Debian Bug report logs -
#883314
wordpress: CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 2 Dec 2017 09:15:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version wordpress/4.1+dfsg-1
Fixed in versions wordpress/4.9.1+dfsg-1, wordpress/4.7.5+dfsg-2+deb9u2
Done: Craig Small <csmall@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#883314; Package src:wordpress.
(Sat, 02 Dec 2017 09:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>.
(Sat, 02 Dec 2017 09:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Version: 4.1+dfsg-1
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for wordpress.
CVE-2017-17091[0]:
| wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser
| key to a string that can be directly derived from the user ID, which
| allows remote attackers to bypass intended access restrictions by
| entering this string.
CVE-2017-17092[1]:
| wp-includes/functions.php in WordPress before 4.9.1 does not require
| the unfiltered_html capability for upload of .js files, which might
| allow remote attackers to conduct XSS attacks via a crafted file.
CVE-2017-17093[2]:
| wp-includes/general-template.php in WordPress before 4.9.1 does not
| properly restrict the lang attribute of an HTML element, which might
| allow attackers to conduct XSS attacks via the language setting of a
| site.
CVE-2017-17094[3]:
| wp-includes/feed.php in WordPress before 4.9.1 does not properly
| restrict enclosures in RSS and Atom fields, which might allow attackers
| to conduct XSS attacks via a crafted URL.
Published at [4]. The respective commits are all referenced in the
corresponding CVE page on the security-tracker and were used for the
CVE request.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[1] https://security-tracker.debian.org/tracker/CVE-2017-17092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[2] https://security-tracker.debian.org/tracker/CVE-2017-17093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[3] https://security-tracker.debian.org/tracker/CVE-2017-17094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[4] https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Regards,
Salvatore
Reply sent
to Craig Small <csmall@debian.org>:
You have taken responsibility.
(Sat, 09 Dec 2017 06:39:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Dec 2017 06:39:04 GMT) (full text, mbox, link).
Message #10 received at 883314-close@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Source-Version: 4.9.1+dfsg-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Dec 2017 16:57:09 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.9.1+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 883314
Changes:
wordpress (4.9.1+dfsg-1) unstable; urgency=high
.
* New upstream release
* Release 4.9 was never packaged due to licensing problems
* This release fixes 6 security issues Closes: #883314
- CVE-2017-17091
Use a properly generated hash for the newbloguser key instead
of a determinate substring.
- CVE-2017-17092
Remove the ability to upload JavaScript files for users who
do not have the unfiltered_html capability
- CVE-2017-17093
Add escaping to the language attributes used on html elements
- CVE-2017-17094
Ensure the attributes of enclosures are correctly escaped in
RSS and Atom feeds
* Updated to standards 4.1.1
* New linting for Javascript is disabled due to jshint.js licensing
issues
Checksums-Sha1:
66290bb6f7303e0de8893ce5ee34a77aa0c97d24 2539 wordpress_4.9.1+dfsg-1.dsc
51871a35fb17876e9a127c586f03e78e2e9c816b 7543940 wordpress_4.9.1+dfsg.orig.tar.xz
48c7257134771885293db1bead9ef1fc431af028 6780544 wordpress_4.9.1+dfsg-1.debian.tar.xz
b256186bdf44d0cdad7198578251d6b5a353d7cb 4381960 wordpress-l10n_4.9.1+dfsg-1_all.deb
e75ebb47a0cfe7fae0e410990190ebab20950c90 701008 wordpress-theme-twentyfifteen_4.9.1+dfsg-1_all.deb
cf9d59ca506cf72f644c273a19c3bf117a2ed89d 941700 wordpress-theme-twentyseventeen_4.9.1+dfsg-1_all.deb
6b542602f46ace17db3af7166f1d1eef37635334 589600 wordpress-theme-twentysixteen_4.9.1+dfsg-1_all.deb
e5f9838ab94c33b50bcf1bfe80b6334f0956c4ba 5291468 wordpress_4.9.1+dfsg-1_all.deb
5dd852a46eeedd11b90efbbb8701a2a1a0fe3114 7231 wordpress_4.9.1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
9254944cc6d052b7cf3b56c6391d1674266276e8299c69dfa310767a179918da 2539 wordpress_4.9.1+dfsg-1.dsc
eec4bc81caed1fc9274870fc1e766ed1f4ad265af788662e72dcd644ff7f10b1 7543940 wordpress_4.9.1+dfsg.orig.tar.xz
50a00f3be6ed320a19b39b165ef9666931290e2cc064ca577bb1ccc657af5d15 6780544 wordpress_4.9.1+dfsg-1.debian.tar.xz
826fc8bf236473d23fca566215485d2b6019933fd65d0684acf029251f0f8243 4381960 wordpress-l10n_4.9.1+dfsg-1_all.deb
aab07c6b30ef4c1d13575ec119e0c37e9d7e429934134c195c9b93fd08c7ad7a 701008 wordpress-theme-twentyfifteen_4.9.1+dfsg-1_all.deb
50dffbfd01114c8d5a7b9c28b0203e599595ae31717a352aa34b5964ed183073 941700 wordpress-theme-twentyseventeen_4.9.1+dfsg-1_all.deb
afc5b71bd29a85bdc18f3fa37b990dd841c3890e60c9b0a1a1d9d23bd90c4d9a 589600 wordpress-theme-twentysixteen_4.9.1+dfsg-1_all.deb
3c07763932b4971d1a94b068f89b4aef01efb0feffca5dc81fc1563c54e7d115 5291468 wordpress_4.9.1+dfsg-1_all.deb
ef5cbac029b172b68b82f0ce88d4a4a243698d25c4a1ec7cef12204514714aa8 7231 wordpress_4.9.1+dfsg-1_amd64.buildinfo
Files:
f33c7b1afe9ffdf2b43f6ae20df0994e 2539 web optional wordpress_4.9.1+dfsg-1.dsc
ca9f295c4ea3c82a43d20f7bb988e99c 7543940 web optional wordpress_4.9.1+dfsg.orig.tar.xz
b42bedab8101ca40e64dd61e2088c4a6 6780544 web optional wordpress_4.9.1+dfsg-1.debian.tar.xz
4de15590b9e316227e9c95b7c9ef04fd 4381960 localization optional wordpress-l10n_4.9.1+dfsg-1_all.deb
9efdbcf6c2aa3dcf6028ff404535f45d 701008 web optional wordpress-theme-twentyfifteen_4.9.1+dfsg-1_all.deb
e0de8fd05ee5b3163ecf4a65cf346f09 941700 web optional wordpress-theme-twentyseventeen_4.9.1+dfsg-1_all.deb
cd086d75cd1abdb3fb035c981663470d 589600 web optional wordpress-theme-twentysixteen_4.9.1+dfsg-1_all.deb
3a1e02bfdc251e0a9900b61707701d72 5291468 web optional wordpress_4.9.1+dfsg-1_all.deb
5f46f0ea6caa1cbafb0931f2636afbea 7231 web optional wordpress_4.9.1+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAlorfF4ACgkQAiFmwP88
hOPcFg/9FWan1Dn+d3Xlj564m/X03ZqeOFDjXbyuh4H0MNCm+ifgOa3/jmZTKZyT
+mkMqhC7EE9NGkWGAm+XANUJd8ZDT/aJ5WooSqUy1nUm0MiQyssbzJ7CQOe9T4xX
BzL2E25J6MhAVKoECsh92L8mgCPqccfI3cz++o14hPA18kLyQM6CodJCr8QLw4//
6UFLQ/+oq2FH5eBcQNmNbdizCKESYj3mLqDIhErq8DOKoBAOWrRrH4k6uagxE/rV
JTNcRyAFXC2VICQvVpZh71HowU8LpvyQpOPN+KBF/AUjVXxQzXtZfhuwxb3bG8Qi
ap+uj2eJATOHDyl5nQv789n/VbQl7JpsKbFJV4vG1GNSGSO/k3fg4n21okVtTcn6
+pnoznxEIPXJ0Oh4vbeQRFdTHWSnIPrjoA5P9/xf3noeDAi5LVIaPp3Wnb2yd00y
nPZW1CjLeHzCOiF8qpnzUeBXpqUPBcm4rnbGRsK1j3BPcTqGzE2YQtYRW6mnR8L7
YoYJHIl5KCWH5H58SnYrg7BwvdXWhIUJT9WDjziSysbvnubajndbL4XSpaux/0UU
vupjapvLT/jQmueeZ4zLCzaxeU9tLh5ZZVvqPxXfYtm8jGVKWjg9gYkZuIOS6lLO
BDsGCP4EIn/61xfs/KCDcddDERAOqXPyqvvxiwx4QOvkhUni19U=
=28Iw
-----END PGP SIGNATURE-----
Added tag(s) pending.
Request was from Craig Small <csmall@debian.org>
to control@bugs.debian.org.
(Sat, 09 Dec 2017 08:06:03 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#883314.
(Sat, 09 Dec 2017 08:06:05 GMT) (full text, mbox, link).
Message #15 received at 883314-submitter@bugs.debian.org (full text, mbox, reply):
tag 883314 pending
thanks
Hello,
Bug #883314 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=5d5ab9f
---
commit 5d5ab9f7749187a352c3db3bc765972c5cbf176e
Author: Craig Small <csmall@debian.org>
Date: Sat Dec 9 18:30:08 2017 +1100
Security backport from 4.9.1
Backport of 4 patches from 4.9.1 to address security issues.
Addresses CVE-2017-17091 CVE-2017-17092 CVE-2017-17093
and CVE-2017-17094
diff --git a/debian/changelog b/debian/changelog
index 5610d83..b18edcf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high
+
+ * Backport security patches from 4.9.1 Closes: #883314
+ - CVE-2017-17091
+ Use a properly generated hash for the newbloguser key instead
+ of a determinate substring.
+ Changeset 42272
+ - CVE-2017-17092
+ Remove the ability to upload JavaScript files for users who
+ do not have the unfiltered_html capability
+ Changeset 42275
+ - CVE-2017-17093
+ Add escaping to the language attributes used on html elements
+ Changeset 42273
+ - CVE-2017-17094
+ Ensure the attributes of enclosures are correctly escaped in
+ RSS and Atom feeds
+ Changeset 42274
+
+ -- Craig Small <csmall@debian.org> Sat, 09 Dec 2017 18:13:16 +1100
+
wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
* Backport patches from 4.8.2 Closes: #876274
Reply sent
to Craig Small <csmall@debian.org>:
You have taken responsibility.
(Fri, 09 Feb 2018 23:51:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 09 Feb 2018 23:51:06 GMT) (full text, mbox, link).
Message #20 received at 883314-close@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u2
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Jan 2018 18:19:44 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 880528 883314
Changes:
wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high
.
* Backport security patches from 4.9.1 Closes: #883314
- CVE-2017-17091
Use a properly generated hash for the newbloguser key instead
of a determinate substring.
Changeset 42272
- CVE-2017-17092
Remove the ability to upload JavaScript files for users who
do not have the unfiltered_html capability
Changeset 42275
- CVE-2017-17093
Add escaping to the language attributes used on html elements
Changeset 42273
- CVE-2017-17094
Ensure the attributes of enclosures are correctly escaped in
RSS and Atom feeds
Changeset 42274
* Also backport patch for $wpdb->prepare CVE-2017-16510
Closes: 880528
Checksums-Sha1:
55cb71b5cd94997ba75dbe7bb0e4e33396a6390e 2567 wordpress_4.7.5+dfsg-2+deb9u2.dsc
df248276f0f664089b31893d2caada20e98dabf1 6789772 wordpress_4.7.5+dfsg-2+deb9u2.debian.tar.xz
385ea0764ef23cb7e7d1f6dc6760267c56480e70 4381066 wordpress-l10n_4.7.5+dfsg-2+deb9u2_all.deb
435025d32b6ec95a0bb1524d39f9deb87aaf657f 700666 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u2_all.deb
4c042c43df8db620fbcb2d41c3e83ab8f2202a6d 940400 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u2_all.deb
b39181a1c44506e5ded048ff71bb71ec01f9a359 589388 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u2_all.deb
e61f52bf9556463131077cd1dc45c4f6ce87a421 4001636 wordpress_4.7.5+dfsg-2+deb9u2_all.deb
85c59079a60f85004a4ac9e7c083efbc06775ea7 7445 wordpress_4.7.5+dfsg-2+deb9u2_amd64.buildinfo
Checksums-Sha256:
1d2f5008528222dbf7c14a7f31ea487779adbc51b52bb73996b945566c72dcfd 2567 wordpress_4.7.5+dfsg-2+deb9u2.dsc
a20936583082cdd5919e0b8c204c74007d8588ce2b60f96e07a6a7e843af1b74 6789772 wordpress_4.7.5+dfsg-2+deb9u2.debian.tar.xz
b5b02cbfcf3c6b4c0ca14fe462dca7b55b12cc0fbbe0a062507c7aee7df6f36e 4381066 wordpress-l10n_4.7.5+dfsg-2+deb9u2_all.deb
dfeb9ede00697bea5b2006d74d334e9a8c5c18b78e6ac1997ffcf25ed0870d25 700666 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u2_all.deb
067fa464da20513c7b695eb2e62138161ee0f64710aa919cd117120941bf4648 940400 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u2_all.deb
fa8416e21f1b0bb940a541427b2ba7560f914dd165edf4b8a21bdff654e98f9d 589388 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u2_all.deb
2521a497c9461bf04cd5bceca1ea6cea641cbc8c7654c70c5f063b08b2c1b52a 4001636 wordpress_4.7.5+dfsg-2+deb9u2_all.deb
a4e1690c432675a2944b561c5fdcca179ae95a15105d734a540ac6acdea6bfa1 7445 wordpress_4.7.5+dfsg-2+deb9u2_amd64.buildinfo
Files:
2dbec2a04d3b82680024bda07e49d7e7 2567 web optional wordpress_4.7.5+dfsg-2+deb9u2.dsc
35709d7aef2653226f8ed7c338639a5e 6789772 web optional wordpress_4.7.5+dfsg-2+deb9u2.debian.tar.xz
f874980bbf4286ec90b4a6bc11d0aacc 4381066 localization optional wordpress-l10n_4.7.5+dfsg-2+deb9u2_all.deb
96362e78e49b6d2f7bb8aedd42d070ec 700666 web optional wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u2_all.deb
cd094c5961dcfc0b3fc0cefa0fb3cb98 940400 web optional wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u2_all.deb
ac33f61cafadf2011b7f2a33df12c889 589388 web optional wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u2_all.deb
61244d755847cfc450cb8491082f9be2 4001636 web optional wordpress_4.7.5+dfsg-2+deb9u2_all.deb
e928e27308338f4bf61b08ee1a5cce70 7445 web optional wordpress_4.7.5+dfsg-2+deb9u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAlpQDa0ACgkQAiFmwP88
hOOrpRAAkgFRFSEVJUQS5xf8CgYRU1IuneIWAEw9kwaZZuhuNglzhaO4jeXoTw0q
m6uVbuBfsmonIqw8mTh9oMuGtVvaYs3+TjDnxPPbUo6hUM4qaOqvIP0vimI2fge0
zgqhG6i9hQUNDgONkZtzX4vWDjSuHfGFD+jOzrUKL9f6KCfbZbuSx1B5Y74S2mVG
lPYug35oyRLWSjghwf3EJNSoq/5iY3LqQitShsxX3IAC6HEdWiijtYQIcW4NmMak
JBtWn5/Y5yLflqubfscSddgWcaG0v4QDcGD89CMZ+QBzK6pc6PDCyBthzUszKXRZ
Da5wHWi+OGO5PdGzANPUOeelr9zVr3jnTihIZrVYJybuYr0cUU6cB2JXzTP20yvT
BzWzgrxrS2hz3hLOWIi+S5c9kn/8t7e7xCLQ8S5Wv7oiZ1GLgRmWqnFf4AjposGn
KZrkX3bw02oAFmFbv1HMjhAgN3VfEqwgRLHb/UPAqq7HqRJ43v0gPuZVSOb7MBV4
h4Xzs4QFaScR0Cg7g8L1kHqccbgkmp4VLSDz3SY4hJj0hDIts/PwZtJve+NViTdc
gKJqsbe4IjraBZhIilXjYi85OFVWKQdwQpm62U1NwsDhXcDWep48bV6olkHjvk3f
1eraIYm4YJ1WqGo2sjscqIcQTAnEtT3DE2frjtBXJONxgXvMQok=
=SZzV
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 14 Mar 2018 07:26:46 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:57:40 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon