wordpress: CVE-2018-5776: XSS vulnerability in MediaElement


Debian Bug report logs - #887596


Reported by: Craig Small <csmall@debian.org>

Date: Thu, 18 Jan 2018 10:45:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version wordpress/4.9.1+dfsg-1

Fixed in version wordpress/4.9.2+dfsg-1

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#887596; Package src:wordpress. (Thu, 18 Jan 2018 10:45:06 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Thu, 18 Jan 2018 10:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: XSS vulnerability in MediaElement
Date: Thu, 18 Jan 2018 21:43:35 +1100
Source: wordpress
Version: 4.9.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

I'm not 100% sure of how bad this is for Debian packages as a lot of
flash items are removed, but it could be still possibly triggered by
the JavaScript around it (this is where the patches seem to be).

This impacts all versions back to 3.7.

References:
 https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 https://wpvulndb.com/vulnerabilities/9006

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Marked as found in versions wordpress/4.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Jan 2018 12:57:05 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Jan 2018 15:51:05 GMT)


Changed Bug title to 'wordpress: CVE-2018-5776: XSS vulnerability in MediaElement' from 'wordpress: XSS vulnerability in MediaElement'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Jan 2018 09:18:03 GMT)


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 20 Jan 2018 07:54:04 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Sat, 20 Jan 2018 07:54:04 GMT)


Message #16 received at 887596-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 887596-close@bugs.debian.org
Subject: Bug#887596: fixed in wordpress 4.9.2+dfsg-1
Date: Sat, 20 Jan 2018 07:51:26 +0000
Source: wordpress
Source-Version: 4.9.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 20 Jan 2018 18:02:18 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.9.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 887596
Changes:
 wordpress (4.9.2+dfsg-1) unstable; urgency=high
 .
   * New upstream security release Closes: #887596
     and resolves CVE-2018-5776
   * Update standards version to 4.1.3 - no change
Checksums-Sha1:
Checksums-Sha256:
Files:




No longer marked as found in versions wordpress/4.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Jan 2018 05:21:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Feb 2018 07:31:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:46:19 2019; Machine Name: buxtehude
