (full text, mbox, link).


Message #15 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Craig Small <csmall@debian.org>, 973562@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#973562: wordpress: Wordpress 5.5.2 security release
Date: Mon, 2 Nov 2020 12:52:47 +0100
On 02/11 08:01, Craig Small wrote:
> Wordpress versions less than 5.5.2 have the following security
> vulnerabilities:
> 
> CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
> CVE-2020-28035: XML-RPC privilege escalation.
> CVE-2020-28036: XML-RPC privilege escalation.
> CVE-2020-28032: Hardening deserialization requests.
> CVE-2020-28037: DoS attack could lead to RCE.
> CVE-2020-28038: Stored XSS in post slugs.
> CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
> CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
> CVE-2020-28040: CSRF attacks that change a theme's background image.

Hi Craig,

are you planning on backporting the fixes for those on top of buster's
5.0.10+dfsg1-0+deb10u1?

Cheers,

-- 
Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#973562; Package wordpress. (Mon, 02 Nov 2020 11:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Mon, 02 Nov 2020 11:57:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#973562; Package wordpress. (Tue, 03 Nov 2020 06:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 03 Nov 2020 06:03:02 GMT) (full text, mbox, link).


Message #25 received at 973562@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: 973562@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, seb@debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: wordpress: Wordpress 5.5.2 security release
Date: Tue, 3 Nov 2020 11:30:56 +0530
Hi Craig, Seb, Salvatore,

On Mon, 02 Nov 2020 08:01:44 +1100 Craig Small <csmall@debian.org> wrote:
> Debian LTS have released 4.7.19 which fixes this already.

Yep, I have already bumped the version and fixed these CVEs in stretch LTS.

Please let me know in case I can help with any of the other updates?
I don't mean to interfere, of course, but will be happy to prepare an
update for buster or sid, if you need me to! :)


- u



Message sent on to Craig Small <csmall@debian.org>:
Bug#973562. (Tue, 03 Nov 2020 06:30:02 GMT) (full text, mbox, link).


Message #28 received at 973562-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <noreply@salsa.debian.org>
To: 973562-submitter@bugs.debian.org
Subject: Bug#973562 marked as pending in SOURCENAME
Date: Tue, 03 Nov 2020 06:26:25 +0000
Control: tag -1 pending

Hello,

Bug #973562 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/402aadbe527fa0c059138dcc1bfa992134ffdadd

------------------------------------------------------------------------
Update to wordpress version 5.5.3-dfsg1-1

Security release, fixes 8 bugs Closes: #973562

* Security release, fixes 8 bugs Closes: #973562
   - CVE-2020-28039: Protected meta that could lead to arbitrary
                     file deletion.
   - CVE-2020-28035: XML-RPC privilege escalation.
   - CVE-2020-28036: XML-RPC privilege escalation.
   - CVE-2020-28032: Hardening deserialization requests.
   - CVE-2020-28037: DoS attack could lead to RCE.
   - CVE-2020-28038: Stored XSS in post slugs.
   - CVE-2020-28033: Disable spam embeds from disabled sites
                     on a multisite network.
   - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
   - CVE-2020-28040: CSRF attacks that change a theme's background image.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/973562



Added tag(s) pending. Request was from Craig Small <noreply@salsa.debian.org> to 973562-submitter@bugs.debian.org. (Tue, 03 Nov 2020 06:30:02 GMT) (full text, mbox, link).




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#973562; Package wordpress. (Tue, 03 Nov 2020 06:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Tue, 03 Nov 2020 06:33:02 GMT) (full text, mbox, link).


Message #38 received at 973562@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Sébastien Delafond <seb@debian.org>, Utkarsh Gupta <utkarsh@debian.org>
Cc: 973562@bugs.debian.org
Subject: Re: Bug#973562: wordpress: Wordpress 5.5.2 security release
Date: Tue, 3 Nov 2020 17:29:46 +1100
Hi Seb,
  Sure, I am planning on doing that. I'll be tracking the 5.0.x branch
from upstream, as discussed last time. Thanks to Utkarsh I've got all the
CVEs and descriptions right in front of me!

Hi Utkarsh, I've got Sid uploading now and will start on Buster in a moment.

 - Craig


On Mon, 2 Nov 2020 at 22:52, Sébastien Delafond <seb@debian.org> wrote:

> On 02/11 08:01, Craig Small wrote:
> > Wordpress versions less than 5.5.2 have the following security
> > vulnerabilities:
> >
> > CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
> > CVE-2020-28035: XML-RPC privilege escalation.
> > CVE-2020-28036: XML-RPC privilege escalation.
> > CVE-2020-28032: Hardening deserialization requests.
> > CVE-2020-28037: DoS attack could lead to RCE.
> > CVE-2020-28038: Stored XSS in post slugs.
> > CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
> > CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
> > CVE-2020-28040: CSRF attacks that change a theme's background image.
>
> Hi Craig,
>
> are you planning on backporting the fixes for those on top of buster's
> 5.0.10+dfsg1-0+deb10u1?
>
> Cheers,
>
> --
> Seb
>

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#973562; Package wordpress. (Tue, 03 Nov 2020 07:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 03 Nov 2020 07:21:02 GMT) (full text, mbox, link).


Message #43 received at 973562@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: Craig Small <csmall@debian.org>
Cc: Sébastien Delafond <seb@debian.org>, 973562@bugs.debian.org
Subject: Re: Bug#973562: wordpress: Wordpress 5.5.2 security release
Date: Tue, 3 Nov 2020 12:47:48 +0530
Hi Craig,

On Tue, Nov 3, 2020 at 12:00 PM Craig Small <csmall@debian.org> wrote:
> Hi Utkarsh, I've got Sid uploading now and will start on Buster in a moment.

Perfect! Thanks for your great work on wordpress!


 - u



Message sent on to Craig Small <csmall@debian.org>:
Bug#973562. (Tue, 03 Nov 2020 22:03:25 GMT) (full text, mbox, link).


Message #46 received at 973562-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <noreply@salsa.debian.org>
To: 973562-submitter@bugs.debian.org
Subject: Bug#973562 marked as pending in SOURCENAME
Date: Tue, 03 Nov 2020 22:00:43 +0000
Control: tag -1 pending

Hello,

Bug #973562 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/ffc5cae67bd119964fd9d1912a5f6c9187261d79

------------------------------------------------------------------------
d/changelog import 5.0.11

Security release, fixes 8 bugs Closes: #973562

* Security release, fixes 8 bugs Closes: #973562
   - CVE-2020-28039: Protected meta that could lead to arbitrary
                     file deletion.
   - CVE-2020-28035: XML-RPC privilege escalation.
   - CVE-2020-28036: XML-RPC privilege escalation.
   - CVE-2020-28032: Hardening deserialization requests.
   - CVE-2020-28037: DoS attack could lead to RCE.
   - CVE-2020-28038: Stored XSS in post slugs.
   - CVE-2020-28033: Disable spam embeds from disabled sites
                     on a multisite network.
   - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
   - CVE-2020-28040: CSRF attacks that change a theme's background image.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/973562





Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Thu, 05 Nov 2020 21:51:05 GMT) (full text, mbox, link).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Thu, 05 Nov 2020 21:51:05 GMT) (full text, mbox, link).


Message #54 received at 973562-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 973562-close@bugs.debian.org
Subject: Bug#973562: fixed in wordpress 5.5.3+dfsg1-1
Date: Thu, 05 Nov 2020 21:49:25 +0000
Source: wordpress
Source-Version: 5.5.3+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Nov 2020 17:23:49 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentynineteen wordpress-theme-twentyseventeen wordpress-theme-twentytwenty
Architecture: source all
Version: 5.5.3+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentytwenty - weblog manager - twentytwenty theme files
Closes: 973562
Changes:
 wordpress (5.5.3+dfsg1-1) unstable; urgency=high
 .
   * Security release, fixes 8 bugs Closes: #973562
      - CVE-2020-28039: Protected meta that could lead to arbitrary
                        file deletion.
      - CVE-2020-28035: XML-RPC privilege escalation.
      - CVE-2020-28036: XML-RPC privilege escalation.
      - CVE-2020-28032: Hardening deserialization requests.
      - CVE-2020-28037: DoS attack could lead to RCE.
      - CVE-2020-28038: Stored XSS in post slugs.
      - CVE-2020-28033: Disable spam embeds from disabled sites
                        on a multisite network.
      - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
      - CVE-2020-28040: CSRF attacks that change a theme's background image.
   * Removed TinyMCE build dependency as it's very old
   * d/dirs: Add two more language directories





Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 13 Nov 2020 11:06:05 GMT) (full text, mbox, link).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Fri, 13 Nov 2020 11:06:05 GMT) (full text, mbox, link).


Message #59 received at 973562-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 973562-close@bugs.debian.org
Subject: Bug#973562: fixed in wordpress 5.0.11+dfsg1-0+deb10u1
Date: Fri, 13 Nov 2020 11:03:41 +0000
Source: wordpress
Source-Version: 5.0.11+dfsg1-0+deb10u1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Nov 2020 18:02:39 +1100
Source: wordpress
Architecture: source
Version: 5.0.11+dfsg1-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 971914 973562
Changes:
 wordpress (5.0.11+dfsg1-0+deb10u1) buster-security; urgency=high
 .
   * Security release, fixes 8 bugs Closes: #973562
      - CVE-2020-28039: Protected meta that could lead to arbitrary
                        file deletion.
      - CVE-2020-28035: XML-RPC privilege escalation.
      - CVE-2020-28036: XML-RPC privilege escalation.
      - CVE-2020-28032: Hardening deserialization requests.
      - CVE-2020-28037: DoS attack could lead to RCE.
      - CVE-2020-28038: Stored XSS in post slugs.
      - CVE-2020-28033: Disable spam embeds from disabled sites
                        on a multisite network.
      - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
      - CVE-2020-28040: CSRF attacks that change a theme's background image.
   * Remove duplicated changeset 45974 Closes: #971914







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 11:15:30 2020; Machine Name: bembo
