wordpress: CVE-2017-8295

Debian Bug report logs - #862053
wordpress: CVE-2017-8295

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wordpress: CVE-2017-8295

Date: Sun, 7 May 2017 21:53:32 +0200

[Message part 1 (text/plain, inline)]

Package: wordpress
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: security

Hi,

the following vulnerability was published for wordpress.

CVE-2017-8295[0]:
| WordPress through 4.7.4 relies on the Host HTTP header for a
| password-reset e-mail message, which makes it easier for remote
| attackers to reset arbitrary passwords by making a crafted
| wp-login.php?action=lostpassword request and then arranging for this
| message to bounce or be resent, leading to transmission of the reset
| key to a mailbox on an attacker-controlled SMTP server. This is
| related to problematic use of the SERVER_NAME variable in
| wp-includes/pluggable.php in conjunction with the PHP mail function.
| Exploitation is not achievable in all cases because it requires at
| least one of the following: (1) the attacker can prevent the victim
| from receiving any e-mail messages for an extended period of time
| (such as 5 days), (2) the victim's e-mail system sends an autoresponse
| containing the original message, or (3) the victim manually composes a
| reply containing the original message.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

No official patch has been published yet but there is an interesting assessment
at http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html

I think it makes sense to wait for an official Wordpress response but we could also
try to avoid the SERVER_NAME variable in this case.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

Please adjust the affected versions in the BTS as needed.

[signature.asc (application/pgp-signature, attachment)]

Message #10 received at 862053@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Markus Koschany <apo@debian.org>, 862053@bugs.debian.org

Subject: Re: Bug#862053: wordpress: CVE-2017-8295

Date: Sun, 07 May 2017 21:58:43 +0000

[Message part 1 (text/plain, inline)]

Hi Markus,
  Thankyou for the bug report. I was aware of this bug but haven't seen
anything from the WordPress upstream yet. I'll give them a few days to see
if they bring out an official patch or not.

This only seems to work for IP based virtual hosts. If your wordpress
server uses named virtual hosts, then it doesn't work unless it is the
default because the host header is used to work out what virtual server to
use.

 - Craig

>
> --
Craig Small (@smallsees)   http://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #19 received at 862053-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 862053-submitter@bugs.debian.org

Subject: Bug#862053 marked as pending

Date: Wed, 24 May 2017 20:40:57 +0000

tag 862053 pending
thanks

Hello,

Bug #862053 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=0630257

---
commit 0630257eb254566a6ee3e54904770c3b9a195f20
Author: Craig Small <csmall@debian.org>
Date:   Wed May 24 22:25:37 2017 +1000

    Added patch for from email address
    
    Address CVE-2017-8295 which describes how the from address
    of the password reset emails uses client-provided data.
    
    References:
     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862053
     https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
     https://core.trac.wordpress.org/ticket/25239

diff --git a/debian/changelog b/debian/changelog
index 3e2a55c..9366144 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-wordpress (4.1+dfsg-1+deb8u14) UNRELEASED; urgency=medium
+wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
 
   * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062
@@ -22,8 +22,10 @@ wordpress (4.1+dfsg-1+deb8u14) UNRELEASED; urgency=medium
   * CVE-2017-9066 not fixed as the relevant code has changed dramatically
     and there is no upstream patch for it.
     Insufficient redirect validation in the HTTP class.
+  * CVE-2017-8295 Don't use client-provided data to form password reset
+    from email address, from WordPress ticket #23239 Closes: #862053
 
- -- Craig Small <csmall@debian.org>  Thu, 18 May 2017 22:34:52 +1000
+ -- Craig Small <csmall@debian.org>  Wed, 24 May 2017 22:24:48 +1000
 
 wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium
 

Message #26 received at 862053@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Craig Small <csmall@debian.org>

Cc: 862053@bugs.debian.org

Subject: Re: Bug#862053 marked as pending

Date: Sun, 4 Jun 2017 22:24:02 +0200

On Wed, May 24, 2017 at 08:40:57PM +0000, Craig Small wrote:
> tag 862053 pending
> thanks
> 
> Hello,
> 
> Bug #862053 reported by you has been fixed in the Git repository. You can
> see the changelog below, and you can check the diff of the fix at:

Hi Craig,
since the window for stretch is closing, could you please upload
a targeted fix for sid to get unblocked by the release team?

Cheers,
        Moritz

Message #31 received at 862053@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>, 862053@bugs.debian.org

Subject: Re: Bug#862053: marked as pending

Date: Sun, 04 Jun 2017 21:54:33 +0000

[Message part 1 (text/plain, inline)]

Hi Moritz,
  My gpg key expired and while I have uploaded an updated expiry date it
takes some time to get into the ftp server keyring.  The problem is I dont
know when that is.

So to your question I can upload it after the ftp server keyring updates
plus some time it takes for me to realise it is updated. If you know how to
check for the keyring the actual server uses that can help the second part.

Also which version of WordPress are you referring to? I upload a minimum of
3 each security release.

 - Craig

-- 
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #36 received at 862053@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Craig Small <csmall@debian.org>

Cc: team@security.debian.org, 862053@bugs.debian.org

Subject: Re: Bug#862053: marked as pending

Date: Mon, 5 Jun 2017 00:24:48 +0200

On Sun, Jun 04, 2017 at 09:54:33PM +0000, Craig Small wrote:
> Hi Moritz,
>   My gpg key expired and while I have uploaded an updated expiry date it
> takes some time to get into the ftp server keyring.  The problem is I dont
> know when that is.
> 
> So to your question I can upload it after the ftp server keyring updates
> plus some time it takes for me to realise it is updated. If you know how to
> check for the keyring the actual server uses that can help the second part.

Ah, I missed that. Sorry.

> Also which version of WordPress are you referring to? I upload a minimum of
> 3 each security release.

I was primarily referring to the sid upload, since the time window for uploads
aimed to stretch closes in a few days.

Cheers,
        Moritz

Message #41 received at 862053@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: team@security.debian.org, 862053@bugs.debian.org

Subject: Re: Bug#862053: marked as pending

Date: Mon, 05 Jun 2017 11:42:28 +0000

[Message part 1 (text/plain, inline)]

I'll try now. That bug close was actually for the security backport. I am
going to try a sid upload and see if my key is valid.

 - Craig


On Mon, Jun 5, 2017 at 8:24 AM Moritz Mühlenhoff <jmm@inutil.org> wrote:

> On Sun, Jun 04, 2017 at 09:54:33PM +0000, Craig Small wrote:
> > Hi Moritz,
> >   My gpg key expired and while I have uploaded an updated expiry date it
> > takes some time to get into the ftp server keyring.  The problem is I
> dont
> > know when that is.
> >
> > So to your question I can upload it after the ftp server keyring updates
> > plus some time it takes for me to realise it is updated. If you know how
> to
> > check for the keyring the actual server uses that can help the second
> part.
>
> Ah, I missed that. Sorry.
>
> > Also which version of WordPress are you referring to? I upload a minimum
> of
> > 3 each security release.
>
> I was primarily referring to the sid upload, since the time window for
> uploads
> aimed to stretch closes in a few days.
>
> Cheers,
>         Moritz
>
-- 
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #46 received at 862053-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 862053-close@bugs.debian.org

Subject: Bug#862053: fixed in wordpress 4.7.5+dfsg-2

Date: Mon, 05 Jun 2017 12:49:00 +0000

Source: wordpress
Source-Version: 4.7.5+dfsg-2

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862053@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Jun 2017 21:45:59 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 862053
Changes:
 wordpress (4.7.5+dfsg-2) unstable; urgency=medium
 .
   * Don't trust SERVER_NAME variable for emails
     CVE-2017-8295 Closes: #862053
Checksums-Sha1:
 d8de2d922cfa7789ae34925d5fd05f7a8e037bb0 2539 wordpress_4.7.5+dfsg-2.dsc
 b5fdc95e1497151b6c93172fb6535c98dc2e8ca9 6777644 wordpress_4.7.5+dfsg-2.debian.tar.xz
 7cd070fed80da6cf951f8a406f48749a5635499d 4383124 wordpress-l10n_4.7.5+dfsg-2_all.deb
 2d5c70ce578b4d04a97ea6727ed171917dcd12b9 700120 wordpress-theme-twentyfifteen_4.7.5+dfsg-2_all.deb
 c876caa73f5677c526197a2c79c4fed0d0dc259a 939838 wordpress-theme-twentyseventeen_4.7.5+dfsg-2_all.deb
 ca310d7f6dd72d5ffd9e7cb88778011c584a0f2d 588818 wordpress-theme-twentysixteen_4.7.5+dfsg-2_all.deb
 0688cb11bb331dee53c95cde0dd6a96f5b7edcdd 3998900 wordpress_4.7.5+dfsg-2_all.deb
 7ff9358352fb6c04d93179e7642a77765f4df768 7178 wordpress_4.7.5+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 8acc3c8a307d7159f1fc1f76dcfe0c58c77a19c2a08a9d2404b46f85ca6bf3bc 2539 wordpress_4.7.5+dfsg-2.dsc
 96d62a9c178a18a6139ffc3ab2fe1d4f1c2f217509d8d32e38af1582135fb942 6777644 wordpress_4.7.5+dfsg-2.debian.tar.xz
 3580f9ea9c869790cb03a4578085f5b3697d9ace158914677a4a36b209d6e172 4383124 wordpress-l10n_4.7.5+dfsg-2_all.deb
 72023267b6b56bf8a54aa6587dc5d081167fbf82b395dee6c19ba5600dad3083 700120 wordpress-theme-twentyfifteen_4.7.5+dfsg-2_all.deb
 d1256c327e1b7d2af3c64fb6113fbc5529a895a39839e9532db98d60fecd6a5b 939838 wordpress-theme-twentyseventeen_4.7.5+dfsg-2_all.deb
 561692740003099d58cec50b4b2d72a3c175fb00855cdde7aa46aec7781a9bbe 588818 wordpress-theme-twentysixteen_4.7.5+dfsg-2_all.deb
 9e983533d134eb9718d4fedf28212d4ae0c33c5868b2719ac876d6b9a4028d45 3998900 wordpress_4.7.5+dfsg-2_all.deb
 ba5abd8684f7bd148d3620635a0071d8620578e38a3479fd482fbc1bb200df93 7178 wordpress_4.7.5+dfsg-2_amd64.buildinfo
Files:
 7bddc38f8b6c0e7c60c561d1f36f4fa4 2539 web optional wordpress_4.7.5+dfsg-2.dsc
 5918910abbb8062d732224e6356212db 6777644 web optional wordpress_4.7.5+dfsg-2.debian.tar.xz
 2e5c491d679fdf5c6d9d5b19af1d7b42 4383124 localization optional wordpress-l10n_4.7.5+dfsg-2_all.deb
 51e44eab3b57c1cd0724a7692034bea6 700120 web optional wordpress-theme-twentyfifteen_4.7.5+dfsg-2_all.deb
 15fb8502d011e2a99ff2782c968ab547 939838 web optional wordpress-theme-twentyseventeen_4.7.5+dfsg-2_all.deb
 d2cb7885566660c1534603dc473219a3 588818 web optional wordpress-theme-twentysixteen_4.7.5+dfsg-2_all.deb
 48033a59af30c4c7f9ef606a78a8f400 3998900 web optional wordpress_4.7.5+dfsg-2_all.deb
 813ee7102bf7ec9264c38887ef57d2da 7178 web optional wordpress_4.7.5+dfsg-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAlk1SKwACgkQAiFmwP88
hOPwOQ//UCDEsrYDFdGJq4kaCYmOvtGozKXAZC1QyOfs4bsVXcEO4Uk3+pkPBl3Q
Vger4a31L5PvVaV/YpmAgwL719Vf4McdVHpADzMlnSz5vgoUEF2FE+HDIvFfTa3i
y6UJstKO6SveRSXfkO6i+viAAiGsigTVTzb7PFM416Xb+bgabIXW+gWVO0asekiP
v8cPB+OuOuP9oj/z0iT3rMhNhtfYu/PwC3NLMblxTh+sYrTYjJeujbuDsQJyvNVh
vZQ+xTywMX1m2kmSci54miQKZFEi6AtZ6AInC5TyU+VzJCHBlDvrIx8EEmJZAT76
HOlguXqXEFKwGgktnDlsFu96xTSrg6KvQiGziPV08GqKJ4hZIN1LCoLQ7EIQTLLg
U6GkcvmILDi3vDYCA+Um3GDOZEEXbPyYBVJu7sPk5e11YNHkb7cG+/d9FsXn5BoU
qDGGxdTN4tf/3L8FbAwt2F9TRNLx5xFlkgcKl4g4ji99Qmm5uNVIJzNE1ij1STow
ZRmoJBKcAFIBv16rJSmVUApos1tJdQ4afEQYcyMrcvcWQdqy4J3CPeMegssczBJq
qcIJ+g0XADrk+9lhVCE5eee2trLTJpuWuxQEAPOBeED1GW8rgF6+w1ZUbZslCNeS
eIGool/Ady+dn3XIVqm3lzIe1RVgTHXBhZTId9QEnYBBoAi27io=
=10QR
-----END PGP SIGNATURE-----

Message #53 received at 862053-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 862053-submitter@bugs.debian.org

Subject: Bug#862053 marked as pending

Date: Fri, 09 Jun 2017 11:43:00 +0000

tag 862053 pending
thanks

Hello,

Bug #862053 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=15f30ad

---
commit 15f30ad74428038ecaed723da126e387e01148da
Author: Craig Small <csmall@debian.org>
Date:   Mon Jun 5 21:37:17 2017 +1000

    Don't use SERVER_NAME for emails
    
    WordPress uses the SERVER_NAME variable to generate the from address for
    password resets. This variable can be set by the hostname sent by the
    client, which means it can be spoofed.
    
    This patch fixes CVE-2017-8295 and closes #862053

diff --git a/debian/changelog b/debian/changelog
index 2201ddc..7c9bd0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (4.7.5+dfsg-2) UNRELEASED; urgency=medium
+
+  * Don't trust SERVER_NAME variable for emails
+    CVE-2017-8295 Closes: #862053
+
+ -- Craig Small <csmall@debian.org>  Mon, 05 Jun 2017 21:36:10 +1000
+
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 
   * New upstream release fixes 6 security issues Closes: #862816

Message #58 received at 862053-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 862053-close@bugs.debian.org

Subject: Bug#862053: fixed in wordpress 4.1+dfsg-1+deb8u14

Date: Sat, 24 Jun 2017 21:19:24 +0000

Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u14

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862053@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 May 2017 22:24:48 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u14
Distribution: stable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 862053 862816
Changes:
 wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
 .
   * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062
      Improper handling of post meta data values in the XML-RPC API.
      Changeset 40699
    - CVE-2017-9065
      Lack of capability checks for post meta data in the XML-RPC API.
      Changeset 40684
    - CVE-2017-9064
      A Cross Site Request Forgery (CRSF) vulnerability was discovered
      in the filesystem credentials dialog.
      Changeset 40730
    - CVE-2017-9061
      A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files.
      Changeset 40743
    - CVE-2017-9063
      A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer.
      Changeset 40711
   * CVE-2017-9066 not fixed as the relevant code has changed dramatically
     and there is no upstream patch for it.
     Insufficient redirect validation in the HTTP class.
   * CVE-2017-8295 Don't use client-provided data to form password reset
     from email address, from WordPress ticket #23239 Closes: #862053
Checksums-Sha1:
 6992e217144edb572b91420cf4668a316d2f6cce 2206 wordpress_4.1+dfsg-1+deb8u14.dsc
 aecf3343a5b0b3b5e559a7e1eb41b32f2259414e 6129728 wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz
 d38e38a68b1eebba094e6863764e0350522fa5ef 3195086 wordpress_4.1+dfsg-1+deb8u14_all.deb
 0f926ddb33adc4287708dae4bd44c642bf3351c8 4246876 wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb
 eae5ee49eb7f94e86ad7b6cb8e42da58305a7d54 502928 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb
 709520bd322ec40b57181c6074e83f7887ce85f9 803836 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb
 751ddcab0d9a5c616d1e838c5aa2db9cee195e79 321408 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb
Checksums-Sha256:
 609a1a1e165605c45aed4374962112511f5d2b51c2a22c3a4c2db39247bdcfa2 2206 wordpress_4.1+dfsg-1+deb8u14.dsc
 3e661549549ed624dcae24c794f95e61d3092edcb8e8676fdfb045a7ba1ddead 6129728 wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz
 0ae928df0c24a663e804ae4a23c60e98f58552b54b7e862e7bb6d844382bead7 3195086 wordpress_4.1+dfsg-1+deb8u14_all.deb
 81d990e84c19a7a981b562ea175ad7680d37c769b942ec9fe37bdf1bc19c044f 4246876 wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb
 de1a849613a7e8eea5a91437757afdccc9aca5781cb8d2fcc73be212fb3a7f10 502928 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb
 02614dc4be3f5214ac033aabcfb3a9c4e17647436a8f69a22be7b67d5cbb0cc5 803836 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb
 d9a4d329f75e8697af88d58462a58b66266986037a65e3cfb160d904a71c4fda 321408 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb
Files:
 27c20ffff81220e8d626f73689bc86ea 2206 web optional wordpress_4.1+dfsg-1+deb8u14.dsc
 b035d001eccb9ca647ae135aff1b205a 6129728 web optional wordpress_4.1+dfsg-1+deb8u14.debian.tar.xz
 12b570d668be90fc5b85e3915e7b4525 3195086 web optional wordpress_4.1+dfsg-1+deb8u14_all.deb
 2c138c159b53cd36cc37bea33b33996f 4246876 localization optional wordpress-l10n_4.1+dfsg-1+deb8u14_all.deb
 05e24fb8304a6540b527dff44640ef6c 502928 web optional wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u14_all.deb
 0f0b708a3cec3edd2373392f3366a4ec 803836 web optional wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u14_all.deb
 018961b042c46458dd381507f3f2c6cd 321408 web optional wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u14_all.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh4EL6Jg/PVnWQFAlkvoS4ACgkQEL6Jg/PV
nWTDSAf/TjNiSUUbm0y53KsLziBpR7m1pqJlessKgPLRkeyEq9TetzMfDk34DkpV
uJndrX6cvof4236MZkm7TwcqwtQZLfk0ZInYW9DTkmIs+tw0KdXDTA5WuYcmDqmb
n+JZFCDbChbqQJrm5DDxccBAtbvSrg1eTO5pSanKJ1c7tOfIzsUOgRdM8FHVnZb2
MEZ74OZOqrWrtPcgJ9cOAYlu6Pbu7YBukoL2lcvEsr3gnQicRnE0QQBNYPnPs6iA
KxPQ4rPuzWWozxg4/oVUFFWmVF26a2vCCKKSRrKClrb1BKw7JLZijzan1l6jWj+q
WPbWcywFvnIWxAohT45u5JM8dZ3deQ==
=r4Ra
-----END PGP SIGNATURE-----

Message #61 received at 862053-submitter@bugs.debian.org (full text, mbox, reply):

From: leighton@leightonbrothers.co.uk

To: 862053-submitter@bugs.debian.org

Subject: Please recheck your delivery address (UPS parcel 002249746)

Date: Sun, 2 Jul 2017 18:49:39 +0100

[Message part 1 (text/plain, inline)]

Dear Customer,

Your parcel was successfully delivered June 28 to UPS Station, but our courier cound not contact you.

Please check the attachment for complete details!

Thank you for your consideration,
 ,
UPS Support Agent.

[UPS-Delivery-002249746.zip (application/zip, attachment)]

Send a report that this bug log contains spam.