wordpress: CVE-2018-10100 CVE-2018-10101 CVE-2018-10102

Debian Bug report logs - #895034

Reported by: Craig Small <csmall@debian.org>

Date: Fri, 6 Apr 2018 12:30:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions wordpress/4.9.4+dfsg1-1, wordpress/4.1+dfsg-1

Fixed in versions wordpress/4.9.5+dfsg1-1, wordpress/4.7.5+dfsg-2+deb9u3, wordpress/4.1+dfsg-1+deb8u17

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#895034; Package src:wordpress. (Fri, 06 Apr 2018 12:30:06 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Fri, 06 Apr 2018 12:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: versions 4.9.4 and earlier are affected by three security issues
Date: Thu, 05 Apr 2018 21:12:45 +1000

Source: wordpress
Version: 4.9.4-1
Severity: grave
Tags: security upstream
Justification: user security hole

WordPress 4.9.5 fixes 3 security issues:
1) Don't treat localhost as same host by default.
2) Use safe redirects when redirecting the login page if SSL is forced.
3) Make sure the version string is correctly escaped for use in generator tags.

The patches are:
1) 42894 - https://core.trac.wordpress.org/changeset/42894
2) 42892 - https://core.trac.wordpress.org/changeset/42892
3) 42893 - https://core.trac.wordpress.org/changeset/42893

Sid, Buster, Stretch and Jessie all have these issues.

 - Craig

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#895034; Package src:wordpress. (Fri, 06 Apr 2018 19:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Fri, 06 Apr 2018 19:21:03 GMT)


Message #10 received at 895034@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 895034@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#895034: wordpress: versions 4.9.4 and earlier are affected by three security issues
Date: Fri, 6 Apr 2018 21:19:32 +0200

Hi Craig,

On Thu, Apr 05, 2018 at 09:12:45PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 4.9.4-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> WordPress 4.9.5 fixes 3 security issues:
> 1) Don't treat localhost as same host by default.
> 2) Use safe redirects when redirecting the login page if SSL is forced.
> 3) Make sure the version string is correctly escaped for use in generator tags.
> 
> The patches are:
> 1) 42894 - https://core.trac.wordpress.org/changeset/42894
> 2) 42892 - https://core.trac.wordpress.org/changeset/42892
> 3) 42893 - https://core.trac.wordpress.org/changeset/42893

Have you requested CVEs for those three new issues?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895034; Package src:wordpress. (Fri, 06 Apr 2018 22:45:03 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 06 Apr 2018 22:45:03 GMT)


Message #15 received at 895034@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 895034@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#895034: wordpress: versions 4.9.4 and earlier are affected by three security issues
Date: Fri, 06 Apr 2018 22:42:31 +0000

On Sat, 7 Apr 2018 at 05:19 Salvatore Bonaccorso <carnil@debian.org> wrote:

> Have you requested CVEs for those three new issues?
>
Yes I have, through SWF with their JSON templates.
I'll see how that goes.

 - Craig

-- 
Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 07 Apr 2018 22:57:03 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Sat, 07 Apr 2018 22:57:03 GMT)


Message #20 received at 895034-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 895034-close@bugs.debian.org
Subject: Bug#895034: fixed in wordpress 4.9.5+dfsg1-1
Date: Sat, 07 Apr 2018 22:53:41 +0000

Source: wordpress
Source-Version: 4.9.5+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 08 Apr 2018 08:11:40 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.9.5+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 895034
Changes:
 wordpress (4.9.5+dfsg1-1) unstable; urgency=medium
 .
   * New upstream source, fixes 3 Security issues Closes: #895034
     - CVE-2018-TBA
       Don't treat localhost as same host by default.
     - CVE-2018-TBA
       Use safe redirects when redirecting login page if SSL is forced
     - CVE-2018-TBA
       Make sure version string is correctly escaped for use in
       generator tags
   * Update to standards version 4.1.4
   * Remove get-orig-source in rules and use uscan




Changed Bug title to 'wordpress: CVE-2018-10100 CVE-2018-10101 CVE-2018-10102' from 'wordpress: versions 4.9.4 and earlier are affected by three security issues'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2018 19:12:03 GMT)


No longer marked as found in versions wordpress/4.9.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2018 19:12:03 GMT)


Marked as found in versions wordpress/4.9.4+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2018 19:12:04 GMT)


Marked as found in versions wordpress/4.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2018 19:12:06 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2018 19:21:05 GMT)


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Mon, 07 May 2018 11:39:09 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Mon, 07 May 2018 11:39:09 GMT)


Message #35 received at 895034-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 895034-close@bugs.debian.org
Subject: Bug#895034: fixed in wordpress 4.7.5+dfsg-2+deb9u3
Date: Mon, 07 May 2018 11:35:16 +0000

Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Apr 2018 21:05:38 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 895034
Changes:
 wordpress (4.7.5+dfsg-2+deb9u3) stretch-security; urgency=high
 .
   * Backport security patches from 4.9.5 Closes: #895034
     - CVE-2018-10101
        Don't treat localhost as same host by default.
     - CVE-2018-10100
        Use safe redirects when redirecting login page if SSL is forced
     - CVE-2018-10102
        Make sure version string is correctly escaped for use in
        generator tags




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Mon, 07 May 2018 11:39:11 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Mon, 07 May 2018 11:39:11 GMT)


Message #40 received at 895034-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 895034-close@bugs.debian.org
Subject: Bug#895034: fixed in wordpress 4.1+dfsg-1+deb8u17
Date: Mon, 07 May 2018 11:36:01 +0000

Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u17

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Apr 2018 22:49:06 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u17
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 895034
Changes:
 wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-10100: the redirection URL for the login page was not
     validated or sanitized if forced to use HTTPS.
   * Fix CVE-2018-10102: the version string was not escaped in the
     get_the_generator function, and could lead to XSS in a generator tag.
     (Closes: #895034)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Aug 2018 07:30:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:58 2019; Machine Name: beach
