wordpress: CVE-2016-6896 CVE-2016-6897

Debian Bug report logs - #837090
wordpress: CVE-2016-6896 CVE-2016-6897


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Sep 2016 17:39:02 UTC

Severity: grave

Tags: security, upstream

Found in version wordpress/4.5.3+dfsg-1

Fixed in versions wordpress/4.6.1+dfsg-1, wordpress/4.1+dfsg-1+deb8u10

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#837090; Package src:wordpress. (Thu, 08 Sep 2016 17:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>. (Thu, 08 Sep 2016 17:39:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2016-6896 CVE-2016-6897
Date: Thu, 08 Sep 2016 19:36:35 +0200
Source: wordpress
Version: 4.5.3+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for wordpress.

CVE-2016-6896[0] and CVE-2016-6897[1]. It was reported that they at
least affect 4.5.3; no earlier versions were checked so far, since no
full details of the fixes were given. There is more information in [2].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6896
[1] https://security-tracker.debian.org/tracker/CVE-2016-6897
[2] https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
[3] http://seclists.org/oss-sec/2016/q3/341

Could you please have a look at those, and please adjust the affected
versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 09 Sep 2016 12:21:18 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 09 Sep 2016 12:21:18 GMT) (full text, mbox, link).


Message #10 received at 837090-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 837090-close@bugs.debian.org
Subject: Bug#837090: fixed in wordpress 4.6.1+dfsg-1
Date: Fri, 09 Sep 2016 12:19:56 +0000
Source: wordpress
Source-Version: 4.6.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Sep 2016 21:56:22 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen
Architecture: source all
Version: 4.6.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 837090
Changes:
 wordpress (4.6.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream security release, Closes: #837090, fixes CVE-2016-6896 and
     CVE-2016-6897
Checksums-Sha1:
 1d4358c33837111fffc3128aca33c33f393e52be 2523 wordpress_4.6.1+dfsg-1.dsc
 3cc461c5d25a15e7e7b9552cf852fea30c656ab1 6154728 wordpress_4.6.1+dfsg.orig.tar.xz
 7523306d85a2eac628343a9ebc4aca1b627d986a 6950416 wordpress_4.6.1+dfsg-1.debian.tar.xz
 3dea5f97150d628b550da45aedd0c64165c4771d 4239702 wordpress-l10n_4.6.1+dfsg-1_all.deb
 fc874711e5a97944b7ae6bdfee0fdb6cf26a66a4 698828 wordpress-theme-twentyfifteen_4.6.1+dfsg-1_all.deb
 4890067b6ad0b8cb52ad0e1be3e1d23995560845 1120184 wordpress-theme-twentyfourteen_4.6.1+dfsg-1_all.deb
 a3b54e972bf5ccc1804dc2bcbd650344b14906a9 587770 wordpress-theme-twentysixteen_4.6.1+dfsg-1_all.deb
 aef631a3f0d255d25cfa8ee5958bed64c929d019 3830938 wordpress_4.6.1+dfsg-1_all.deb
Checksums-Sha256:
 8afbb0bbbb7db08474fc309cec9c825705bd8cf9dd30c62d88082e41552c6358 2523 wordpress_4.6.1+dfsg-1.dsc
 1ddf59a393d5bfad357790c1e2a8cc18e2d39724f91135606517ed4f2d8c35b1 6154728 wordpress_4.6.1+dfsg.orig.tar.xz
 1bcd6fbb3cba02616f67881499f8dbd9aa271e7493074d5a953bfc795e7b3d29 6950416 wordpress_4.6.1+dfsg-1.debian.tar.xz
 61a52bcba80b3439734a4da8a1bb07a29e4429be37aeb965cd53375fdb61a2d1 4239702 wordpress-l10n_4.6.1+dfsg-1_all.deb
 0931b4c96bbb24c9896c21957f5e35d79e1b80e396721d071fcf956cc8789ea6 698828 wordpress-theme-twentyfifteen_4.6.1+dfsg-1_all.deb
 7a93f7d8a6c9d885c54baf00b840a3e493301b158f50a61d77fc7b9705ea3328 1120184 wordpress-theme-twentyfourteen_4.6.1+dfsg-1_all.deb
 b399e11412402f09c93cc488505de5b869bab7cfbfeefe7c9e3d59333d2c7088 587770 wordpress-theme-twentysixteen_4.6.1+dfsg-1_all.deb
 fa9d9ceb685ce2d2c9bb7d1752a66085499fb3a79418144c56f7bf4fe31760ae 3830938 wordpress_4.6.1+dfsg-1_all.deb
Files:
 66256ba46886f8ab2a5e8c7ae0e29985 2523 web optional wordpress_4.6.1+dfsg-1.dsc
 ba1153082931208b4b81c0b342ecbdb9 6154728 web optional wordpress_4.6.1+dfsg.orig.tar.xz
 7edc8d6dcbad60014a7568c1a6e4b1a4 6950416 web optional wordpress_4.6.1+dfsg-1.debian.tar.xz
 c3a82324d898dad4d3807452d149d4f3 4239702 localization optional wordpress-l10n_4.6.1+dfsg-1_all.deb
 cfa5d5cf9139fb33453ebc3ca63563ae 698828 web optional wordpress-theme-twentyfifteen_4.6.1+dfsg-1_all.deb
 08550aeb4de92aedb97bd0288ac5de84 1120184 web optional wordpress-theme-twentyfourteen_4.6.1+dfsg-1_all.deb
 4126d5c1a43a095f8d6b077f0834c8c6 587770 web optional wordpress-theme-twentysixteen_4.6.1+dfsg-1_all.deb
 5728d78637bf947d562a3e595851d2f4 3830938 web optional wordpress_4.6.1+dfsg-1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#837090; Package src:wordpress. (Fri, 09 Sep 2016 21:15:08 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 09 Sep 2016 21:15:08 GMT) (full text, mbox, link).


Message #15 received at 837090@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 837090@bugs.debian.org
Subject: Re: Bug#837090: wordpress: CVE-2016-6896 CVE-2016-6897
Date: Fri, 09 Sep 2016 21:13:46 +0000
[Message part 1 (text/plain, inline)]
On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <carnil@debian.org>
wrote:

> the following vulnerabilities were published for wordpress.
>
> CVE-2016-6896[0] and CVE-2016-6897[1]. It was reported that they at
> least affect 4.5.3; no earlier versions were checked so far, since no
> full details of the fixes were given. There is more information in [2].
>

It's a little more complicated than that with three vulnerabilities and the
identification a bit mixed up. So here goes.

CSRF check done too late.
This is CVE-2016-6897; oss-sec correctly broke the two issues out due to
different versions being impacted. It was (silently?) fixed for wordpress
4.6 but that didn't get updated (I missed the 4.6 announcement) so sid was
still vulnerable until I uploaded 4.6.1.
Reported in wordpress 37490 and fixed in changeset 38168.

Directory traversal
This is CVE-2016-6896. Wordpress 4.6.1 reports this as "a cross-site
scripting vulnerability via image filename, reported by SumOfPwn researcher
Cengiz Han Sahin". Fixed in changeset 38538.

Upgrade Package Uploader
This has no CVE. Wordpress 4.6.1 reports this as "path traversal
vulnerability in the upgrade package uploader, reported by Dominik
Schilling". Fixed in changeset 38524.

The first changeset is simple with the other two being trivial. I will
start to look at jessie and see if that version is impacted. My initial
hunch is it will be. Expect a debdiff shortly!

 - Craig
[Message part 2 (text/html, inline)]

Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Fri, 09 Sep 2016 22:09:11 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#837090. (Fri, 09 Sep 2016 22:09:14 GMT) (full text, mbox, link).


Message #20 received at 837090-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 837090-submitter@bugs.debian.org
Subject: Bug#837090 marked as pending
Date: Fri, 09 Sep 2016 22:05:46 +0000
tag 837090 pending
thanks

Hello,

Bug #837090 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=8f8575b

---
commit 8f8575b8132884811063c7fefbd7aaf0825a7e71
Author: Craig Small <csmall@debian.org>
Date:   Sat Sep 10 07:53:57 2016 +1000

    backport changeset 38538
    
    sanitize the title from the uploaded filename.
    Fixes CVE-2016-6896
    
    References:
     https://core.trac.wordpress.org/changeset/38538

diff --git a/debian/changelog b/debian/changelog
index fcadd38..eeb8780 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wordpress (4.1+dfsg-1+deb8u10) UNRELEASED; urgency=high
+
+  * Backport patches from 4.6.1/4.1.13 Closes: #837090
+  * CVE-2016-6897 not vulnerable
+  * Changeset 38538 santize filename CVE-2016-6896
+
+ -- Craig Small <csmall@debian.org>  Sat, 10 Sep 2016 07:46:59 +1000
+
 wordpress (4.1+dfsg-1+deb8u9) jessie-security; urgency=high
 
   * Backport patches from 4.5.3/4.1.12 Closes: #828225
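Review bot: the CVE attribution in the new changelog entry is inconsistent and should be settled before upload: `+  * CVE-2016-6897 not vulnerable` sits next to `+  * Changeset 38538 santize filename CVE-2016-6896`, and the commit message above the hunk also ties changeset 38538 to CVE-2016-6896, whereas later in this bug log both the maintainer and the security team agree that 38538 is CVE-2016-7168 (the jessie changelog that finally shipped reads "Changeset 38538 sanitize filename in media CVE-2016-7168" and marks both CVE-2016-6896 and CVE-2016-6897 as not vulnerable). The same line has the typo "santize", and the distribution field is still `UNRELEASED`; it needs to become `jessie-security` before the debdiff goes to the security team.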



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#837090; Package src:wordpress. (Sat, 10 Sep 2016 08:25:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 10 Sep 2016 08:25:04 GMT) (full text, mbox, link).


Message #25 received at 837090@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, Debian Security Team <team@security.debian.org>
Cc: 837090@bugs.debian.org
Subject: wordpress CVEs (was: Re: Bug#837090: wordpress: CVE-2016-6896 CVE-2016-6897)
Date: Sat, 10 Sep 2016 10:05:03 +0200
[Message part 1 (text/plain, inline)]
Hi Craig,

Thanks for looking into it. Some comments, and adding the security
team alias.

On Fri, Sep 09, 2016 at 09:13:46PM +0000, Craig Small wrote:
> On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <carnil@debian.org>
> wrote:
> 
> > the following vulnerabilities were published for wordpress.
> >
> > CVE-2016-6896[0] and CVE-2016-6897[1]. It was reported that they at
> > least affect 4.5.3; no earlier versions were checked so far, since no
> > full details of the fixes were given. There is more information in [2].
> >
> 
> It's a little more complicated than that with three vulnerabilities and the
> identification a bit mixed up. So here goes.
> 
> CSRF check done too late.
> This is CVE-2016-6897; oss-sec correctly broke the two issues out due to
> different versions being impacted. It was (silently?) fixed for wordpress
> 4.6 but that didn't get updated (I missed the 4.6 announcement) so sid was
> still vulnerable until I uploaded 4.6.1.
> Reported in wordpress 37490 and fixed in changeset 38168.

Thanks for looking. Note that CVE-2016-6896 and CVE-2016-6897 are
related to
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
. The CVEs were assigned in
https://marc.info/?l=oss-security&m=147184869305873&w=2 .

Thus https://core.trac.wordpress.org/changeset/38168 should be
addressing both CVE-2016-6896 and CVE-2016-6897, is this correct?

> Directory traversal
> This is CVE-2016-6896. Wordpress 4.6.1 reports this as "a cross-site
> scripting vulnerability via image filename, reported by SumOfPwn researcher
> Cengiz Han Sahin". Fixed in changeset 38538.

Actually I think this is CVE-2016-7168. Cf.
https://marc.info/?l=oss-security&m=147337303615272&w=2 where the CVE
was assigned and is different from CVE-2016-6896. So the 'cross-site
scripting vulnerability via image filename', which is CVE-2016-7168
should be addressed by https://core.trac.wordpress.org/changeset/38538
.

> Upgrade Package Uploader
> This has no CVE. Wordpress 4.6.1 reports this as "path traversal
> vulnerability in the upgrade package uploader, reported by Dominik
> Schilling". Fixed in changeset 38524.

This is CVE-2016-7169.
(https://core.trac.wordpress.org/changeset/38524).

Can you confirm the above?

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#837090; Package src:wordpress. (Sat, 10 Sep 2016 11:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 10 Sep 2016 11:39:06 GMT) (full text, mbox, link).


Message #30 received at 837090@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 837090@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#837090: wordpress CVEs (was: Re: Bug#837090: wordpress: CVE-2016-6896 CVE-2016-6897)
Date: Sat, 10 Sep 2016 11:34:34 +0000
[Message part 1 (text/plain, inline)]
On Sat, Sep 10, 2016 at 6:25 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:

> Hi Craig,
>
> Thanks for looking into it. Some comments, and adding the security
> team alias.
>
> On Fri, Sep 09, 2016 at 09:13:46PM +0000, Craig Small wrote:
> > On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <carnil@debian.org>
> > wrote:
>


> > CSRF check done too late.
> > This is CVE-2016-6897; oss-sec correctly broke the two issues out due to
> > different versions being impacted. It was (silently?) fixed for wordpress
> > 4.6 but that didn't get updated (I missed the 4.6 announcement) so sid
> was
> > still vulnerable until I uploaded 4.6.1
> > Reported in wordpress 37490 and fixed in changeset 38168.
>
> Thanks for looking. Note that CVE-2016-6896 and CVE-2016-6897 are
> related to
>
> https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
> . The CVEs were assigned in
> https://marc.info/?l=oss-security&m=147184869305873&w=2 .
>
> Thus https://core.trac.wordpress.org/changeset/38168 should be
> addressing both CVE-2016-6896 and CVE-2016-6897, is this correct?
>
No, between 4.2 and 4.6 the sequence was:
  * check the file (get_plugin_data)
  * check the permissions (current_user_can)
  * check the nonce for CSRF (check_ajax_referer)

Then changeset 37714 did a lot of things, including putting the
check_ajax_referer check before everything else. This, I believe, fixed
CVE-2016-6897 if I'm understanding the reasons for the various functions
and that the point of check_ajax_referer() is to stop CSRF.

So 4.6 (not 4.6.1) had:
  * check the nonce for CSRF (check_ajax_referer)
  * check the file (get_plugin_data)
  * check the permissions (current_user_can)

This is why under "Fix" on the sumofpwn website it says 4.6 fixed that bit.

At 4.6 we're safe from CVE-2016-6897 but not CVE-2016-6896.
So we need:
 changeset 37714, or a subset of it, for CVE-2016-6897
 changeset 38168 for CVE-2016-6896, see how the current_user_can() gets
moved forward and get_plugin_data() moved backward?

> > Directory traversal
> > This is CVE-2016-6896. Wordpress 4.6.1 reports this as "a cross-site
> > scripting vulnerability via image filename, reported by SumOfPwn
> researcher
> > Cengiz Han Sahin". Fixed in changeset 38538.
>
> Actually I think this is CVE-2016-7168. Cf.
> https://marc.info/?l=oss-security&m=147337303615272&w=2 where the CVE
> was assigned and is different from CVE-2016-6896. So the 'cross-site
> scripting vulnerability via image filename', which is CVE-2016-7168
> should be addressed by https://core.trac.wordpress.org/changeset/38538
> .
>
Ah yes you're correct. They didn't mention this one in their release notes,
odd. Or perhaps I mixed this one up with the previous two as it was the
same reporter.
I concur 38538 relates to CVE-2016-7168.



> > Upgrade Package Uploader
> > This has no CVE. Wordpress 4.6.1 reports this as "path traversal
> > vulnerability in the upgrade package uploader, reported by Dominik
> > Schilling". Fixed in changeset 38524.
>
> This is CVE-2016-7169.
> (https://core.trac.wordpress.org/changeset/38524).
>
I concur that changeset 38524 is for CVE-2016-7169.


> Can you confirm the above?
>
In summary:
CVE-2016-6896 - CSRF in ajax: fixed in changeset 38168
CVE-2016-6897 - ajax handler path traversal: fixed in changeset 37114
CVE-2016-7168 - directory traversal on image filename: fixed in changeset
38538
CVE-2016-7169 - upgrade package uploader: fixed in changeset 38524

For Jessie, it's not vulnerable to the first two, as the functions were
introduced in WordPress 4.2.x.
It means what is required is that the two patches and the changelog just
need their CVE IDs fixed.
Does that sound right to you?

 - Craig
[Message part 2 (text/html, inline)]
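The ordering argument in Craig's message above (nonce check, then capability check, then any file access) modelled as a runnable script. This is an added example, not WordPress code and not written by anyone in this thread: the `Request`/`Site` classes, the `handle_old`/`handle_new` handlers, the `update_plugins` capability string, the nonce value and the plugin tree it builds under a temporary directory are all constructed here, and `plugin_data`, `nonce_ok` and `can_update` only stand in for the `get_plugin_data`, `check_ajax_referer` and `current_user_can` steps the thread names. It goes one step beyond the thread by also adding a containment check on the resolved path, a generic guard for the path traversal the advisory title refers to.

```python
"""Constructed model of the AJAX handler check ordering discussed in the thread.
Not WordPress code: every name and value here is hypothetical."""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Request:
    nonce: str                       # CSRF token sent with the request
    plugin: str                      # caller-supplied plugin path, e.g. "hello/hello.php"
    capabilities: set = field(default_factory=set)


@dataclass
class Site:
    root: str                        # absolute path of the plugin directory
    valid_nonce: str                 # the one nonce this site accepts (constructed)
    file_reads: list = field(default_factory=list)   # audit trail of files opened

    def plugin_data(self, rel_path):
        """Stand-in for reading plugin headers from disk (the get_plugin_data step)."""
        path = os.path.join(self.root, rel_path)
        self.file_reads.append(path)
        with open(path) as fh:
            return fh.readline().strip()


def nonce_ok(site, req):
    """Stand-in for the check_ajax_referer step."""
    return req.nonce == site.valid_nonce


def can_update(req):
    """Stand-in for the current_user_can step; the capability name is assumed."""
    return "update_plugins" in req.capabilities


def path_inside_root(root, rel_path):
    """Containment check: the resolved target must stay below the plugin root."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, rel_path))
    return os.path.commonpath([real_root, target]) == real_root and target != real_root


def handle_old(site, req):
    """Order described for 4.2 to 4.6: file first, then permissions, then nonce."""
    try:
        data = site.plugin_data(req.plugin)      # disk is touched for every caller
    except OSError:
        return ("error", "file")                 # answer differs by file existence
    if not can_update(req):
        return ("error", "permission")
    if not nonce_ok(site, req):
        return ("error", "nonce")
    return ("ok", data)


def handle_new(site, req):
    """Fixed order: nonce, then permissions, then path validation, then file."""
    if not nonce_ok(site, req):
        return ("error", "nonce")
    if not can_update(req):
        return ("error", "permission")
    if not path_inside_root(site.root, req.plugin):
        return ("error", "path")
    try:
        data = site.plugin_data(req.plugin)
    except OSError:
        return ("error", "file")
    return ("ok", data)


def run_demo():
    """Build a constructed plugin tree in a temp dir and exercise both orderings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "plugins")
        os.makedirs(os.path.join(root, "hello"))
        with open(os.path.join(root, "hello", "hello.php"), "w") as fh:
            fh.write("Plugin Name: Hello\n")
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:    # not a plugin
            fh.write("constructed secret\n")

        anon_exists = Request(nonce="", plugin="../outside.txt")
        anon_missing = Request(nonce="", plugin="../missing.txt")
        admin_ok = Request("n0nce", "hello/hello.php", {"update_plugins"})
        admin_traversal = Request("n0nce", "../outside.txt", {"update_plugins"})

        old = Site(root, "n0nce")
        results["old_anon_exists"] = handle_old(old, anon_exists)
        results["old_anon_missing"] = handle_old(old, anon_missing)
        results["old_reads"] = len(old.file_reads)

        new = Site(root, "n0nce")
        results["new_anon_exists"] = handle_new(new, anon_exists)
        results["new_anon_missing"] = handle_new(new, anon_missing)
        results["new_admin_ok"] = handle_new(new, admin_ok)
        results["new_admin_traversal"] = handle_new(new, admin_traversal)
        results["new_reads"] = len(new.file_reads)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two halves of the output: with the old order a caller who fails the nonce check still gets a different answer depending on whether the path it supplied exists, and the audit trail shows the file outside the plugin root was opened; with the new order both requests get the same "nonce" error and nothing is read until the caller has passed the CSRF and capability checks and the path has been confirmed to stay inside the plugin root.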

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Mon, 03 Oct 2016 19:21:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Oct 2016 19:21:10 GMT) (full text, mbox, link).


Message #35 received at 837090-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 837090-close@bugs.debian.org
Subject: Bug#837090: fixed in wordpress 4.1+dfsg-1+deb8u10
Date: Mon, 03 Oct 2016 19:17:07 +0000
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u10

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Sep 2016 08:07:11 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 837090
Changes:
 wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high
 .
   * Backport patches from 4.6.1/4.1.13 Closes: #837090
   * CVE-2016-6896 and CVE-2016-6897 not vulnerable
   * Changeset 38538 sanitize filename in media CVE-2016-7168
   * Changeset 38524 sanitize filename upload upgrader  CVE-2016-7169
   * CVE-2016-4029:
     WordPress before 4.5 does not consider octal and hexadecimal IP address
     formats when determining an intranet address, which allows remote attackers
     to bypass an intended SSRF protection mechanism via a crafted address.
   * CVE-2016-6634:
     Cross-site scripting (XSS) vulnerability in the network settings page in
     WordPress before 4.5 allows remote attackers to inject arbitrary web script
     or HTML via unspecified vectors.
   * CVE-2016-6635:
     Cross-site request forgery (CSRF) vulnerability in the
     wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php
     in WordPress before 4.5 allows remote attackers to hijack the
     authentication of administrators for requests that change the script
     compression option.
Checksums-Sha1:
 f092fb1eb33a47380c0ec8ca362c52ebf9906746 2537 wordpress_4.1+dfsg-1+deb8u10.dsc
 ac437190e0ea392da4ccc5262ef9233c35166ae5 6126040 wordpress_4.1+dfsg-1+deb8u10.debian.tar.xz
 184e136386021352b8090b5d25a1460d861e1349 3172420 wordpress_4.1+dfsg-1+deb8u10_all.deb
 106fa24dea9a667e2fe2f479e87a19331ca87f59 4236622 wordpress-l10n_4.1+dfsg-1+deb8u10_all.deb
 66e6711ced807d7af8771bcdf3211b099ce64ede 502012 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u10_all.deb
 fa5a2d486a3eb707d60651ffca0f7a6a9e207337 801288 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u10_all.deb
 f868dc86ebd32ef10034fe9688b26dd1fcd76e92 320818 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u10_all.deb
Checksums-Sha256:
 6ab7fae71273080f38af849cb9cd469f1a77734e882974c77fdf179ea0273513 2537 wordpress_4.1+dfsg-1+deb8u10.dsc
 f44383ee88b7816a3c488e11dd677a60cdc5411eeaae54ad382d541b48696db9 6126040 wordpress_4.1+dfsg-1+deb8u10.debian.tar.xz
 f5bf9e0ae17c6b84dbead1cccb17f0a91297d740937c67f88c5f0a16bdf15a58 3172420 wordpress_4.1+dfsg-1+deb8u10_all.deb
 4f25747f8aa08812dcfa20741d767dd8fce1ebf8788551258cffd5b4c6c60c02 4236622 wordpress-l10n_4.1+dfsg-1+deb8u10_all.deb
 ab3ee769d3e1b6687ff19f3dfbfd6fcf41b7778d01e2503cfa0aa8f1d069e34d 502012 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u10_all.deb
 b73dd46064424228517c128f4049bff2433952fe15a154dacea671c41570d622 801288 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u10_all.deb
 823f8691bad4935579cb9b2268858595b969195ad0b9be1bf677d81c45c6e390 320818 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u10_all.deb
Files:
 26fed67c2608fdd016e21c6b053fa5a0 2537 web optional wordpress_4.1+dfsg-1+deb8u10.dsc
 41d651a14a8da2b48b35d48f9cf62f4e 6126040 web optional wordpress_4.1+dfsg-1+deb8u10.debian.tar.xz
 a2a50da05c206e3e0944e8f302a8fc04 3172420 web optional wordpress_4.1+dfsg-1+deb8u10_all.deb
 4aa8009cb1635461452bf6d32b8691a6 4236622 localization optional wordpress-l10n_4.1+dfsg-1+deb8u10_all.deb
 6586be82424fc8cd5702ae6d96d7f84d 502012 web optional wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u10_all.deb
 dbed8d1ee41b97fa711b84dd2206865e 801288 web optional wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u10_all.deb
 079a7a7a65438785127c9c450bfcba54 320818 web optional wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u10_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Nov 2016 07:31:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:41:12 2019; Machine Name: beach
