wordpress: Several security issues versions 3.8-5.0

Debian Bug report logs - #916403

Reported by: Craig Small <csmall@debian.org>

Date: Thu, 13 Dec 2018 23:51:02 UTC

Severity: normal

Tags: security, upstream

Found in version wordpress/4.9.8+dfsg1-1

Fixed in version wordpress/5.0.1+dfsg1-1

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#916403; Package src:wordpress. (Thu, 13 Dec 2018 23:51:04 GMT).


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Thu, 13 Dec 2018 23:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Several security issues versions 3.8-5.0
Date: Fri, 14 Dec 2018 10:47:55 +1100
Source: wordpress
Version: 4.9.8
Severity: normal
Tags: security upstream


WordPress 5.0.1 has been released upstream which addresses multiple
security issues[1]

 * Karim El Ouerghemmi discovered that authors could alter meta data to
   delete files that they weren’t authorized to.
 * Simon Scannell of RIPS Technologies discovered that authors could create
   posts of unauthorized post types with specially crafted input.
 * Sam Thomas discovered that contributors could craft meta data in a way
   that resulted in PHP object injection.
 * Tim Coen discovered that contributors could edit new comments from
   higher-privileged users, potentially leading to a cross-site scripting
   vulnerability.
 * Tim Coen also discovered that specially crafted URL inputs could lead to
   a cross-site scripting vulnerability in some circumstances. WordPress
   itself was not affected, but plugins could be in some situations.
 * Team Yoast discovered that the user activation screen could be indexed
   by search engines in some uncommon configurations, leading to exposure
   of email addresses, and in some rare cases, default generated passwords.
 * Tim Coen and Slavco discovered that authors on Apache-hosted sites could
   upload specifically crafted files that bypass MIME verification, leading
   to a cross-site scripting vulnerability.

Phew!
Given it goes back to 3.8, it impacts every dist back to old stable.
I'll raise some CVE requests if they are not already in train.

1: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#916403; Package src:wordpress. (Fri, 14 Dec 2018 05:15:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Fri, 14 Dec 2018 05:15:05 GMT).


Message #10 received at 916403@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 916403@bugs.debian.org
Subject: Re: Bug#916403: wordpress: Several security issues versions 3.8-5.0
Date: Fri, 14 Dec 2018 06:10:41 +0100

Hi Craig,

On Fri, Dec 14, 2018 at 10:47:55AM +1100, Craig Small wrote:
[...]
> I'll raise some CVE requests if they are not already in train.

That would be appreciated if you can take care of it.

Regards,
Salvatore



No longer marked as found in versions wordpress/4.9.8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Dec 2018 05:15:07 GMT).


Marked as found in versions wordpress/4.9.8+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Dec 2018 05:15:08 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#916403; Package src:wordpress. (Sat, 15 Dec 2018 01:03:05 GMT).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 15 Dec 2018 01:03:05 GMT).


Message #19 received at 916403@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 916403@bugs.debian.org
Subject: Re: Bug#916403: wordpress: Several security issues versions 3.8-5.0
Date: Sat, 15 Dec 2018 11:58:22 +1100

On Fri, 14 Dec. 2018, 16:10 Salvatore Bonaccorso <carnil@debian.org> wrote:

> That would be appreciated if you can take care of it.
>
Request 614153 into MITRE.

Still trying to work out what changeset fixes what bug, they don't exactly
go into much detail. I don't need it for the Sid release but for the
others.

 - Craig

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Mon, 17 Dec 2018 15:03:57 GMT).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Mon, 17 Dec 2018 15:03:57 GMT).


Message #24 received at 916403-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 916403-close@bugs.debian.org
Subject: Bug#916403: fixed in wordpress 5.0.1+dfsg1-1
Date: Mon, 17 Dec 2018 15:00:31 +0000
Source: wordpress
Source-Version: 5.0.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916403@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 16 Dec 2018 10:45:32 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyseventeen wordpress-theme-twentynineteen
Architecture: source all
Version: 5.0.1+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 916403
Changes:
 wordpress (5.0.1+dfsg1-1) unstable; urgency=high
 .
   * New upstream source. fixes 7 Security issues Closes: #916403
     - CVE-2018-20147
       Delete files through altered meta data
     - CVE-2018-20152
       Create posts of unauthorized post types
     - CVE-2018-20148
       PHP object injection through crafted meta data
     - CVE-2018-20153
       Edit other users comments, leading to XSS
     - CVE-2018-20150
       XSS in plugins through crafted URL inputs
     - CVE-2018-20151
       User activation screen visible to search engines
     - CVE-2018-20149
       Bypass MIME verification causing XSS
   * Themes: Remove twentyfifteen, add twentynineteen and make default
   * Remove remote emojis




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Jan 2019 07:25:16 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:21:14 2019; Machine Name: buxtehude
