wordpress: CVE-2016-4566: Reflected XSS in PLupload and mediaelement

Related Vulnerabilities: CVE-2016-4566  

Debian Bug report logs - #823640

Reported by: Craig Small <csmall@debian.org>

Date: Fri, 6 May 2016 21:48:01 UTC

Severity: important

Tags: pending, security, upstream

Found in version wordpress/4.2+dfsg-1

Fixed in version wordpress/4.5.2+dfsg-1

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#823640; Package wordpress. (Fri, 06 May 2016 21:48:05 GMT).


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Fri, 06 May 2016 21:48:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Reflected XSS in PLupload and mediaelement
Date: Sat, 07 May 2016 07:46:05 +1000
Package: wordpress
Version: 4.5.1
Severity: important
Tags: security upstream

WordPress 4.2 to 4.5.1 has an XSS vulnerability in Plupload and
mediaelement.  I haven't yet done the analysis to see if we are
fully vulnerable (some mediaelement items are removed due to DFSG
problems) but most likely it is.

No CVE items as yet from what I can tell.

Given this problem was introduced in 4.2 then jessie and wheezy should
not be impacted. I'll have a look at them in case they no longer care
about such old versions.

They mention an imagemagick problem too, but it sounds more about the
library. Cannot find a DSA about it though.

https://wordpress.org/news/2016/05/wordpress-4-5-2/


-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
pn  apache2 | httpd                 <none>
ii  ca-certificates                 20160104
ii  libjs-cropper                   1.2.2-1
ii  libphp-phpmailer                5.2.14+dfsg-2
ii  libphp-snoopy                   2.0.0-1
ii  mysql-client                    5.6.28-1
ii  php5                            5.6.19+dfsg-2
pn  php5-gd                         <none>
ii  php5-mysql                      5.6.19+dfsg-2+b1
pn  wordpress-theme-twentyfourteen  <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwelve  <none>

Versions of packages wordpress suggests:
ii  mysql-server  5.6.28-1



Information stored :
Bug#823640; Package wordpress. (Sat, 07 May 2016 01:15:03 GMT).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and filed, but not forwarded. (Sat, 07 May 2016 01:15:04 GMT).


Message #10 received at 823640-quiet@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 823640-quiet@bugs.debian.org
Subject: changesets
Date: Sat, 7 May 2016 11:11:18 +1000

plupload is changeset 37382
https://core.trac.wordpress.org/browser/branches/4.5?rev=37382

mediaelement.js is changeset 37371
https://core.trac.wordpress.org/browser/branches/4.5?rev=37371
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



No longer marked as found in versions 4.5.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 May 2016 03:48:03 GMT).


Marked as found in versions wordpress/4.2+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 May 2016 03:48:04 GMT).


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 07 May 2016 04:03:10 GMT).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Sat, 07 May 2016 04:03:10 GMT).


Message #19 received at 823640-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 823640-close@bugs.debian.org
Subject: Bug#823640: fixed in wordpress 4.5.2+dfsg-1
Date: Sat, 07 May 2016 04:00:32 +0000
Source: wordpress
Source-Version: 4.5.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 07 May 2016 12:39:47 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen
Architecture: source all
Version: 4.5.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 823640
Changes:
 wordpress (4.5.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release
   * Fixes reflected XSS attack in plupload Closes: #823640
   * Do not use old mediaelelement




Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sat, 07 May 2016 04:18:04 GMT).


Message sent on to Craig Small <csmall@debian.org>:
Bug#823640. (Sat, 07 May 2016 04:18:08 GMT).


Message #24 received at 823640-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 823640-submitter@bugs.debian.org
Subject: Bug#823640 marked as pending
Date: Sat, 07 May 2016 04:15:27 +0000

tag 823640 pending
thanks

Hello,

Bug #823640 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=ddce5e6

---
commit ddce5e66df052da49cc28c2afd4c7aa85bf9a8d4
Author: Craig Small <csmall@debian.org>
Date:   Sat May 7 12:10:05 2016 +1000

    update changelog for 4.5.2

diff --git a/debian/changelog b/debian/changelog
index 335de24..eecb86d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wordpress (4.5.2+dfsg-1) UNRELEASED; urgency=medium
+
+  * New upstream release
+  * Fixes reflected XSS attacks in mediaelement and plupload
+    Closes: #823640
+
+ -- Craig Small <csmall@debian.org>  Sat, 07 May 2016 12:08:23 +1000
+
 wordpress (4.5.1+dfsg-1) unstable; urgency=medium
 
   * New upstream release
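
Review bot: The new top entry is still `UNRELEASED; urgency=medium`, which does not match a security upload: the entry closes #823640, a reflected XSS, and the .changes file for this same version earlier in this log reads `unstable; urgency=high`. Set the distribution and urgency in the changelog before building so the archive metadata reflects the security fix. The entry also carries no CVE identifier; once one is assigned, adding it next to `Closes: #823640` lets security trackers match the upload to the advisory.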



Changed Bug title to 'wordpress: CVE-2016-4566: Reflected XSS in PLupload and mediaelement' from 'wordpress: Reflected XSS in PLupload and mediaelement'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 May 2016 11:27:06 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Jun 2016 07:27:32 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:03 2019; Machine Name: buxtehude
