wordpress: New critical security release available: 4.1.2 (CVE-2015-3438 CVE-2015-3439)

Debian Bug report logs - #783347

Reported by: Christer Mjellem Strand <dilldall@bjork.org>

Date: Sun, 26 Apr 2015 08:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version wordpress/4.1+dfsg-1

Fixed in versions wordpress/4.2+dfsg-1, wordpress/4.1+dfsg-1+deb8u1, wordpress/3.6.1+dfsg-1~deb7u6, wordpress/3.6.1+dfsg-1~deb6u6

Done: Mike Gabriel <sunweaver@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#783347; Package wordpress. (Sun, 26 Apr 2015 08:51:06 GMT)


Acknowledgement sent to Christer Mjellem Strand <dilldall@bjork.org>:
New Bug report received and forwarded. Copy sent to Craig Small <csmall@debian.org>. (Sun, 26 Apr 2015 08:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christer Mjellem Strand <dilldall@bjork.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: New critical security release available: 4.1.2
Date: Sun, 26 Apr 2015 10:42:10 +0200
Package: wordpress
Version: 4.1+dfsg-1
Severity: important

Dear Maintainer,

Version 4.1.2 was released on April 21st, tagged as a "critical security release", and containing several security-related fixes, including an important XSS fix.
As far as I can tell, this release is available in neither stable nor unstable, nor have the fixes as of yet been backported to a stable release.
I therefore request that you please consider packaging and uploading this fixed version.
Note also that version 4.2 was released on April 23rd, which should likely be considered for unstable.

I understand this must have been a busy week, and apologize if this is already being looked into.

Thanks, and thanks for maintaining WordPress!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2                          2.4.9-1
ii  apache2-bin [httpd]              2.4.9-1
ii  apache2-mpm-itk [httpd]          2.4.9-1
ii  ca-certificates                  20141019
ii  libapache2-mod-php5              5.6.0+dfsg-1
ii  libjs-cropper                    1.2.2-1
ii  libjs-mediaelement               2.15.1+dfsg-1
ii  libphp-phpmailer                 5.2.9+dfsg-2
ii  mysql-client-5.5 [mysql-client]  5.5.40-1
ii  php-getid3                       1.9.8-3
ii  php5                             5.4.4-15.1
ii  php5-gd                          5.6.0+dfsg-1
ii  php5-mysql                       5.6.0+dfsg-1
ii  wordpress-theme-twentyfifteen    4.1+dfsg-1

Versions of packages wordpress recommends:
ii  wordpress-l10n  4.1+dfsg-1

Versions of packages wordpress suggests:
ii  mysql-server  5.5.40-1

-- Configuration Files:
/etc/wordpress/htaccess [Errno 2] No such file or directory: u'/etc/wordpress/htaccess'

-- no debconf information

-- debsums errors found:
sh: /usr/sbin/dpkg-divert: No such file or directory



Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 26 Apr 2015 08:57:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#783347; Package wordpress. (Sun, 26 Apr 2015 10:54:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sun, 26 Apr 2015 10:54:04 GMT)


Message #12 received at 783347@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Christer Mjellem Strand <dilldall@bjork.org>, 783347@bugs.debian.org
Subject: Re: Bug#783347: wordpress: New critical security release available: 4.1.2
Date: Sun, 26 Apr 2015 20:45:59 +1000
On Sun, Apr 26, 2015 at 10:42:10AM +0200, Christer Mjellem Strand wrote:
> Version 4.1.2 was released on April 21st, tagged as a "critical security release", and containing several security-related fixes, including an important XSS fix.
Thanks for the report. At the same time they changed the download URLs
so my watch file failed. Seems to not have triggered anything in the
security part of Debian either; odd really.

> Note also that version 4.2 was released on April 23rd, which should likely be considered for unstable.
I'll work on 4.2 for sid and testing.

> I understand this must have been a busy week, and apologize if this is already being looked into.
Nope, completely missed. Thanks for letting me know.


-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Information stored:
Bug#783347; Package wordpress. (Sun, 26 Apr 2015 13:24:08 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 26 Apr 2015 13:24:09 GMT)


Message #17 received at 783347-quiet@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 783347-quiet@bugs.debian.org
Subject: Re: Bug#783347: wordpress: New critical security release available: 4.1.2
Date: Sun, 26 Apr 2015 23:13:51 +1000
sid has been uploaded and I have mostly (I think) backported the
changesets for jessie, but they need some reviewing and I have
run out of time for tonight :/

 - Craig
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Marked as fixed in versions wordpress/4.2+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 26 Apr 2015 19:57:05 GMT)


Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Tue, 28 Apr 2015 06:18:05 GMT)


Message sent on to Christer Mjellem Strand <dilldall@bjork.org>:
Bug#783347. (Tue, 28 Apr 2015 06:18:09 GMT)


Message #24 received at 783347-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 783347-submitter@bugs.debian.org
Subject: Bug#783347 marked as pending
Date: Tue, 28 Apr 2015 06:15:20 +0000
tag 783347 pending
thanks

Hello,

Bug #783347 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=9d0f750

---
commit 9d0f750a485f43e438f6ac910ad80ccd93e96744
Author: Craig Small <csmall@debian.org>
Date:   Mon Apr 27 22:58:26 2015 +1000

    4.1-2 release

diff --git a/debian/changelog b/debian/changelog
index acf85cf..4e129aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
-wordpress (4.1+dfsg-2) UNRELEASED; urgency=medium
+wordpress (4.1+dfsg-2) jessie-security; urgency=high
 
-  * Backports of 4.1.2 security fixes
+  * Backports of 4.1.2 security fixes Closes: #783347
 
- -- Craig Small <csmall@debian.org>  Sun, 26 Apr 2015 23:09:32 +1000
+ -- Craig Small <csmall@debian.org>  Mon, 27 Apr 2015 22:53:25 +1000
 
 wordpress (4.1+dfsg-1) unstable; urgency=medium
 
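Review bot: the new header targets jessie-security with a plain revision bump to 4.1+dfsg-2, but a security update to an already released stable needs a stable-update version so it does not collide with the unstable revision series; the upload that eventually closed this bug (Bug#783347: fixed in wordpress 4.1+dfsg-1+deb8u1) used the +deb8u1 form, and the committed changelog should carry that version too. The single bullet also names neither the CVE identifiers the bug title was later given (CVE-2015-3438, CVE-2015-3439) nor the upstream changesets that were backported, which the later wheezy entry enumerates; suggest `  * Backports of 4.1.2 security fixes (CVE-2015-3438, CVE-2015-3439) Closes: #783347` followed by one `- Changeset NNNNN ...` line per backported change so a reviewer can check the backport against upstream.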



Changed Bug title to 'wordpress: New critical security release available: 4.1.2 (CVE-2015-3438 CVE-2015-3439)' from 'wordpress: New critical security release available: 4.1.2'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 28 Apr 2015 20:45:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#783347; Package wordpress. (Thu, 30 Apr 2015 18:51:11 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 30 Apr 2015 18:51:11 GMT)


Message #31 received at 783347@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 783347@bugs.debian.org
Cc: csmall@debian.org
Subject: Any ETA on when the backport will come to jessie ?
Date: Thu, 30 Apr 2015 19:46:52 +0100
Sorry to disturb Craig,

But is there any ETA on when the changes will come to jessie? Can I help you
with testing?

Also, I can review the backports if you still need peer review :)






Thanks a lot and sorry again,
Rodrigo



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#783347; Package wordpress. (Sat, 02 May 2015 03:03:10 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 02 May 2015 03:03:10 GMT)


Message #36 received at 783347@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Rodrigo Campos <rodrigo@sdfg.com.ar>
Cc: 783347@bugs.debian.org
Subject: Re: Any ETA on when the backport will come to jessie ?
Date: Sat, 2 May 2015 13:01:29 +1000
On Thu, Apr 30, 2015 at 07:46:52PM +0100, Rodrigo Campos wrote:
> But is there any ETA on when the changes will come to jessie? Can I help you
> with testing?
> 
> Also, I can review the backports if you still need peer review :)
I'm about to release it. I emailed the security team and they didn't say
no, but it wasn't exactly clear I was ok to proceed.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Message sent on to Christer Mjellem Strand <dilldall@bjork.org>:
Bug#783347. (Sat, 02 May 2015 04:15:18 GMT)


Message #39 received at 783347-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 783347-submitter@bugs.debian.org
Subject: Bug#783347 marked as pending
Date: Sat, 02 May 2015 04:11:32 +0000
tag 783347 pending
thanks

Hello,

Bug #783347 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=290cf3d

---
commit 290cf3df05eb43415aff560ec824dd6d5f319399
Author: Craig Small <csmall@debian.org>
Date:   Sat May 2 14:09:12 2015 +1000

    4.2.1 and 4.1.2 packages backported
    
    All the relevant changesets from wordpress 4.1.2 and
    4.2.1 backported for wheezy.
    
    Bugs: #783347

diff --git a/debian/changelog b/debian/changelog
index a0781c0..330a607 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+wordpress (3.6.1+dfsg-1~deb7u6) wheezy-security; urgency=medium
+
+  * Wordpress 4.2.1 and 4.1.2 security fixes
+  * Backports of 4.1.2 security fixes Closes: #783347
+    - Changeset 32163 sanity checks
+    - Changeset 32165 sanitize order by
+    - Changeset 32174 multisite change extra checks
+    - Changeset 32176 Dashboard escapes titles
+    - Changeset 32234 More WPDB query sanity
+  * Backport of 4.2.1 for security fixes Closes: #783554
+    - Changeset 32307: XSS for long 64k+ comments
+  * Changeset 32172 NOT applied as bug introduced later
+
+ -- Craig Small <csmall@debian.org>  Sat, 02 May 2015 14:04:44 +1000
+
 wordpress (3.6.1+dfsg-1~deb7u5) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
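Review bot: the new header sets urgency=medium for an upload to wheezy-security, while the .changes that was actually accepted for 3.6.1+dfsg-1~deb7u6 (Message #54) shows Urgency: high, so the committed changelog and the uploaded one disagree; a security update is conventionally urgency=high and the commit should match what went to the archive. The first bullet `  * Wordpress 4.2.1 and 4.1.2 security fixes` only restates the two bullets that follow it and can be dropped, and the changeset lines carry no CVE identifiers (CVE-2015-3438 and CVE-2015-3439 for the 4.1.2 fixes, CVE-2015-3440 for the 64k+ comment XSS), which the later squeeze-lts entry adds and which is what the security tracker keys on. `  * Changeset 32172 NOT applied as bug introduced later` would be more useful if it named the version that introduced the bug, since that is the fact a reader needs to confirm that the 3.6.1 tree is not affected.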



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#783347; Package wordpress. (Sat, 02 May 2015 05:57:05 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 02 May 2015 05:57:05 GMT)


Message #44 received at 783347@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: Craig Small <csmall@debian.org>, 783347@bugs.debian.org
Subject: Re: Any ETA on when the backport will come to jessie ?
Date: Sat, 2 May 2015 06:52:33 +0100
On Sat, May 02, 2015 at 01:01:29PM +1000, Craig Small wrote:
> On Thu, Apr 30, 2015 at 07:46:52PM +0100, Rodrigo Campos wrote:
> > But is there any ETA on when the changes will come to jessie? Can I help you
> > with testing?
> > 
> > Also, I can review the backports if you still need peer review :)
> I'm about to release it. I emailed the security team and they didn't say
> no, but it wasn't exactly clear I was ok to proceed.

Great, thanks a lot Craig. Really.

And sorry again,
Rodrigo



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Tue, 05 May 2015 19:51:17 GMT)


Notification sent to Christer Mjellem Strand <dilldall@bjork.org>:
Bug acknowledged by developer. (Tue, 05 May 2015 19:51:17 GMT)


Message #49 received at 783347-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 783347-close@bugs.debian.org
Subject: Bug#783347: fixed in wordpress 4.1+dfsg-1+deb8u1
Date: Tue, 05 May 2015 19:47:11 +0000
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783347@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 02 May 2015 12:59:53 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 783347 783554
Changes:
 wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Backports of 4.1.2 security fixes Closes: #783347
     - Changeset 32163 sanity checks
     - Changeset 32165 sanitize order by
     - Changeset 32172 filename check
     - Changeset 32174 multisite change extra checks
     - Changeset 32176 Dashboard escapes titles
     - Changeset 32234 More WPDB query sanity
   * Backport of 4.2.1 for security fixes Closes: #783554
     - Changeset 32307: XSS for long 64k+ comments




Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Tue, 05 May 2015 19:54:13 GMT)


Notification sent to Christer Mjellem Strand <dilldall@bjork.org>:
Bug acknowledged by developer. (Tue, 05 May 2015 19:54:13 GMT)


Message #54 received at 783347-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 783347-close@bugs.debian.org
Subject: Bug#783347: fixed in wordpress 3.6.1+dfsg-1~deb7u6
Date: Tue, 05 May 2015 19:50:51 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb7u6

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783347@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 02 May 2015 14:04:44 +1000
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u6
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 783347 783554
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u6) wheezy-security; urgency=high
 .
   * Wordpress 4.2.1 and 4.1.2 security fixes
   * Backports of 4.1.2 security fixes Closes: #783347
     - Changeset 32163 sanity checks
     - Changeset 32165 sanitize order by
     - Changeset 32174 multisite change extra checks
     - Changeset 32176 Dashboard escapes titles
     - Changeset 32234 More WPDB query sanity
   * Backport of 4.2.1 for security fixes Closes: #783554
     - Changeset 32307: XSS for long 64k+ comments
   * Changeset 32172 NOT applied as bug introduced later




Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Mon, 01 Jun 2015 11:57:04 GMT)


Notification sent to Christer Mjellem Strand <dilldall@bjork.org>:
Bug acknowledged by developer. (Mon, 01 Jun 2015 11:57:05 GMT)


Message #59 received at 783347-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 783347-close@bugs.debian.org
Subject: Bug#783347: fixed in wordpress 3.6.1+dfsg-1~deb6u6
Date: Mon, 01 Jun 2015 11:53:09 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u6

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783347@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 01 Jun 2015 13:07:25 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 770425 783347 783554
Changes: 
 wordpress (3.6.1+dfsg-1~deb6u6) squeeze-lts; urgency=medium
 .
   [ Mike Gabriel ]
   * Non-maintainer upload by the Squeeze LTS Team.
     + Backport patch set from wordpress in Debian wheezy
       (3.6.1+dfsg-1~deb7u5 and 3.6.1+dfsg-1~deb7u6).
     + For details, see below.
 .
   [ Craig Small ]
   * From 3.6.1+dfsg-1~deb7u6...
   * Backports of 4.1.2 security fixes (CVE-2015-3438, CVE-2015-3439).
     (Closes: #783347).
     - Changeset 32163 sanity checks
     - Changeset 32165 sanitize order by
     - Changeset 32174 multisite change extra checks
     - Changeset 32176 Dashboard escapes titles
     - Changeset 32234 More WPDB query sanity
   * Backport of 4.2.1 for security fixes Closes: #783554
     - Changeset 32307: XSS for long 64k+ comments (CVE-2015-3440).
   * Changeset 32172 NOT applied as bug introduced later.
 .
   * From 3.6.1+dfsg-1~deb7u5...
   * Backport patches for 3.7.4->3.7.5 (Closes: #770425).
     - CVE-2014-9031 XSS in wptexturize() via comments or posts
     - CVE-2014-9033 CSRF in the password reset process
     - CVE-2014-9034 Denial of service for giant passwords
     - CVE-2014-9035 XSS in Press This
     - CVE-2014-9036 XSS in HTML filtering of CSS in posts
     - CVE-2014-9037 Hash comparison vulnerability in old passwords
     - CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block
       the loopback IP address space
     - CVE-2014-9039 Email address change didn't invalidate previously sent
       password reset




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Jun 2015 07:31:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:46:06 2019; Machine Name: beach
