wordpress: CVE-2019-9787: Comments may create a XSS

Debian Bug report logs - #924546
wordpress: CVE-2019-9787: Comments may create a XSS

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wordpress: Comments may create a XSS

Date: Thu, 14 Mar 2019 21:20:05 +1100

Source: wordpress
Version: 5.0.3+dfsg1-1
Severity: important
Tags: security

This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.

WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Message #10 received at 924546-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 924546-close@bugs.debian.org

Subject: Bug#924546: fixed in wordpress 5.1.1+dfsg1-1

Date: Thu, 14 Mar 2019 11:51:12 +0000

Source: wordpress
Source-Version: 5.1.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Mar 2019 22:10:00 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentynineteen wordpress-theme-twentyseventeen wordpress-theme-twentysixteen
Architecture: source all
Version: 5.1.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 924546
Changes:
 wordpress (5.1.1+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release
   * Fixes XSS security hole in comments Closes: #924546
   * Added new/better config example
Checksums-Sha1:
 888d584ef7b18b906c832d5e405c9d11e4f587a6 2442 wordpress_5.1.1+dfsg1-1.dsc
 6e12d1794fed0753cca0c467e6a4f7c2e1d36be9 7734220 wordpress_5.1.1+dfsg1.orig.tar.xz
 f77f9f654f4e95501c70676d0d9b34da8a4eb8d0 6818632 wordpress_5.1.1+dfsg1-1.debian.tar.xz
 4de460c362eab407586157eec72c5e1b2f76a427 4381952 wordpress-l10n_5.1.1+dfsg1-1_all.deb
 5804f613d7315f6e1af2d2cc7afb1ead96da907f 315164 wordpress-theme-twentynineteen_5.1.1+dfsg1-1_all.deb
 74120931b353913bce1060eb1d57e5756244aede 945892 wordpress-theme-twentyseventeen_5.1.1+dfsg1-1_all.deb
 7c7d76126cf413dd2293c24925752406b214e6bc 593644 wordpress-theme-twentysixteen_5.1.1+dfsg1-1_all.deb
 b8c166af1b2fc2c9e19b5701d17be194568b8eb3 5863996 wordpress_5.1.1+dfsg1-1_all.deb
 0587fb309ccb645a3bfd1134d1206e032e7b0bbf 7250 wordpress_5.1.1+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 5058fb8595acdd535c0f0c4c39174b02190fbc102877c0d949a1deaa66ee2dda 2442 wordpress_5.1.1+dfsg1-1.dsc
 aa7a350983f50c808c5d2ddc6e4ce1912b818ed542c951f534fd3dc59fe088c5 7734220 wordpress_5.1.1+dfsg1.orig.tar.xz
 e19e2fb35e871aa58e703fd1ceaa343ac9a92b3372ee0943c08d2a56d19c078e 6818632 wordpress_5.1.1+dfsg1-1.debian.tar.xz
 e378df35cb39b987c9d3683e81222702199e0f4c22dfeecba653ad948f88140d 4381952 wordpress-l10n_5.1.1+dfsg1-1_all.deb
 6212c2ac39dd15b17a43410aaeb5df31bdf8bdb8bf304387ee7e594d8b33004c 315164 wordpress-theme-twentynineteen_5.1.1+dfsg1-1_all.deb
 fb2468d99c13f30a448a7b4a2b60ee26702f8e3f62cc04eee24ee0936840e427 945892 wordpress-theme-twentyseventeen_5.1.1+dfsg1-1_all.deb
 ea82e8b4f7a664c3cbadc1976f740ba0e4bbf4d2306538d3fe94478420ea1440 593644 wordpress-theme-twentysixteen_5.1.1+dfsg1-1_all.deb
 a73eab6d9c1e8ed11fe337a6d3784805b62301392ac998794fe6c1ab055cc00c 5863996 wordpress_5.1.1+dfsg1-1_all.deb
 3e9f9e1a9715f2f58f928cecc4d2bda4ac44e98fe3c2d424646d4148e899f7ff 7250 wordpress_5.1.1+dfsg1-1_amd64.buildinfo
Files:
 ba208241de174f9a46f13fe5cff07d55 2442 web optional wordpress_5.1.1+dfsg1-1.dsc
 449a06201c1369a912026567ce2d56d0 7734220 web optional wordpress_5.1.1+dfsg1.orig.tar.xz
 a53797f4a79615b7acfbbf01d85391d4 6818632 web optional wordpress_5.1.1+dfsg1-1.debian.tar.xz
 e622e6c42a5d80d23a04a09f31380ff6 4381952 localization optional wordpress-l10n_5.1.1+dfsg1-1_all.deb
 3074ed9c05ae5f4bfe236066edb38e6b 315164 web optional wordpress-theme-twentynineteen_5.1.1+dfsg1-1_all.deb
 0f7b0ea7f65ef5939b87f25b7972da9a 945892 web optional wordpress-theme-twentyseventeen_5.1.1+dfsg1-1_all.deb
 23b8b41af1e214b13d6198cde20bc63e 593644 web optional wordpress-theme-twentysixteen_5.1.1+dfsg1-1_all.deb
 7f38c8a6fc8d63ea537ef77fed77feaf 5863996 web optional wordpress_5.1.1+dfsg1-1_all.deb
 da17d1ed1a367ea0657454f1e086ed2f 7250 web optional wordpress_5.1.1+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAlyKOyIACgkQAiFmwP88
hONBEA//YZoOU0TRqcbN3+72OMdynNYjFS8hHFVi2uo4o9RMjWMBgZEkDbjH28Yq
imeTCgeYI2tYqw1YSRax3bvH3jsqDI7sloVuBkj4aZPlN8XoQXDEQn+0DplxpKzS
U6b9WNWtGSJjF43E2iBIdjL7ddCCIquoAc5Uv7SQK30IT+3Ad34YscefMUnNxb3k
axaMHV7LkwGKO6zBFPn5S22vUG8+XUEGkFuPk0d8RV3dzv/j2m9rOXu+9ECAzhM+
Wp3FE4VATwsy6kAa2jNGSZGgqi5GTnDcWLmlkdWKWp8mH4u1dCmPwi76P/ahNQBs
Xd3sNSfKs2y7NYesEIFcIks+ZgzcLnzlYAYvM1EseQHjGgKKLHrkbhkFuhqwAQ/l
WQeGOzHhGjBr9+Dcbl6srUBTAQ2K7sjFdVJMAJ2rLPxDUQe3guP6oW1VBlEkZkgi
a/lZyIbkkDT1SA9fwOTbEGXnLnLle8B+N4rOZGYQ/rNekPexrAiH8AzyRJP8Rq6i
DFk4lrShnjyW0XRle9mwoRMMckmuyBCEE/ldZRjxeUHNUd5WJWukZFKwlHuJEd++
ggCUon9FfOg982WOqSQDlfzPbvb9CloWHZVyx8CYiWcto8fCTQzIIb0Ju1Dlp2jy
udMl0hKNrPLPEN8G9WXqx8tndKEHfUzFG+URhuUVlsI0mJc5hRE=
=0x7N
-----END PGP SIGNATURE-----

Message #15 received at 924546@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Craig Small <csmall@debian.org>, 924546@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#924546: wordpress: Comments may create a XSS

Date: Thu, 14 Mar 2019 15:48:52 +0100

Hi Craig,

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
> 
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
> 
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

Can you request a CVE for the XSS issue? Or respectively for the
issues fixed in that release?

Regards,
Salvatore

Message #20 received at 924546@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Craig Small <csmall@debian.org>, 924546@bugs.debian.org

Subject: Re: Bug#924546: wordpress: Comments may create a XSS

Date: Thu, 14 Mar 2019 21:15:23 +0100

Control: retitle -1 wordpress: CVE-2019-9787: Comments may create a XSS

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
> 
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
> 
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

CVE-2019-9787 has been assigned for this issue.

Regards,
Salvatore

Message #33 received at 924546@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Craig Small <csmall@debian.org>, 924546@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: wordpress for buster (was: Re: Bug#924546: wordpress: Comments may create a XSS)

Date: Tue, 19 Mar 2019 14:18:45 +0100

Hi Craig,

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
> 
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
> 
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

Given we are in freeze, the fix cannot enter now buster withouth
having an ack from release team.

Can you check if it would be feasible to make this upload enter
buster?

Regards,
Salvatore

Message #38 received at 924546@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 924546@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#924546: wordpress for buster (was: Re: Bug#924546: wordpress: Comments may create a XSS)

Date: Fri, 22 Mar 2019 16:02:41 +1100

[Message part 1 (text/plain, inline)]

Hi,
  I'll see what the release team say. I have everything prepared for a
backport, just need the respective OK.

 - Craig

[Message part 2 (text/html, inline)]

Message #43 received at 924546-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 924546-close@bugs.debian.org

Subject: Bug#924546: fixed in wordpress 5.0.4+dfsg1-1

Date: Thu, 18 Apr 2019 09:48:37 +0000

Source: wordpress
Source-Version: 5.0.4+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Mar 2019 09:20:02 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentynineteen wordpress-theme-twentyseventeen wordpress-theme-twentysixteen
Architecture: source all
Version: 5.0.4+dfsg1-1
Distribution: buster
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 924546
Changes:
 wordpress (5.0.4+dfsg1-1) buster; urgency=medium
 .
   * Backport of 5.1.1 patches
   * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787
Checksums-Sha1:
 9d69c22484fd841ee0f7c5bf49e1706ac9cd29fb 2442 wordpress_5.0.4+dfsg1-1.dsc
 c2f13e9747708167a7445848032220e21aa7400b 7841492 wordpress_5.0.4+dfsg1.orig.tar.xz
 189766d6ebe768ca46c5fc4231f2bb9746444bb1 6817812 wordpress_5.0.4+dfsg1-1.debian.tar.xz
 fcbe7335e064936dc96a32d3225e5b5e997375e6 4384352 wordpress-l10n_5.0.4+dfsg1-1_all.deb
 3340e0dba1f3aaf2062c013e9b84d1ce0eefd95f 306000 wordpress-theme-twentynineteen_5.0.4+dfsg1-1_all.deb
 112ae52a7de1090ecba4872bd3555d07087dedfb 945588 wordpress-theme-twentyseventeen_5.0.4+dfsg1-1_all.deb
 fe8180d36a2d31a43b79b6ea76120b90b77000c6 593208 wordpress-theme-twentysixteen_5.0.4+dfsg1-1_all.deb
 fbf6fdf09a2172b83d45dc909b15ca0f1e61de9f 5998120 wordpress_5.0.4+dfsg1-1_all.deb
 f0a5c6c6999e1b57508d8b4d3d25f9e2f3a92cac 7017 wordpress_5.0.4+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 1258cca305b545ebee78e151a860812ce8bc78dc0d691c4c1d261324c73d4685 2442 wordpress_5.0.4+dfsg1-1.dsc
 0887eb0a3d0c6b2a7402d6c036b093bacc902b286b3555301c3c4a0d2e5acc7e 7841492 wordpress_5.0.4+dfsg1.orig.tar.xz
 5b126a82519b6b82b7bdccab6ff610d8ddbd4c0232995c8a25703e8e25f9f6db 6817812 wordpress_5.0.4+dfsg1-1.debian.tar.xz
 49f1ea07511469f3270caedabdea3416671393d1a00b6b8724bb706fea5a417e 4384352 wordpress-l10n_5.0.4+dfsg1-1_all.deb
 14759fac92a9968d05276886cadf1abd98dba6b0a25f72a24e285f8a144301e4 306000 wordpress-theme-twentynineteen_5.0.4+dfsg1-1_all.deb
 a624b3a16ab795499c65f1c95b817058d46f649c69cc25ee222bb0f8e66f42fe 945588 wordpress-theme-twentyseventeen_5.0.4+dfsg1-1_all.deb
 ce57215d5c99fa470582ed39d6d4d2ecc3d1375800566a0d77a1d8822890ba08 593208 wordpress-theme-twentysixteen_5.0.4+dfsg1-1_all.deb
 5e9a4712f1c66b4522b1c3880d34843338502e1b59b5467d6f4170f2114e6c23 5998120 wordpress_5.0.4+dfsg1-1_all.deb
 e62dbd9b2edb019ae99c51d5df57f00a7fd5337e9daf08071396dc6303953d44 7017 wordpress_5.0.4+dfsg1-1_amd64.buildinfo
Files:
 e6b60be9004d4ad2176bb65b89aa9303 2442 web optional wordpress_5.0.4+dfsg1-1.dsc
 8213279cb75bd9fc7712853aed80458b 7841492 web optional wordpress_5.0.4+dfsg1.orig.tar.xz
 196c3ed0fda8f3fd19bc8cae69b22b0a 6817812 web optional wordpress_5.0.4+dfsg1-1.debian.tar.xz
 1b136d92840ee43b317bd0f29c500c9f 4384352 localization optional wordpress-l10n_5.0.4+dfsg1-1_all.deb
 88010ecd442380bf0d2f973ef0a5b669 306000 web optional wordpress-theme-twentynineteen_5.0.4+dfsg1-1_all.deb
 611e079f1e2ff30f3cece3b42f6a03b3 945588 web optional wordpress-theme-twentyseventeen_5.0.4+dfsg1-1_all.deb
 dae9194f9af4a149080e9cfa2b4da8a1 593208 web optional wordpress-theme-twentysixteen_5.0.4+dfsg1-1_all.deb
 9338f3f045085b0117e5d5945a2d330a 5998120 web optional wordpress_5.0.4+dfsg1-1_all.deb
 4997a532e84d66e667e0f6caa29ad759 7017 web optional wordpress_5.0.4+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAly4QqMACgkQAiFmwP88
hONsQA/8D3YapjigIiv9xp08XWCXX8RKNUa7zruyP1ngfPn8YgoT5aBCTBn/zygj
ZVr847MoQaKRYBS4YFY39tdKPOf7EzfsKhBCuGV0ZHryhqaPiID9a+2U8ytM/nVa
qYyFvJDJEfOkIZegp1W5cKf07cFeFG4mMIalmXsrRq2o5FFsHnLiTA/MzOROhMlB
yXbUC8rD+BWrWtXRv0eRITXmwxgzVJgYGmrLb3gvfmqD/x1YqtaProV7rAb7wwsI
n63yWIUFJYHgDAMftXiaCV0vGBRqn6061yIm5SV2RWhgLR4n5Sfve4+6Pp254Ajd
DEE2GalTgIsLnMf9faoeUlWF47V/VMAE9lgyPHO/FNA69tEiOIBNoPx5P2jZ1y02
hFRQGT6xx+A7cYcD1z20gNp4za1CnFJdW5GCFJMMyJmAxkIJVWOKULBPZXtMJM35
Xe4fadNF8d7XyYOBf1AZIR9kMVyExoGPVcGjToc+S06mTGq7Cmw09/3z/xTlYg2K
VVv6SP+wmFkbKNMOpX6bqFbvdfNxNx1rWFp3NLRFUf5ewonkZ9VIhgxuYVhciX1x
55g587CAlC0w3NcSK5Q01g1wdzvMmrUE7GBQlyyNmEUMT7nBslbel1DwG04w++Ia
2PudiSvUJeHegq1tg06iZu/ZsZb+ahMudhVKoI0vxBFVbPMokbU=
=+g8f
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.