wordpress: 4.7.3 security release

Related Vulnerabilities: CVE-2017-6814   CVE-2017-6815   CVE-2017-6816   CVE-2017-6817   CVE-2017-6819   CVE-2017-6818  

Debian Bug report logs - #857026
wordpress: 4.7.3 security release


Reported by: Craig Small <csmall@debian.org>

Date: Tue, 7 Mar 2017 10:33:02 UTC

Severity: grave

Tags: security, upstream

Found in version wordpress/4.7.2

Fixed in versions wordpress/4.7.3+dfsg-1, wordpress/4.1+dfsg-1+deb8u13

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#857026; Package src:wordpress. (Tue, 07 Mar 2017 10:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 07 Mar 2017 10:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: 4.7.3 security release
Date: Tue, 07 Mar 2017 21:30:05 +1100
Source: wordpress
Version: 4.7.2
Severity: grave
Tags: upstream security
Justification: user security hole

There are six security issues with wordpress 4.7.2 that wordpress 4.7.3
fixes.

* Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
3.6.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7

* Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
2.8.1 - 4.7.2
https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e

* Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by xuliang.
4.7.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663

* Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
4.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8

* Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
4.7 - 4.7.2
no patch supplied

* Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.
4.2 - 4.7.2
https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
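The report above gives an affected version range for each of the six issues, and the two Debian packages on this page ship different upstream versions (4.7.2 in unstable, 4.1 in jessie), so the first triage question for the stable backport is which ranges actually contain 4.1. The block below is an added example, not code from the bug report or from the wordpress package: it parses the ranges as stated in the report (reading the "4,2" typo as 4.2), strips the Debian version suffix, and reports which issues apply to a given package version. Function names and the comparison rules are this example's own assumptions.

```python
"""Version-range triage of the six 4.7.3 issues.

Added example, not code from the bug report or the wordpress package.
The affected ranges are the ones stated in the report above; the shipped
versions tried are the page's own (4.7.2 in unstable, 4.1 in jessie).
Function names and the comparison rules are this example's assumptions.
"""
import re
from typing import Dict, Tuple

# (short name, affected range) exactly as the report states them,
# with the "4,2" typo read as 4.2.
ISSUES = [
    ("XSS via media file metadata", "3.6.0 - 4.7.2"),
    ("control characters in redirect URL validation", "2.8.1 - 4.7.2"),
    ("unintended file deletion via plugin deletion", "4.7.0 - 4.7.2"),
    ("XSS via YouTube embed video URL", "4.0 - 4.7.2"),
    ("XSS via taxonomy term names", "4.7 - 4.7.2"),
    ("CSRF in Press This", "4.2 - 4.7.2"),
]


def upstream_version(debian_version: str) -> str:
    """'4.1+dfsg-1+deb8u13' -> '4.1': keep the leading dotted-number run,
    dropping the +dfsg repack marker and the Debian revision."""
    m = re.match(r"\d+(?:\.\d+)*", debian_version)
    if not m:
        raise ValueError(f"no upstream version in {debian_version!r}")
    return m.group(0)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.7.2' -> (4, 7, 2).  Trailing zeros are dropped so that '4.7'
    and '4.7.0' compare equal (WordPress names the first release of a
    branch '4.7'; the report writes '4.7.0' for the same release)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def affected(shipped: str, version_range: str) -> bool:
    """True when the shipped upstream version lies inside 'lo - hi'
    (both ends inclusive, as the report's ranges read)."""
    lo, hi = (parse_version(s) for s in version_range.split("-"))
    return lo <= parse_version(shipped) <= hi


def triage(debian_version: str) -> Dict[str, bool]:
    """Map each issue to whether the packaged upstream version falls in
    its stated affected range."""
    shipped = upstream_version(debian_version)
    return {name: affected(shipped, rng) for name, rng in ISSUES}


if __name__ == "__main__":
    for pkg in ("4.7.2+dfsg-1", "4.1+dfsg-1+deb8u13"):
        misses = [n for n, hit in triage(pkg).items() if not hit]
        print(pkg, "->", "not affected by: " + ", ".join(misses) if misses else "all six apply")
```

Two things worth checking against the rest of this page. For 4.1 the stated ranges exclude three issues (plugin deletion, taxonomy term XSS, Press This CSRF), while the jessie changelog further down backports the plugin-deletion changeset anyway and lists only the other two as "Not vulnerable"; either the report's 4.7.0 lower bound for that issue is conservative or the maintainer backported defensively, and the changelog does not say which. And range triage tells you which fixes a base version needs, not what a package already carries: a Debian security upload keeps the upstream version (4.1+dfsg-1+deb8u13 here), so a scanner keyed on the upstream number alone will keep flagging it after the fix; the deb8uN revision and its changelog are the record of which changesets are in.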

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Tue, 07 Mar 2017 11:45:03 GMT) (full text, mbox, link).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Tue, 07 Mar 2017 11:45:03 GMT) (full text, mbox, link).


Message #10 received at 857026-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 857026-close@bugs.debian.org
Subject: Bug#857026: fixed in wordpress 4.7.3+dfsg-1
Date: Tue, 07 Mar 2017 11:41:01 +0000
Source: wordpress
Source-Version: 4.7.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Mar 2017 21:59:02 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 857026
Changes:
 wordpress (4.7.3+dfsg-1) unstable; urgency=high
 .
   * New upstream release fixes 6 security issues Closes: #857026
   * Will update CVE IDs when available
     - CVE-2016-XXX
       Cross-site scripting (XSS) via media file metadata.
     - CVE-2016-XXX
       Control characters can trick redirect URL validation.
     - CVE-2016-XXX
       Unintended files can be deleted by administrators using the plugin
       deletion functionality.
     - CVE-2016-XXX
       Cross-site scripting (XSS) via video URL in YouTube embeds.
     - CVE-2016-XXX
       Cross-site scripting (XSS) via taxonomy term names.
     - CVE-2016-XXX
       Cross-site request forgery (CSRF) in Press This leading to excessive
       use of server resources.
Checksums-Sha1:
 2f15dae41f74c6ad7c69b657e836ba2b0fc822b7 2539 wordpress_4.7.3+dfsg-1.dsc
 408204edc81639e31b3a0ae16c6231aafadf3ea7 6215144 wordpress_4.7.3+dfsg.orig.tar.xz
 e60ab47060f30fe6b5ea4d9485d0f14f67bbb3bd 6777004 wordpress_4.7.3+dfsg-1.debian.tar.xz
 6c420b7497c44a8e4bbee75096a1a89afe4153ee 4380930 wordpress-l10n_4.7.3+dfsg-1_all.deb
 f399a00ad9b47ccfa8de544b7c65773e4d6ac075 699742 wordpress-theme-twentyfifteen_4.7.3+dfsg-1_all.deb
 5ca9c2b1473da6626da7c0ba0f2e25db572830bb 939514 wordpress-theme-twentyseventeen_4.7.3+dfsg-1_all.deb
 8ca412c304d67da95145c212aa441d7d13409b1a 588552 wordpress-theme-twentysixteen_4.7.3+dfsg-1_all.deb
 9a096816b99068cb835bb5bd87fbf9151b763416 3975210 wordpress_4.7.3+dfsg-1_all.deb
 fe5c4c1391012fd494c35d6c2775d54d71dbeb35 6533 wordpress_4.7.3+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 4574dbfe039c7a36bc956dee40d67058700c71960cddda3a8649876da9b98877 2539 wordpress_4.7.3+dfsg-1.dsc
 fb7c15caed064c9170041c887c4264f3bcab76a5b045e865e50db38ec8c2048d 6215144 wordpress_4.7.3+dfsg.orig.tar.xz
 5504ba9edae3bf7b8f3cf3cdff81977bea26a2051b9ba0ea132df8a9d31cade1 6777004 wordpress_4.7.3+dfsg-1.debian.tar.xz
 13ecd65e46a5666949b0b805da043c1abe832f2af05ebd59858fc7ddec0d41ae 4380930 wordpress-l10n_4.7.3+dfsg-1_all.deb
 0ce717d348f4f329ef794d499c8bbceebb55a6bffcd8cc51a07f0c3cbbd03335 699742 wordpress-theme-twentyfifteen_4.7.3+dfsg-1_all.deb
 ff8ed176063887cba64762770cbdf567cb0a391fd102a944ed4671e30e96c126 939514 wordpress-theme-twentyseventeen_4.7.3+dfsg-1_all.deb
 dbf3d45438b71e4d4cf38530c80fcd9c626994f44e07d92fb3e597cea042ec12 588552 wordpress-theme-twentysixteen_4.7.3+dfsg-1_all.deb
 aaf2f497cfd8d9742528160a6138763a3a1f6e08cf78c61b7d409c64f5832aa6 3975210 wordpress_4.7.3+dfsg-1_all.deb
 ffd6e64f5e2e62f0926f7d46e0f7b4bd20db4d1a69537269346bee5b882545e7 6533 wordpress_4.7.3+dfsg-1_amd64.buildinfo
Files:
 ebc8ee3be973f0617318a6bb38eabf6c 2539 web optional wordpress_4.7.3+dfsg-1.dsc
 949dae2501e4e9990e720dee50ee4510 6215144 web optional wordpress_4.7.3+dfsg.orig.tar.xz
 80b5a4401e3ccd5ba6e1e8c341681f60 6777004 web optional wordpress_4.7.3+dfsg-1.debian.tar.xz
 eca4a8a7cfafc9201759b94ed81c6e73 4380930 localization optional wordpress-l10n_4.7.3+dfsg-1_all.deb
 e3334077ac3ee46385c3325ccea9bbd2 699742 web optional wordpress-theme-twentyfifteen_4.7.3+dfsg-1_all.deb
 59f2398eb6242e066922058c81c4bb77 939514 web optional wordpress-theme-twentyseventeen_4.7.3+dfsg-1_all.deb
 ee9dd33c1a83ef07d6a15d1c412fd2fd 588552 web optional wordpress-theme-twentysixteen_4.7.3+dfsg-1_all.deb
 2096291aa04aaf0bded9992ef3c6b4db 3975210 web optional wordpress_4.7.3+dfsg-1_all.deb
 cd4e006f647b13a8796bbd6870270070 6533 web optional wordpress_4.7.3+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
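The Checksums-Sha1, Checksums-Sha256 and Files sections of the .changes file above are what a downloader has for checking the uploaded artifacts. The following is an added example, not code from this page or from the Debian tooling (dpkg-dev and the archive software do this for real): it parses those three sections in their column layout and checks every listed file's size and digest, failing closed on a malformed line. The upload it verifies is constructed inside the block (two tiny stand-in files and a .changes excerpt rendered from their real digests); the section names and columns follow the page, everything else is this example's own.

```python
"""Verify the checksum sections of a Debian .changes file.

Added example, not code from the page or from dpkg-dev.  The sample
files and the .changes text are constructed here; section names and
column layout follow the real format shown on the page.
"""
import hashlib
from typing import Dict, List, Tuple

# Section -> (digest algorithm, expected column count).  The Files
# section carries two extra columns (archive section, priority).
SECTIONS = {
    "Checksums-Sha1": ("sha1", 3),
    "Checksums-Sha256": ("sha256", 3),
    "Files": ("md5", 5),
}


def parse_changes(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {section: [(digest, size, filename), ...]} for the three
    checksum sections.  Entries are the indented lines after a section
    header; any other field (or the PGP armour) ends the section."""
    out: Dict[str, List[Tuple[str, int, str]]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            field = line.split(":", 1)[0]
            current = field if field in SECTIONS else None
            if current:
                out[current] = []
            continue
        if current and line.strip():
            cols = line.split()
            if len(cols) != SECTIONS[current][1]:
                raise ValueError(f"malformed {current} entry: {line!r}")
            out[current].append((cols[0], int(cols[1]), cols[-1]))
    return out


def verify_changes(text: str, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Check size and digest of every listed file in every section.
    Returns {filename: [problems]}; an empty list means the file passed
    everywhere, and a file listed but not supplied is a problem too."""
    problems: Dict[str, List[str]] = {}
    for section, entries in parse_changes(text).items():
        algo = SECTIONS[section][0]
        for digest, size, name in entries:
            probs = problems.setdefault(name, [])
            data = files.get(name)
            if data is None:
                probs.append(f"{section}: file missing")
                continue
            if len(data) != size:
                probs.append(f"{section}: size {len(data)} != {size}")
            if hashlib.new(algo, data).hexdigest() != digest:
                probs.append(f"{section}: {algo} mismatch")
    return problems


# Constructed sample upload: two stand-in "files" (not real Debian
# artifacts) and a .changes excerpt rendered from their true digests.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0-1_all.deb": b"!<arch>\nconstructed, not a real deb\n",
}


def render_changes(files: Dict[str, bytes]) -> str:
    """Emit the three checksum sections in the real column layout."""
    lines = ["Format: 1.8", "Source: example", "Version: 1.0-1"]
    for section, (algo, ncols) in SECTIONS.items():
        lines.append(f"{section}:")
        for name, data in files.items():
            digest = hashlib.new(algo, data).hexdigest()
            extra = " web optional" if ncols == 5 else ""
            lines.append(f" {digest} {len(data)}{extra} {name}")
    return "\n".join(lines) + "\n"


SAMPLE_CHANGES = render_changes(SAMPLE_FILES)

if __name__ == "__main__":
    print("intact:  ", verify_changes(SAMPLE_CHANGES, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"example_1.0-1_all.deb": b"!<arch>\nbackdoored\n"})
    print("tampered:", verify_changes(SAMPLE_CHANGES, tampered))
```

The digests only carry weight once the PGP signature wrapping the .changes (the BEGIN PGP SIGNED MESSAGE block above) has been verified against the uploader's key; anyone who can rewrite the file can rewrite its checksums too. The parser is deliberately strict about column counts so that a mangled entry raises instead of being silently skipped, and a file that is listed but absent is reported rather than ignored.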




Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Thu, 09 Mar 2017 00:39:02 GMT) (full text, mbox, link).


Message sent on to Craig Small <csmall@debian.org>:
Bug#857026. (Thu, 09 Mar 2017 00:39:05 GMT) (full text, mbox, link).


Message #15 received at 857026-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 857026-submitter@bugs.debian.org
Subject: Bug#857026 marked as pending
Date: Thu, 09 Mar 2017 00:36:45 +0000
tag 857026 pending
thanks

Hello,

Bug #857026 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=825b437

---
commit 825b4377310c6b64ffc9707def7393cbbebcb8eb
Author: Craig Small <csmall@debian.org>
Date:   Thu Mar 9 11:35:59 2017 +1100

    Backport the 4.7.3 changesets
    
    Security fixes for 6 security issues.

diff --git a/debian/changelog b/debian/changelog
index c06e802..3f85218 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+wordpress (4.1+dfsg-1+deb8u13) UNRELEASED; urgency=medium
+
+  * Backport patches from 4.7.3 Closes: #857026
+    - CVE-2016-XXX
+      Cross-site scripting (XSS) via media file metadata.
+      Changeset 40155
+    - CVE-2016-XXX
+      Control characters can trick redirect URL validation.
+      Changeset 40190
+    - CVE-2016-XXX
+      Unintended files can be deleted by administrators using the plugin
+      deletion functionality.
+      Changeset 40176
+    - CVE-2016-XXX
+      Cross-site scripting (XSS) via video URL in YouTube embeds.
+      Chamgeset 40167
+  * Not vulnerable:
+    - CVE-2016-XXX
+      Cross-site request forgery (CSRF) in Press This leading to excessive
+      use of server resources.
+      Press This introduced in 4.2
+    - CVE-2016-XXX
+      Cross-site scripting (XSS) via taxonomy term names.
+
+ -- Craig Small <csmall@debian.org>  Wed, 08 Mar 2017 14:26:42 +1100
+
 wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high
 
   *  Backport patches from 4.7.1 Closes: #851310
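Review bot: the "Not vulnerable" entry for the taxonomy term name XSS carries no justification, whereas the Press This entry beside it says "Press This introduced in 4.2"; the original report gives that issue's affected range as 4.7 - 4.7.2, so a line such as "Introduced in 4.7" would let the triage be checked against the 4.1 base. The same report gives the plugin deletion issue as 4.7.0 - 4.7.2, yet its changeset 40176 is listed among the backports; a word on why (defensive backport, or the stated range is too narrow) would save the next reader from re-deriving it. Smaller points: "Chamgeset 40167" should read "Changeset 40167", the six "CVE-2016-XXX" placeholders need the assigned IDs before upload (the bug header lists CVE-2017-6814 through CVE-2017-6819), and a jessie-security upload would normally carry urgency=high as the unstable upload did.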



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Wed, 29 Mar 2017 19:33:11 GMT) (full text, mbox, link).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Wed, 29 Mar 2017 19:33:11 GMT) (full text, mbox, link).


Message #20 received at 857026-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 857026-close@bugs.debian.org
Subject: Bug#857026: fixed in wordpress 4.1+dfsg-1+deb8u13
Date: Wed, 29 Mar 2017 19:32:15 +0000
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u13

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Mar 2017 06:19:41 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u13
Distribution: jessie-security
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 857026
Changes:
 wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium
 .
   * Backport patches from 4.7.3 Closes: #857026
     - CVE-2017-6814
       Cross-site scripting (XSS) via media file metadata.
       Changeset 40155
     - CVE-2017-6815
       Control characters can trick redirect URL validation.
       Changeset 40190
     - CVE-2017-6816
       Unintended files can be deleted by administrators using the plugin
       deletion functionality.
       Changeset 40176
     - CVE-2017-6817
       Cross-site scripting (XSS) via video URL in YouTube embeds.
       Changeset 40167
   * Not vulnerable:
     - CVE-2017-6819
       Cross-site request forgery (CSRF) in Press This leading to excessive
       use of server resources.
       Press This introduced in 4.2
     - CVE-2017-6818
       Cross-site scripting (XSS) via taxonomy term names.
Checksums-Sha1:
 9dc6a86e174682f3449cd58be79d84eb3449e13c 2551 wordpress_4.1+dfsg-1+deb8u13.dsc
 c5eb50e0dfa3c2000f77c610c584b8b98d57c0c0 6159176 wordpress_4.1+dfsg-1+deb8u13.debian.tar.xz
 e5fa9d8bdc114d7e49cb0bb515fef4068865d2a5 3173472 wordpress_4.1+dfsg-1+deb8u13_all.deb
 c48ecab5fe72bf8752a08bab77779cd2f093508b 4239634 wordpress-l10n_4.1+dfsg-1+deb8u13_all.deb
 fe4449da60e2f40adaad880081580c44fd464262 502816 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u13_all.deb
 273afa5c639e434a0b0550161c384caed19cf02e 804064 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u13_all.deb
 21d37e2d4c14bccd69b19760fb7e09b2dd12f84d 321664 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u13_all.deb
Checksums-Sha256:
 2b3ac02a5a019fe03e517e1ee27bcbdb96c2bd4eae37cc71b8696798f36fef1b 2551 wordpress_4.1+dfsg-1+deb8u13.dsc
 6b84b39fc797e68864d08bfe6e11f455cc18a5b098d8f93d31f03429c4a368f3 6159176 wordpress_4.1+dfsg-1+deb8u13.debian.tar.xz
 6e79466486a79e1ec9e2e3eabbd33b94332586f69de03ed5b4e09127a80d96db 3173472 wordpress_4.1+dfsg-1+deb8u13_all.deb
 c261fd7e6600ec94c0cddb4c670cbb7a50d2c6d5640211ae1141cd47351ee543 4239634 wordpress-l10n_4.1+dfsg-1+deb8u13_all.deb
 ce299ba16a1a63823640191c63632cef4ff0915d6bf0140401f48f757a33602d 502816 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u13_all.deb
 8f97ecac5f8e7d06b82e6a8b097b43695be4d000b8c5c06012bc99dbc547cfff 804064 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u13_all.deb
 c7b8a9cffbb279f7613b922b64d80bd3adc6b0b621aba2060a2037f330cce3f7 321664 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u13_all.deb
Files:
 5e62aea8c65b5dd7efecf8069cdf6d9c 2551 web optional wordpress_4.1+dfsg-1+deb8u13.dsc
 40e7ac8123a1835746dbdbcbbd604364 6159176 web optional wordpress_4.1+dfsg-1+deb8u13.debian.tar.xz
 b1d97314c1ea13752e2dc6cfc07e928d 3173472 web optional wordpress_4.1+dfsg-1+deb8u13_all.deb
 68df51ca037579fb58cb035345dec217 4239634 localization optional wordpress-l10n_4.1+dfsg-1+deb8u13_all.deb
 2eac51ed1ff368258895e37b504a9e15 502816 web optional wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u13_all.deb
 85a6b8534707e3cdf6e57e333aff3b56 804064 web optional wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u13_all.deb
 654507f743bc36f588eba44bfcafc268 321664 web optional wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u13_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Apr 2017 07:25:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:49:55 2019; Machine Name: beach
