wordpress: CVE-2014-9031 CVE-2014-9032 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 (issues fixed in 4.0.1 security release)

Debian Bug report logs - #770425


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 21 Nov 2014 07:21:01 UTC

Severity: grave

Tags: fixed-upstream, pending, security, upstream

Merged with 770949

Found in versions wordpress/3.6.1+dfsg-1~deb7u4, wordpress/3.6.1+dfsg-1

Fixed in versions wordpress/4.0.1+dfsg-1, wordpress/3.6.1+dfsg-1~deb7u5

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Fri, 21 Nov 2014 07:21:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>. (Fri, 21 Nov 2014 07:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: 4.0.1 security release
Date: Fri, 21 Nov 2014 08:19:03 +0100
Source: wordpress
Version: 3.6.1+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi

Setting this as severity grave as it is mentioned as a critical update.
See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.

There are no CVEs assigned yet for these issues.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#770425; Package src:wordpress. (Sat, 22 Nov 2014 08:24:05 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 22 Nov 2014 08:24:05 GMT)


Message #10 received at 770425@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 770425@bugs.debian.org
Subject: Re: Bug#770425: wordpress: 4.0.1 security release
Date: Sat, 22 Nov 2014 19:13:26 +1100
On Fri, Nov 21, 2014 at 08:19:03AM +0100, Salvatore Bonaccorso wrote:
> Setting this as severity grave as it is mentioned as a critical update.
> See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.
Thanks for the heads-up, I knew it was out there but was waiting for 
some free time. Better to be sure anyhow!

> There are no CVEs assigned yet for these issues.
Oh good, I couldn't find any either and figured I was doing something
wrong.

The 4.0.1 should be pretty easy; it will take some time for backporting,
as that is a lot more fiddly, as you know.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 22 Nov 2014 09:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 22 Nov 2014 09:21:10 GMT)


Message #15 received at 770425-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 770425-close@bugs.debian.org
Subject: Bug#770425: fixed in wordpress 4.0.1+dfsg-1
Date: Sat, 22 Nov 2014 09:20:11 +0000
Source: wordpress
Source-Version: 4.0.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770425@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 22 Nov 2014 19:29:37 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfourteen wordpress-theme-twentythirteen wordpress-theme-twentytwelve
Architecture: source all
Version: 4.0.1+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
 wordpress-theme-twentytwelve - weblog manager - twentytwelve theme files
Closes: 770425
Changes:
 wordpress (4.0.1+dfsg-1) unstable; urgency=high
 .
   * New upstream release
   * Fixes several security bugs Closes: #770425
     - Three cross-site scripting issues that a contributor or
       author could use to compromise a site.
     - A cross-site request forgery that could be used to trick a
       user into changing their password.
     - An issue that could lead to a denial of service when
       passwords are checked.
     - Additional protections for server-side request forgery
       attacks when WordPress makes HTTP requests.
     - An extremely unlikely hash collision could allow a user’s
       account to be compromised, which also required that they
       haven’t logged in since 2008.
     - WordPress now invalidates the links in a password reset email
       if the user remembers their password, logs in, and changes
       their email address.
Checksums-Sha1:
Checksums-Sha256:
Files:





Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Sat, 22 Nov 2014 20:48:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 22 Nov 2014 20:48:04 GMT)


Message #20 received at 770425@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 770425@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#770425: wordpress: 4.0.1 security release
Date: Sat, 22 Nov 2014 21:45:24 +0100
On Sat, 22 Nov 2014 19:13:26 +1100 Craig Small <csmall@debian.org> wrote:
> On Fri, Nov 21, 2014 at 08:19:03AM +0100, Salvatore Bonaccorso wrote:
> > Setting this as severity grave as it is mentioned as a critical update.
> > See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.
> Thanks for the heads-up, I knew it was out there but was waiting for 
> some free time. Better to be sure anyhow!
> 
> > There are no CVEs assigned yet for these issues.
> Oh good, I couldn't find any either and figured I was doing something
> wrong.
> 
> The 4.0.1 should be pretty easy; it will take some time for backporting,
> as that is a lot more fiddly, as you know.
> 
By the way, as 3.6 is now unsupported, would it make sense to update
stable to 3.7 (or later), like we did in DSA 2670-1, DSA 2718-1 and DSA
2757-1?

Regards,
-- 
Yves-Alexis

Marked as found in versions wordpress/3.6.1+dfsg-1~deb7u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 25 Nov 2014 13:45:10 GMT)


Merged 770425 770949 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 25 Nov 2014 13:45:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Tue, 25 Nov 2014 21:27:13 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 25 Nov 2014 21:27:13 GMT)


Message #29 received at 770425@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 770425@bugs.debian.org
Subject: Re: Bug#770425: wordpress: 4.0.1 security release
Date: Tue, 25 Nov 2014 22:22:56 +0100
Control: retitle -1 wordpress: CVE-2014-9031 CVE-2014-9032 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 (issues fixed in 4.0.1 security release)

Hi,

On Fri, Nov 21, 2014 at 08:19:03AM +0100, Salvatore Bonaccorso wrote:
> Source: wordpress
> Version: 3.6.1+dfsg-1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi
> 
> Setting this as severity grave as it is mentioned as a critical update.
> See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.
> 
> There are no CVEs assigned yet for these issues.

Nine CVEs have now been assigned for these issues. See [1] for more details.

[1] http://www.openwall.com/lists/oss-security/2014/11/25/12

Regards,
Salvatore



Changed Bug title to 'wordpress: CVE-2014-9031 CVE-2014-9032 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 (issues fixed in 4.0.1 security release)' from 'wordpress: 4.0.1 security release' Request was from Salvatore Bonaccorso <carnil@debian.org> to 770425-submit@bugs.debian.org. (Tue, 25 Nov 2014 21:27:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Wed, 26 Nov 2014 21:36:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 26 Nov 2014 21:36:04 GMT)


Message #36 received at 770425@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 770425@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#770425: wordpress: 4.0.1 security release
Date: Wed, 26 Nov 2014 22:33:49 +0100
On Sat., 2014-11-22 at 21:45 +0100, Yves-Alexis Perez wrote:
> On Sat, 22 Nov 2014 19:13:26 +1100 Craig Small <csmall@debian.org> wrote:
> > On Fri, Nov 21, 2014 at 08:19:03AM +0100, Salvatore Bonaccorso wrote:
> > > Setting this as severity grave as it is mentioned as a critical update.
> > > See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.
> > Thanks for the heads-up, I knew it was out there but was waiting for 
> > some free time. Better to be sure anyhow!
> > 
> > > There are no CVEs assigned yet for these issues.
> > Oh good, I couldn't find any either and figured I was doing something
> > wrong.
> > 
> > The 4.0.1 should be pretty easy; it will take some time for backporting,
> > as that is a lot more fiddly, as you know.
> > 
> By the way, as 3.6 is now unsupported, would it make sense to update
> stable to 3.7 (or later), like we did in DSA 2670-1, DSA 2718-1 and DSA
> 2757-1?

Also, any idea where the changes for stable are currently living? I
didn't find them in the git tree
(http://anonscm.debian.org/cgit/collab-maint/wordpress.git/log/?h=wheezy)

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Thu, 27 Nov 2014 00:15:08 GMT)


Acknowledgement sent to Nick Phillips <nick.phillips@otago.ac.nz>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 27 Nov 2014 00:15:08 GMT)


Message #41 received at 770425@bugs.debian.org:

From: Nick Phillips <nick.phillips@otago.ac.nz>
To: "770425@bugs.debian.org" <770425@bugs.debian.org>
Cc: "corsac@debian.org" <corsac@debian.org>
Subject: Possibility of update to 4.x
Date: Wed, 26 Nov 2014 23:45:29 +0000
FYI...

* 4.0.1+dfsg-1 appears to build fine with a wheezy-only pbuilder.
* Review at
http://premium.wpmudev.org/blog/wordpress-4-0-hugely-underwhelming/
claims that "The fact is, users who upgrade to 4.0 when it’s released on
August 27 won’t even realize there are any changes."

It's worked smoothly on 2 out of 3 of my machines. The other relied on
customisations in /etc/wordpress/wp-config.php (which warns you not to
make changes, despite being a config file).


Issues:
* New package splits out the themes into separate packages.
* New package no longer links /usr/share/wordpress/wp-config.php
to /etc/wordpress/wp-config.php - customisations there will be ignored
until admin intervenes.

Both of these issues could fairly easily be reverted to old behaviour, I
think.


Cheers,


Nick
-- 
Nick Phillips / nwp@debian.org / 03 479 4195
# These statements are mine, not those of the University of Otago

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Thu, 27 Nov 2014 07:09:09 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 27 Nov 2014 07:09:09 GMT)


Message #46 received at 770425@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Nick Phillips <nick.phillips@otago.ac.nz>
Cc: "770425@bugs.debian.org" <770425@bugs.debian.org>
Subject: Re: Possibility of update to 4.x
Date: Thu, 27 Nov 2014 08:05:04 +0100
On Wed., 2014-11-26 at 23:45 +0000, Nick Phillips wrote:
> FYI...
> 
> * 4.0.1+dfsg-1 appears to build fine with a wheezy-only pbuilder.
> * Review at
> http://premium.wpmudev.org/blog/wordpress-4-0-hugely-underwhelming/
> claims that "The fact is, users who upgrade to 4.0 when it’s released on
> August 27 won’t even realize there are any changes."
> 
> It's worked smoothly on 2 out of 3 of my machines. The other relied on
> customisations in /etc/wordpress/wp-config.php (which warns you not to
> make changes, despite being a config file).
> 
> 
> Issues:
> * New package splits out the themes into separate packages.
> * New package no longer links /usr/share/wordpress/wp-config.php
> to /etc/wordpress/wp-config.php - customisations there will be ignored
> until admin intervenes.
> 
> Both of these issues could fairly easily be reverted to old behaviour, I
> think.
> 
Thanks for the investigation. From the various updates I did in the
past, I remember having to deal with the removal of embedded stuff,
which was different in stable, but maybe that's not the case anymore.

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#770425; Package src:wordpress. (Thu, 27 Nov 2014 11:57:32 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Thu, 27 Nov 2014 11:57:32 GMT)


Message #51 received at 770425@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: "770425@bugs.debian.org" <770425@bugs.debian.org>
Subject: Re: Bug#770425: Possibility of update to 4.x
Date: Thu, 27 Nov 2014 22:36:43 +1100
On Wed, Nov 26, 2014 at 11:45:29PM +0000, Nick Phillips wrote:
> Issues:
> * New package splits out the themes into separate packages.
> * New package no longer links /usr/share/wordpress/wp-config.php
> to /etc/wordpress/wp-config.php - customisations there will be ignored
> until admin intervenes.
> 
> Both of these issues could fairly easily be reverted to old behaviour, I
> think.
It's tricky because on the one hand I can back-port the patches
(hopefully) to the version in stable. Alternatively I can push 4.0.1
down to stable and try to fix up the difference such as dependencies.

Stable security fixes should have the minimal set of changes, but at
what point does it become better to abandon that ideal?
 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Thu, 27 Nov 2014 20:09:05 GMT)


Acknowledgement sent to Nick Phillips <nick.phillips@otago.ac.nz>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 27 Nov 2014 20:09:05 GMT)


Message #56 received at 770425@bugs.debian.org:

From: Nick Phillips <nick.phillips@otago.ac.nz>
To: "770425@bugs.debian.org" <770425@bugs.debian.org>
Subject: Dependencies
Date: Thu, 27 Nov 2014 20:05:36 +0000
Seems that the only new dep in 4.0.1 (besides the themes, which should
probably be re-merged if taking this route) is on ca-certificates.

In a pbuilder vanilla wheezy chroot, I just installed the current stable
wordpress, then replaced it with the built version and 3 themes using dpkg.
The only extra package needed was ca-certificates, which, obviously, is in
stable.

Craig - if you're going to do the work on backporting the fixes, you
might also consider the likelihood of there being further such fixes
required during the stable security support window.

In this case already, the delay in getting a fixed version into the
archive is probably long enough for these issues to be exploited.
Is there any reason to think we'd be able to be quicker next time?


Cheers,


Nick
-- 
Nick Phillips / nwp@debian.org / 03 479 4195
# These statements are mine, not those of the University of Otago

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#770425; Package src:wordpress. (Sat, 29 Nov 2014 03:57:05 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 29 Nov 2014 03:57:05 GMT)


Message #61 received at 770425@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Nick Phillips <nick.phillips@otago.ac.nz>, 770425@bugs.debian.org
Cc: "corsac@debian.org" <corsac@debian.org>
Subject: Re: Bug#770425: Possibility of update to 4.x
Date: Sat, 29 Nov 2014 14:53:03 +1100
Hi Nick,
  The security update will only be 3.6.1 with the 4.7.4->4.7.5 patches.
It's a difficult balancing act really, but the whole purpose of the
security updates is just to update for security.

It's not ideal for certain situations. The proposed update went to the
security team a few minutes ago and should mean an update for wordpress
in wheezy will be out today.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Sun, 30 Nov 2014 22:51:05 GMT)


Acknowledgement sent to Nick Phillips <nick.phillips@otago.ac.nz>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sun, 30 Nov 2014 22:51:05 GMT)


Message #66 received at 770425@bugs.debian.org:

From: Nick Phillips <nick.phillips@otago.ac.nz>
To: "770425@bugs.debian.org" <770425@bugs.debian.org>
Subject: Re: Bug#770425: Possibility of update to 4.x
Date: Sun, 30 Nov 2014 22:48:21 +0000
On Sat, 2014-11-29 at 14:53 +1100, Craig Small wrote: 
> Hi Nick,
>   The security update will only be 3.6.1 with the 4.7.4->4.7.5 patches.
> It's a difficult balancing act really, but the whole purpose of the
> security updates is just to update for security.
> 
> It's not ideal for certain situations. The proposed update went to the
> security team a few minutes ago and should mean an update for wordpress
> in wheezy will be out today.


Thanks for that. Doesn't actually concern me which solution was picked,
as long as one was chosen and implemented reasonably quickly (I'll stick
with the 4.x packages I now have anyway).


Cheers,


Nick
-- 
Nick Phillips / nick.phillips@otago.ac.nz / 03 479 4195
# These statements are mine, not those of the University of Otago

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Tue, 02 Dec 2014 14:21:04 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 02 Dec 2014 14:21:04 GMT)


Message #71 received at 770425@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 770425@bugs.debian.org
Subject: Fixes for debian stable ?
Date: Tue, 2 Dec 2014 14:17:37 +0000
Hi,

The upstream release was on Nov 20, it's been almost 2 weeks and the bug seems
kind of serious. Any chance to do a quick fix and then continue to discuss
changing wordpress version in stable? Or any ETA on when the fixes will come to
stable?

I've manually applied the workaround suggested here[1], although it doesn't seem
ideal. But it seems to fix the attacks reported here[2] and here[3] at least.

Thanks a lot,
Rodrigo

[1]: http://klikki.fi/adv/wordpress.html
[2]: http://klikki.fi/unquote/
[3]: http://klikki.fi/adv/wordpress_update.html



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#770425; Package src:wordpress. (Wed, 03 Dec 2014 07:03:07 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Wed, 03 Dec 2014 07:03:08 GMT)


Message #76 received at 770425@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Rodrigo Campos <rodrigo@sdfg.com.ar>, 770425@bugs.debian.org
Subject: Re: Bug#770425: Fixes for debian stable ?
Date: Wed, 3 Dec 2014 17:58:11 +1100
On Tue, Dec 02, 2014 at 02:17:37PM +0000, Rodrigo Campos wrote:
> The upstream release was on Nov 20, it's been almost 2 weeks and the bug seems
> kind of serious. Any chance to do a quick fix and then continue to discuss
> changing wordpress version in stable? Or any ETA on when the fixes will come to
> stable?
The stable fix is being uploaded to the security master now.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#770425; Package src:wordpress. (Wed, 03 Dec 2014 21:12:04 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 03 Dec 2014 21:12:04 GMT)


Message #81 received at 770425@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: Craig Small <csmall@debian.org>, 770425@bugs.debian.org
Subject: Re: Bug#770425: Fixes for debian stable ?
Date: Wed, 3 Dec 2014 21:09:16 +0000
On Wed, Dec 03, 2014 at 05:58:11PM +1100, Craig Small wrote:
> On Tue, Dec 02, 2014 at 02:17:37PM +0000, Rodrigo Campos wrote:
> > The upstream release was on Nov 20, it's been almost 2 weeks and the bug seems
> > kind of serious. Any chance to do a quick fix and then continue to discuss
> > changing wordpress version in stable? Or any ETA on when the fixes will come to
> > stable?
> The stable fix is being uploaded to the security master now.

Great, thanks a lot!



Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 07:45:21 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#770425. (Sat, 06 Dec 2014 07:45:31 GMT)


Message #86 received at 770425-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 770425-submitter@bugs.debian.org
Subject: Bug#770425 marked as pending
Date: Sat, 06 Dec 2014 07:42:44 +0000
tag 770425 pending
thanks

Hello,

Bug #770425 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=77ac53d

---
commit 77ac53dbe5eba0eca7ad992fdbf1f4b1f855203a
Author: Craig Small <csmall@debian.org>
Date:   Sat Nov 22 19:24:40 2014 +1100

    Updated changelog for 4.0.1 fixes

diff --git a/debian/changelog b/debian/changelog
index 18ba38e..efabe22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+wordpress (4.0.1+dfsg-1) UNRELEASED; urgency=medium
+
+  * New upstream release
+  * Fixes several security bugs Closes: #770425
+    - Three cross-site scripting issues that a contributor or
+      author could use to compromise a site.
+    - A cross-site request forgery that could be used to trick a
+      user into changing their password.
+    - An issue that could lead to a denial of service when
+      passwords are checked.
+    - Additional protections for server-side request forgery
+      attacks when WordPress makes HTTP requests.
+    - An extremely unlikely hash collision could allow a user’s
+      account to be compromised, that also required that they
+      haven’t logged in since 2008.
+    - WordPress now invalidates the links in a password reset email
+      if the user remembers their password, logs in, and changes
+      their email address.
+ -- Craig Small <csmall@debian.org>  Sat, 22 Nov 2014 19:17:33 +1100
+
 wordpress (4.0+dfsg-1) unstable; urgency=medium
 
   * New upstream release
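Review bot: the new entry at the top of the hunk is marked `UNRELEASED; urgency=medium`, but it closes a grave security bug; when finalizing, set `urgency=high` (the .changes for the actual 4.0.1+dfsg-1 upload shown earlier in this log went out as `unstable; urgency=high`, so the released entry differs from what this commit records). Once CVE ids are assigned, they should also be listed in the entry so the security tracker can match the fix to the ids, as the wheezy backport entry later in this log does.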



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Mon, 08 Dec 2014 15:36:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 08 Dec 2014 15:36:10 GMT)


Message #91 received at 770425-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 770425-close@bugs.debian.org
Subject: Bug#770425: fixed in wordpress 3.6.1+dfsg-1~deb7u5
Date: Mon, 08 Dec 2014 15:33:51 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb7u5

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770425@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 03 Dec 2014 17:49:41 +1100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 770425
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backport patches for 3.7.4->3.7.5 Closes: #770425
   * The patches fix the following security bugs:
     - CVE-2014-9031 XSS in wptexturize() via comments or posts
     - CVE-2014-9033 CSRF in the password reset process
     - CVE-2014-9034 Denial of service for giant passwords
     - CVE-2014-9035 XSS in Press This
     - CVE-2014-9036 XSS in HTML filtering of CSS in posts
     - CVE-2014-9037 Hash comparison vulnerability in old passwords
     - CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block
       the loopback IP address space
     - CVE-2014-9039 Email address change didn't invalidate previously sent
       password reset
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Mon, 08 Dec 2014 15:36:11 GMT)


Notification sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Bug acknowledged by developer. (Mon, 08 Dec 2014 15:36:11 GMT)


Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sat, 31 Jan 2015 22:09:15 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#770425. (Sat, 31 Jan 2015 22:09:20 GMT)


Message #100 received at 770425-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 770425-submitter@bugs.debian.org
Subject: Bug#770425 marked as pending
Date: Sat, 31 Jan 2015 22:07:34 +0000
tag 770425 pending
thanks

Hello,

Bug #770425 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=c02018b

---
commit c02018b182919a91941d7d898a85c2a8a70eb865
Author: Craig Small <csmall@debian.org>
Date:   Wed Dec 3 17:49:41 2014 +1100

    Imported Debian patch 3.6.1+dfsg-1~deb7u5

diff --git a/debian/changelog b/debian/changelog
index 0f573f8..a0781c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+wordpress (3.6.1+dfsg-1~deb7u5) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Backport patches for 3.7.4->3.7.5 Closes: #770425
+  * The patches fix the following security bugs:
+    - CVE-2014-9031 XSS in wptexturize() via comments or posts
+    - CVE-2014-9033 CSRF in the password reset process
+    - CVE-2014-9034 Denial of service for giant passwords
+    - CVE-2014-9035 XSS in Press This
+    - CVE-2014-9036 XSS in HTML filtering of CSS in posts
+    - CVE-2014-9037 Hash comparison vulnerability in old passwords
+    - CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block
+      the loopback IP address space
+    - CVE-2014-9039 Email address change didn't invalidate previously sent
+      password reset
+
+ -- Craig Small <csmall@debian.org>  Wed, 03 Dec 2014 17:49:41 +1100
+
 wordpress (3.6.1+dfsg-1~deb7u4) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
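Review bot: the CVE list in the new changelog stanza jumps from CVE-2014-9031 to CVE-2014-9033, so a reader matching this stanza against the advisory cannot tell whether CVE-2014-9032 was fixed, judged not to affect 3.6.1, or simply forgotten; one extra line stating which it is (for example `- CVE-2014-9032 not applicable to this version`) would close that gap. The line `* Backport patches for 3.7.4->3.7.5 Closes: #770425` also names only the upstream range; listing the debian/patches file names added for each CVE would make the backport auditable from the changelog alone.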



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Mar 2015 07:26:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:31:59 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.