wordpress: CVE-2021-29450: Authenticated disclosure of password-protected posts and pages

Related Vulnerabilities: CVE-2021-29450   CVE-2021-29447  

Debian Bug report logs - #987065
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Apr 2021 20:51:01 UTC

Severity: grave

Tags: security, upstream

Found in versions wordpress/5.0.11+dfsg1-0+deb10u1, wordpress/5.7+dfsg1-1

Fixed in version wordpress/5.7.1+dfsg1-1

Done: Craig Small <csmall@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>:
Bug#987065; Package src:wordpress. (Fri, 16 Apr 2021 20:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>. (Fri, 16 Apr 2021 20:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2021-29450: Authenticated disclosure of password-protected posts and pages
Date: Fri, 16 Apr 2021 22:49:01 +0200
Source: wordpress
Version: 5.7+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.0.11+dfsg1-0+deb10u1

Hi,

The following vulnerability was published for wordpress.

CVE-2021-29450[0]:
| Wordpress is an open source CMS. One of the blocks in the WordPress
| editor can be exploited in a way that exposes password-protected posts
| and pages. This requires at least contributor privileges. This has
| been patched in WordPress 5.7.1, along with the older affected
| versions via minor releases. It's strongly recommended that you keep
| auto-updates enabled to receive the fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29450
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
[1] https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq

Regards,
Salvatore



Marked as found in versions wordpress/5.0.11+dfsg1-0+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 16 Apr 2021 20:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#987065; Package src:wordpress. (Fri, 16 Apr 2021 22:36:02 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 16 Apr 2021 22:36:02 GMT)


Message #12 received at 987065@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 987065@bugs.debian.org
Subject: Re: Bug#987065: wordpress: CVE-2021-29450: Authenticated disclosure of password-protected posts and pages
Date: Sat, 17 Apr 2021 08:32:35 +1000
Should CVE-2021-29447 [1] be also listed against this bug? I'll be putting
it in the changelog.

How good is it when WordPress raise their own CVEs! One glorious day they
will put them in their announcements too.

1:
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#987065. (Fri, 16 Apr 2021 23:03:03 GMT)


Message #15 received at 987065-submitter@bugs.debian.org:

From: Craig Small <noreply@salsa.debian.org>
To: 987065-submitter@bugs.debian.org
Subject: Bug#987065 marked as pending in SOURCENAME
Date: Fri, 16 Apr 2021 22:59:14 +0000
Control: tag -1 pending

Hello,

Bug #987065 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/482426d90c4065cbb6c2f9cac342bf9d10a8f6d5

------------------------------------------------------------------------
Security release, fixes 2 bugs Closes: #987065

- CVE-2021-29450 - Authenticated disclosure of password-protected
  posts and pages.
- CVE-2021-29447 - Authenticated XXE attack when installation is
  running PHP 8

At the moment the default PHP version is 7.4 so the second bug
won't trigger, but one day Debian will be using PHP 8 so let's
fix it now.

References:
 https://security-tracker.debian.org/tracker/CVE-2021-29450
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/987065



Added tag(s) pending. Request was from Craig Small <noreply@salsa.debian.org> to 987065-submitter@bugs.debian.org. (Fri, 16 Apr 2021 23:03:03 GMT)


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 16 Apr 2021 23:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 16 Apr 2021 23:21:03 GMT)


Message #22 received at 987065-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 987065-close@bugs.debian.org
Subject: Bug#987065: fixed in wordpress 5.7.1+dfsg1-1
Date: Fri, 16 Apr 2021 23:18:43 +0000
Source: wordpress
Source-Version: 5.7.1+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987065@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Apr 2021 08:46:05 +1000
Source: wordpress
Architecture: source
Version: 5.7.1+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 987065
Changes:
 wordpress (5.7.1+dfsg1-1) unstable; urgency=high
 .
   * Security release, fixes 2 bugs Closes: #987065
     - CVE-2021-29450 - Authenticated disclosure of password-protected
       posts and pages.
     - CVE-2021-29447 - Authenticated XXE attack when installation is
       running PHP 8




Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#987065; Package src:wordpress. (Sat, 17 Apr 2021 06:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 17 Apr 2021 06:39:02 GMT)


Message #27 received at 987065@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 987065@bugs.debian.org
Subject: Re: Bug#987065: wordpress: CVE-2021-29450: Authenticated disclosure of password-protected posts and pages
Date: Sat, 17 Apr 2021 08:37:51 +0200
Hi Craig,

On Sat, Apr 17, 2021 at 08:32:35AM +1000, Craig Small wrote:
> Should CVE-2021-29447 [1] be also listed against this bug? I'll be putting
> it in the changelog.

I chose to explicitly cover only CVE-2021-29450 with this bug
because CVE-2021-29447, while fixed as well with 5.7.1, is only a
problem with PHP8, which is not the default version for bullseye/sid.

But clearly if you fix the issues by updating to 5.7.1 then by all
means yes list as well CVE-2021-29447 in the changelog entry.

Thanks for your work!

Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 17 08:06:57 2021; Machine Name: buxtehude
