wordpress: CVE-2015-5714 CVE-2015-5715

Related Vulnerabilities: CVE-2015-5714   CVE-2015-5715   CVE-2015-5622   CVE-2015-7989  

Debian Bug report logs - #799140
wordpress: CVE-2015-5714 CVE-2015-5715


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 16 Sep 2015 08:57:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions wordpress/3.6.1+dfsg-1, wordpress/4.3+dfsg-1

Fixed in versions wordpress/4.1+dfsg-1+deb8u5, wordpress/3.6.1+dfsg-1~deb6u8, wordpress/4.3.1+dfsg-1, wordpress/3.6.1+dfsg-1~deb7u8

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#799140; Package src:wordpress. (Wed, 16 Sep 2015 08:57:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>. (Wed, 16 Sep 2015 08:57:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2015-5714 CVE-2015-5715
Date: Wed, 16 Sep 2015 10:54:27 +0200
Source: wordpress
Version: 4.3+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi

See https://wordpress.org/news/2015/09/wordpress-4-3-1/ for details. I
have not checked older versions in jessie and wheezy. Are they
affected? If so can you update the BTS version information as needed?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#799140; Package src:wordpress. (Wed, 16 Sep 2015 16:51:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 16 Sep 2015 16:51:06 GMT).


Message #10 received at 799140@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 799140@bugs.debian.org
Subject: Re: Bug#799140: wordpress: CVE-2015-5714 CVE-2015-5715
Date: Wed, 16 Sep 2015 18:47:04 +0200

Hi,

On Wed, Sep 16, 2015 at 10:54:27AM +0200, Salvatore Bonaccorso wrote:
> See https://wordpress.org/news/2015/09/wordpress-4-3-1/ for details. I
> have not checked older versions in jessie and wheezy. Are they
> affected? If so can you update the BTS version information as needed?

Btw, there is as well one issue which does not have a CVE (Cross-site
scripting vulnerability in the user list table). All commits are
referenced as well in
https://bugzilla.redhat.com/show_bug.cgi?id=1263657 .

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#799140; Package src:wordpress. (Thu, 17 Sep 2015 15:33:06 GMT).


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 17 Sep 2015 15:33:06 GMT).


Message #15 received at 799140@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: Salvatore Bonaccorso <carnil@debian.org>, 799140@bugs.debian.org
Subject: Re: Bug#799140: wordpress: CVE-2015-5714 CVE-2015-5715
Date: Thu, 17 Sep 2015 16:31:47 +0100

On Wed, Sep 16, 2015 at 06:47:04PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Sep 16, 2015 at 10:54:27AM +0200, Salvatore Bonaccorso wrote:
> > See https://wordpress.org/news/2015/09/wordpress-4-3-1/ for details. I
> > have not checked older versions in jessie and wheezy. Are they

Not sure about wheezy, but jessie is affected for sure.

There is a new 4.1 release (4.1.8) fixing this. The commits can be seen here:

https://github.com/WordPress/WordPress/commits/4.1-branch


And, of course, jessie-backports. But that can't be updated till the package is
in sid.




Thanks a lot,
Rodrigo



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 18 Sep 2015 11:27:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 18 Sep 2015 11:27:10 GMT).


Message #20 received at 799140-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 799140-close@bugs.debian.org
Subject: Bug#799140: fixed in wordpress 4.3.1+dfsg-1
Date: Fri, 18 Sep 2015 11:22:25 +0000
Source: wordpress
Source-Version: 4.3.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 799140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 18 Sep 2015 20:54:53 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.3.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 799140
Changes:
 wordpress (4.3.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
   * Fixes CVE-2015-5714 CVE-2015-5715 Closes: #799140




Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Fri, 18 Sep 2015 21:21:08 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#799140. (Fri, 18 Sep 2015 21:21:11 GMT).


Message #25 received at 799140-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 799140-submitter@bugs.debian.org
Subject: Bug#799140 marked as pending
Date: Fri, 18 Sep 2015 21:19:34 +0000

tag 799140 pending
thanks

Hello,

Bug #799140 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=9267d45

---
commit 9267d45f8d19f9a4fd278cf9495e29baf006be6e
Author: Craig Small <csmall@debian.org>
Date:   Sat Sep 19 07:19:02 2015 +1000

    Backport changeset 34137
    
    Fixes XSS in user table, from wordpress 4.3.1

diff --git a/debian/changelog b/debian/changelog
index 11d1585..2ecdb4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (4.1+dfsg-1+deb8u5) UNRELEASED; urgency=medium
+
+  * Backport of 4.3.1 security fixes Closes: #799140
+  * Changeset 34137 XSS in user list table
+
+ -- Craig Small <csmall@debian.org>  Sat, 19 Sep 2015 06:57:27 +1000
+
 wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high
 
   * Rework changeset 33359 reliable shortcodes CVE-2015-5622 Closes: #794548
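
Review bot: the added 4.1+dfsg-1+deb8u5 entry closes #799140 while listing only changeset 34137 (XSS in user list table); the bug is filed for CVE-2015-5714 and CVE-2015-5715, and neither appears in the added lines. Either add the changelog lines for those two backports before upload or hold the Closes: until they are in, so the bug is not marked fixed on a partial backport. The new entry is also urgency=medium where the jessie-security entry directly below it is urgency=high; confirm that is intended for a security upload.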



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#799140; Package src:wordpress. (Tue, 29 Sep 2015 14:27:03 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 29 Sep 2015 14:27:03 GMT).


Message #30 received at 799140@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Craig Small <csmall@debian.org>
Cc: debian-lts@lists.debian.org, 799140@bugs.debian.org
Subject: squeeze update of wordpress?
Date: Tue, 29 Sep 2015 16:22:29 +0200

Hello Craig,

I just checked and the security issues reported in #799140 also apply to
the version in jessie, wheezy and squeeze.

Do you plan to prepare updates for those suites?

As usual, the same fixes can be used in wheezy and squeeze since
both suites have version 3.6.1 of the package.

I have marked wordpress as needing an update in squeeze and
if you can't handle it yourself, someone from the LTS team might
pick it up.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#799140; Package src:wordpress. (Wed, 30 Sep 2015 09:33:03 GMT).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 30 Sep 2015 09:33:03 GMT).


Message #35 received at 799140@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Craig Small <csmall@debian.org>, debian-lts@lists.debian.org, 799140@bugs.debian.org
Subject: Re: squeeze update of wordpress?
Date: Wed, 30 Sep 2015 09:29:23 +0000

Hi Craig,

On Tue 29 Sep 2015 16:22:29 CEST, Raphael Hertzog wrote:

> Hello Craig,
>
> I just checked and the security issues reported in #799140 also apply to
> the version in jessie, wheezy and squeeze.
>
> Do you plan to prepare updates for those suites?
>
> As usual, the same fixes can be used in wheezy and squeeze since
> both suites have version 3.6.1 of the package.
>
> I have marked wordpress as needing an update in squeeze and
> if you can't handle it yourself, someone from the LTS team might
> pick it up.
>
> Thank you very much.
>
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

I (with my Debian LTS Team member hat on) am about to start working on  
fixing wordpress in squeeze-lts now.

Regards,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Wed, 30 Sep 2015 10:39:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Sep 2015 10:39:09 GMT).


Message #40 received at 799140-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 799140-close@bugs.debian.org
Subject: Bug#799140: fixed in wordpress 3.6.1+dfsg-1~deb6u8
Date: Wed, 30 Sep 2015 10:34:40 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u8

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 799140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 Sep 2015 12:12:11 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u8
Distribution: squeeze-lts
Urgency: medium
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 799140
Changes:
 wordpress (3.6.1+dfsg-1~deb6u8) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches (Closes: #799140):
     + Add cs34112_no-unclosed-html-elements-in-attributes. Shortcodes: don't
       allow unclosed HTML elements in attributes (CVE-2015-5714).
     + Add cs34137_list-tables-escape-user-emails. Escape emails in user list
       tables.
     + Add cs34151_XMLRPC-dont-allow-private-posts-to-be-sticky. XMLRPC: Don't
       allow private posts to be sticky (CVE-2015-5715).




Marked as found in versions wordpress/3.6.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Oct 2015 14:21:08 GMT).


Marked as fixed in versions wordpress/4.1+dfsg-1+deb8u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Oct 2015 17:57:10 GMT).


Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Fri, 23 Oct 2015 21:09:03 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#799140. (Fri, 23 Oct 2015 21:09:06 GMT).


Message #49 received at 799140-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 799140-submitter@bugs.debian.org
Subject: Bug#799140 marked as pending
Date: Fri, 23 Oct 2015 21:04:54 +0000

tag 799140 pending
thanks

Hello,

Bug #799140 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=e9c41d0

---
commit e9c41d0bc09e75136574a680de176646e894a247
Author: Craig Small <csmall@debian.org>
Date:   Wed Sep 23 22:15:10 2015 +1000

    Backport of 4.3.1 security updates

diff --git a/debian/changelog b/debian/changelog
index ded71b7..e5a869e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+wordpress (3.6.1+dfsg-1~deb7u8) UNRELEASED; urgency=medium
+
+  * Backport of 4.3.1 security fixes Closes: #799140
+  * Changeset 34137 XSS in user list table
+  * Changeset 34144 unclosed HTML elements CVE-2015-5714
+  * Changeset 34151 unsticky private posts CVE-2015-5715
+
+ -- Craig Small <csmall@debian.org>  Wed, 23 Sep 2015 22:12:30 +1000
+
 wordpress (3.6.1+dfsg-1~deb7u7) wheezy-security; urgency=medium
 
   * Backports of Wordpress 4.2.4 security fixes
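
Review bot: in the added 3.6.1+dfsg-1~deb7u8 entry, the "Changeset 34137 XSS in user list table" line carries no CVE identifier while the two lines after it name CVE-2015-5714 and CVE-2015-5715. The wheezy-security upload recorded later in this log lists that changeset as CVE-2015-7989, so add the id to this line to keep the three fixes traceable in the same way. As a style point, the squeeze-lts entry in this log writes the closer as "(Closes: #799140)"; using the parenthesised form here would keep the changelogs consistent.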



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sun, 25 Oct 2015 13:51:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 25 Oct 2015 13:51:07 GMT).


Message #54 received at 799140-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 799140-close@bugs.debian.org
Subject: Bug#799140: fixed in wordpress 4.1+dfsg-1+deb8u5
Date: Sun, 25 Oct 2015 13:48:13 +0000
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u5

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 799140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 21 Sep 2015 21:37:40 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 799140
Changes:
 wordpress (4.1+dfsg-1+deb8u5) jessie-security; urgency=medium
 .
   * Backport of 4.3.1 security fixes Closes: #799140
   * Changeset 34137 XSS in user list table
   * Changeset 34144 unclosed HTML elements CVE-2015-5714
   * Changeset 34151 unsticky private posts CVE-2015-5715




Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 30 Oct 2015 18:06:06 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 30 Oct 2015 18:06:06 GMT).


Message #59 received at 799140-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 799140-close@bugs.debian.org
Subject: Bug#799140: fixed in wordpress 3.6.1+dfsg-1~deb7u8
Date: Fri, 30 Oct 2015 18:02:51 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb7u8

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 799140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Oct 2015 20:45:31 +1100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u8
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 799140
Changes:
 wordpress (3.6.1+dfsg-1~deb7u8) wheezy-security; urgency=high
 .
   * Backport of 4.3.1 security fixes Closes: #799140
   * Changeset 34137 XSS in user list table CVE-2015-7989
   * Changeset 34144 unclosed HTML elements CVE-2015-5714
   * Changeset 34151 unsticky private posts CVE-2015-5715




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Feb 2016 07:34:38 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:03 2019; Machine Name: buxtehude
