wordpress: WordPress 5.8.3 Security Release

Related Vulnerabilities: CVE-2022-21662   CVE-2022-21663   CVE-2022-21661   CVE-2022-21664  

Debian Bug report logs - #1003243


Reported by: Craig Small <csmall@debian.org>

Date: Thu, 6 Jan 2022 21:48:01 UTC

Severity: grave

Tags: security, upstream

Found in version wordpress/5.8.2+dfsg1-1

Fixed in version wordpress/5.8.3+dfsg1-1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#1003243; Package wordpress. (Thu, 06 Jan 2022 21:48:03 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Thu, 06 Jan 2022 21:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: WordPress 5.8.3 Security Release
Date: Fri, 07 Jan 2022 08:37:30 +1100
Package: wordpress
Version: 5.8.2+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

WordPress have released version 5.8.3 which fixes 4 security bugs.
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/

 * An issue with stored XSS through post slugs.
   CVE-2022-21662 - Stored XSS through authenticated users
   https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
   https://hackerone.com/reports/425342


 * An issue with Object injection in some multisite installations.
   CVE-2022-21663 - Authenticated Object Injection in Multisites
   https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
   https://hackerone.com/reports/541469


 * A SQL injection vulnerability in WP_Query.
   CVE-2022-21661 - WordPress: SQL Injection through WP_Query
   https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
   https://hackerone.com/reports/1378209

 * A SQL injection vulnerability in WP_Meta_Query.
   CVE-2022-21664 - SQL injection due to improper sanitization in WP_Meta_Query
   https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86



Message sent on to Craig Small <csmall@debian.org>:
Bug#1003243. (Fri, 07 Jan 2022 04:51:06 GMT)


Message #8 received at 1003243-submitter@bugs.debian.org:

From: Craig Small <noreply@salsa.debian.org>
To: 1003243-submitter@bugs.debian.org
Subject: Bug#1003243 marked as pending in wordpress
Date: Fri, 07 Jan 2022 04:47:36 +0000
Control: tag -1 pending

Hello,

Bug #1003243 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/11a90b4eea98a745ad6e6005b9b9bf0e2fdf6ce6

------------------------------------------------------------------------
Upstream security release Closes: #1003243

* Upstream security release Closes: #1003243
  - CVE-2022-21662 - Stored XSS through authenticated users
  - CVE-2022-21663 - Authenticated Object Injection in Multisites
  - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
  - CVE-2022-21664 - SQL injection due to improper sanitization
    in WP_Meta_Query
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1003243



Added tag(s) pending. Request was from Craig Small <noreply@salsa.debian.org> to 1003243-submitter@bugs.debian.org. (Fri, 07 Jan 2022 04:51:06 GMT)



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 07 Jan 2022 05:24:05 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Fri, 07 Jan 2022 05:24:05 GMT)


Message #18 received at 1003243-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1003243-close@bugs.debian.org
Subject: Bug#1003243: fixed in wordpress 5.8.3+dfsg1-1
Date: Fri, 07 Jan 2022 05:20:31 +0000
Source: wordpress
Source-Version: 5.8.3+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003243@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jan 2022 15:57:14 +1100
Source: wordpress
Architecture: source
Version: 5.8.3+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 1003243
Changes:
 wordpress (5.8.3+dfsg1-1) unstable; urgency=high
 .
   * Upstream security release Closes: #1003243
     - CVE-2022-21662 - Stored XSS through authenticated users
     - CVE-2022-21663 - Authenticated Object Injection in Multisites
     - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
     - CVE-2022-21664 - SQL injection due to improper sanitization
       in WP_Meta_Query
Checksums-Sha1:
 b9cf7db9f184c6c5a2518ef5a36e80a5ef1cd5ed 2392 wordpress_5.8.3+dfsg1-1.dsc
 9006c624ef62350753b6d64e6fe7c3c28739b272 11015192 wordpress_5.8.3+dfsg1.orig.tar.xz
 3b53da7d3d9385c85f5cbfdb96851f0ce4afc448 6825408 wordpress_5.8.3+dfsg1-1.debian.tar.xz
 b2e699ef9e2808c0dbe9f8a046076d25fcf4a153 7428 wordpress_5.8.3+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 86ee6745cf39450a85c3ba7b403f414906f4d62723e13bdc244e973d864421c7 2392 wordpress_5.8.3+dfsg1-1.dsc
 996388aba49f794dd8df9f2a6a22b81aef574909e07a29b69178ac4608c86ca9 11015192 wordpress_5.8.3+dfsg1.orig.tar.xz
 37947d03ee2ccaa6c941d1b2fa2174d2d2ca0d20b5e8d3cc3803a1429a9548d6 6825408 wordpress_5.8.3+dfsg1-1.debian.tar.xz
 d1ce6c08482533f747f4f3246d41a4b50c383083c2e2dd27e365bd21b218ccfa 7428 wordpress_5.8.3+dfsg1-1_amd64.buildinfo
Files:
 2f36a0073eaafcb5295cc519975c704d 2392 web optional wordpress_5.8.3+dfsg1-1.dsc
 1e7169b1e66338824a4f7a3e79d94874 11015192 web optional wordpress_5.8.3+dfsg1.orig.tar.xz
 518d443263ecdfba274dd2614f422cd1 6825408 web optional wordpress_5.8.3+dfsg1-1.debian.tar.xz
 3319d067b0cd9e39d1ba314d3a575228 7428 web optional wordpress_5.8.3+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
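
The .changes file above lists SHA-1, SHA-256 and MD5 sums with sizes for the four uploaded source artefacts. Anyone fetching those files outside apt (for example to rebuild the package or to diff 5.8.2 against 5.8.3) should check them against the signed list rather than trust the download path. The Python below is an added example, not code from the bug log or from Debian's tooling: it parses the `Checksums-Sha256` stanza in the format shown above (the embedded stanza is copied from the message), then verifies files in a directory, reporting size mismatches separately from digest mismatches so a truncated download is not mistaken for tampering. It deliberately does not verify the PGP signature over the .changes itself; that step (`gpg --verify` against the Debian keyring, or `dscverify`) is what makes the checksum list trustworthy in the first place.

```python
import hashlib
import os

# Checksums-Sha256 stanza of wordpress_5.8.3+dfsg1-1_amd64.changes, copied
# from the bug log. Continuation lines are "<sha256> <size> <filename>".
CHANGES_TEXT = """\
Checksums-Sha256:
 86ee6745cf39450a85c3ba7b403f414906f4d62723e13bdc244e973d864421c7 2392 wordpress_5.8.3+dfsg1-1.dsc
 996388aba49f794dd8df9f2a6a22b81aef574909e07a29b69178ac4608c86ca9 11015192 wordpress_5.8.3+dfsg1.orig.tar.xz
 37947d03ee2ccaa6c941d1b2fa2174d2d2ca0d20b5e8d3cc3803a1429a9548d6 6825408 wordpress_5.8.3+dfsg1-1.debian.tar.xz
 d1ce6c08482533f747f4f3246d41a4b50c383083c2e2dd27e365bd21b218ccfa 7428 wordpress_5.8.3+dfsg1-1_amd64.buildinfo
Files:
 2f36a0073eaafcb5295cc519975c704d 2392 web optional wordpress_5.8.3+dfsg1-1.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from the given field's
    continuation lines. Stops at the next field (a line not starting with
    a space). Rejects names that are not plain basenames, since the list
    is later joined onto a directory path."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.rstrip() == field + ":"
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = parts
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError("refusing non-basename file entry: %r" % name)
        entries[name] = (digest.lower(), int(size))
    if not entries:
        raise ValueError("no %s stanza found" % field)
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_files(entries, files):
    """files maps filename -> bytes. Returns {filename: status} with status
    one of 'ok', 'missing', 'size-mismatch', 'digest-mismatch'. Size is
    checked first so a truncated download is reported as such."""
    results = {}
    for name, (digest, size) in entries.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif sha256_hex(data) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def verify_directory(changes_text, directory):
    """Verify every listed file that exists under directory."""
    entries = parse_checksums(changes_text)
    files = {}
    for name in entries:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()
    return verify_files(entries, files)


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in sorted(verify_directory(CHANGES_TEXT, directory).items()):
        print("%-16s %s" % (status, name))
```

Run it from the directory holding the downloaded .dsc and tarballs; any status other than `ok` means the artefact should not be used. Keep in mind the stanza is only as trustworthy as the signature over the .changes, and that the same parser works unchanged on the `Checksums-Sha256` field of a .dsc.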






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 7 16:10:21 2022; Machine Name: buxtehude
