wordpress: CVE-2017-14990

Debian Bug report logs - #877629
wordpress: CVE-2017-14990


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 3 Oct 2017 15:21:02 UTC

Severity: important

Tags: security, upstream

Found in version wordpress/4.8.2+dfsg-1

Fixed in versions wordpress/4.8.2+dfsg-2, wordpress/4.7.5+dfsg-2+deb9u1, wordpress/4.1+dfsg-1+deb8u15

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://core.trac.wordpress.org/ticket/38474



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#877629; Package src:wordpress. (Tue, 03 Oct 2017 15:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Craig Small <csmall@debian.org>. (Tue, 03 Oct 2017 15:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2017-14990
Date: Tue, 03 Oct 2017 17:17:08 +0200
Source: wordpress
Version: 4.8.2+dfsg-1
Severity: important
Tags: upstream security
Forwarded: https://core.trac.wordpress.org/ticket/38474

Hi,

the following vulnerability was published for wordpress.

CVE-2017-14990[0]:
| WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but
| stores the analogous wp_users.user_activation_key values as hashes),
| which might make it easier for remote attackers to hijack unactivated
| user accounts by leveraging database read access (such as access gained
| through an unspecified SQL injection vulnerability).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14990
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14990
[1] https://core.trac.wordpress.org/ticket/38474

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
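The CVE text above describes a storage asymmetry: a pending signup's activation key is kept in cleartext, so anyone who can merely read the table can present it and activate the account, while the corresponding per-user key is stored only as a hash. The following is an added illustration of that fix pattern in Python; it is not WordPress code or the Debian patch, and `Signup`, `SignupStore`, `hash_key` and `stored_value_activates` are names chosen here for the demonstration, with a constructed in-memory table standing in for wp_signups.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Signup:
    """One row of a constructed stand-in for the wp_signups table."""
    user_email: str
    activation_key: str      # persisted value: the key itself, or its hash
    active: bool = False


def hash_key(key: str) -> str:
    # The key is a fresh 128-bit random token, so a plain SHA-256 digest is
    # enough to make the stored column useless on its own; a slow password
    # hash (as WordPress already used for user_activation_key) also works.
    return hashlib.sha256(key.encode()).hexdigest()


class SignupStore:
    """Minimal pending-signup store. hash_at_rest=False reproduces the
    CVE-2017-14990 condition; hash_at_rest=True is the fixed behaviour.
    token_source is injectable (hypothetical hook) so tests can fix the key."""

    def __init__(self, hash_at_rest: bool,
                 token_source: Callable[[int], str] = secrets.token_hex):
        self.hash_at_rest = hash_at_rest
        self._token_source = token_source
        self.rows: Dict[str, Signup] = {}

    def create_signup(self, email: str) -> str:
        key = self._token_source(16)
        stored = hash_key(key) if self.hash_at_rest else key
        self.rows[email] = Signup(email, stored)
        return key   # handed out once, in the activation e-mail; never stored

    def activate(self, email: str, presented_key: str) -> bool:
        row = self.rows.get(email)
        if row is None or row.active or not row.activation_key:
            return False
        candidate = hash_key(presented_key) if self.hash_at_rest else presented_key
        # Constant-time comparison so response timing does not leak the value.
        if not hmac.compare_digest(row.activation_key, candidate):
            return False
        row.active = True
        row.activation_key = ""   # single use: clear it once consumed
        return True


def stored_value_activates(store: SignupStore, email: str) -> bool:
    """Models the CVE's precondition: a party with read-only access to the
    table presents exactly what the row holds. With cleartext storage that
    is the real key; with hashed storage it is only a digest and fails."""
    leaked = store.rows[email].activation_key
    return store.activate(email, leaked)


if __name__ == "__main__":
    for hashed in (False, True):
        store = SignupStore(hash_at_rest=hashed)
        store.create_signup("pending@example.org")
        print("hash_at_rest=%s -> row contents alone activate: %s"
              % (hashed, stored_value_activates(store, "pending@example.org")))
```

The point of `stored_value_activates` is the defender's check: after the fix, a dump of the table no longer contains anything that the activation endpoint will accept, which is exactly the property the per-user key already had.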



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#877629; Package src:wordpress. (Tue, 03 Oct 2017 20:30:06 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 03 Oct 2017 20:30:06 GMT) (full text, mbox, link).


Message #10 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Craig Small <csmall@debian.org>
Cc: 877629@bugs.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Tue, 03 Oct 2017 22:21:16 +0200
[Message part 1 (text/plain, inline)]
On Tue, 2017-10-03 at 17:17 +0200, Salvatore Bonaccorso wrote:
> Source: wordpress
> Version: 4.8.2+dfsg-1
> Severity: important
> Tags: upstream security
> Forwarded: https://core.trac.wordpress.org/ticket/38474
> 
> Hi,
> 
> the following vulnerability was published for wordpress.
> 
> CVE-2017-14990[0]:
> > WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but
> > stores the analogous wp_users.user_activation_key values as hashes),
> > which might make it easier for remote attackers to hijack unactivated
> > user accounts by leveraging database read access (such as access gained
> > through an unspecified SQL injection vulnerability).
> 
Hi Craig,

will you handle this one as well, squeezing it in the upcoming DSA?

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#877629; Package src:wordpress. (Tue, 03 Oct 2017 23:09:07 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Tue, 03 Oct 2017 23:09:07 GMT) (full text, mbox, link).


Message #15 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 877629@bugs.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Tue, 03 Oct 2017 23:06:05 +0000
[Message part 1 (text/plain, inline)]
I will add this to the security release you just reviewed and get you to
re-review it :/

 - Craig

-- 
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#877629; Package src:wordpress. (Wed, 04 Oct 2017 07:51:11 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 04 Oct 2017 07:51:11 GMT) (full text, mbox, link).


Message #20 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Craig Small <csmall@debian.org>
Cc: 877629@bugs.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Wed, 04 Oct 2017 09:48:24 +0200
[Message part 1 (text/plain, inline)]
On Tue, 2017-10-03 at 23:06 +0000, Craig Small wrote:
> I will add this to the security release you just reviewed and get you to re-
> review it :/
> 

Thanks, don't worry it's not that bad, it's just one patch after all. No need
to send a new debdiff, just push your changes to git and I'll review there.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Wed, 04 Oct 2017 11:51:04 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#877629. (Wed, 04 Oct 2017 11:51:05 GMT) (full text, mbox, link).


Message #25 received at 877629-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 877629-submitter@bugs.debian.org
Subject: Bug#877629 marked as pending
Date: Wed, 04 Oct 2017 11:48:51 +0000
tag 877629 pending
thanks

Hello,

Bug #877629 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=f44db60

---
commit f44db60ecc92e071b69159dda54e19435474cf37
Author: Craig Small <csmall@debian.org>
Date:   Wed Oct 4 22:14:32 2017 +1100

    Patch 38474 for CVE-2017-14990

diff --git a/debian/changelog b/debian/changelog
index 1c20725..7570b2c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (4.8.2+dfsg-2) unstable; urgency=high
+
+  * Hash user activation key Closes: #877629
+    Fixes CVE-2017-14990
+
+ -- Craig Small <csmall@debian.org>  Wed, 04 Oct 2017 21:59:11 +1100
+
 wordpress (4.8.2+dfsg-1) unstable; urgency=high
 
   * New upstream security release fixes 9 security issues closes: #876274
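Review bot: the entry `+  * Hash user activation key Closes: #877629` names the user activation key, but the CVE in this bug concerns wp_signups.activation_key; wp_users.user_activation_key was already stored hashed. Naming the signups key in the changelog would keep a reader from concluding that the already-hashed column was the one changed. The CVE id is present as the submitter requested, and `Closes: #877629` will close this bug on upload.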



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Wed, 04 Oct 2017 12:09:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Oct 2017 12:09:07 GMT) (full text, mbox, link).


Message #30 received at 877629-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 877629-close@bugs.debian.org
Subject: Bug#877629: fixed in wordpress 4.8.2+dfsg-2
Date: Wed, 04 Oct 2017 12:05:24 +0000
Source: wordpress
Source-Version: 4.8.2+dfsg-2

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Oct 2017 21:59:11 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.8.2+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 877629
Changes:
 wordpress (4.8.2+dfsg-2) unstable; urgency=high
 .
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990
Checksums-Sha1:
 791db1fb15ca8f950a5b8ac34e71171f1bc2c7bd 2539 wordpress_4.8.2+dfsg-2.dsc
 9c3e6e3a0c4f1e50bebddddc662fedac195b4b9a 6780088 wordpress_4.8.2+dfsg-2.debian.tar.xz
 5cc9d91b8e5e2b7afad06bce2047f78d1e70ceb5 4382752 wordpress-l10n_4.8.2+dfsg-2_all.deb
 dcb200644d14d8d7a541b5f17a688efdc32be7d4 700460 wordpress-theme-twentyfifteen_4.8.2+dfsg-2_all.deb
 7fcefc51ef9fab14165a70aec888dafcfa730b4e 940428 wordpress-theme-twentyseventeen_4.8.2+dfsg-2_all.deb
 cb51237516568f25d328d408cdf9118798dc3489 589148 wordpress-theme-twentysixteen_4.8.2+dfsg-2_all.deb
 2639d9b6db5c9a10da14f51698299ae6e2e35213 4140198 wordpress_4.8.2+dfsg-2_all.deb
 dbcef5e3349df5bea3ac1f41f66d8b07e728ad97 7190 wordpress_4.8.2+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 c0db670a3d53add90a1a78a6a150c733ea1cd43145d40c2ebc9e51651fe808c5 2539 wordpress_4.8.2+dfsg-2.dsc
 2e6c67a29b7c830c9e770eff6aa54dc681a6aad4e86034cec0380b5cf5572754 6780088 wordpress_4.8.2+dfsg-2.debian.tar.xz
 cf1be0b5ee4430e37df3feb4dbcb9ea58db06915f69d9cb72b98766f36d67b63 4382752 wordpress-l10n_4.8.2+dfsg-2_all.deb
 d9a1fded275827ef6078976623771b82e27e87a55867f58745020e08504db24d 700460 wordpress-theme-twentyfifteen_4.8.2+dfsg-2_all.deb
 e4710965ea92df164034cc010325c148b76db72f2a248c4b5da0d5311e1a764e 940428 wordpress-theme-twentyseventeen_4.8.2+dfsg-2_all.deb
 fac5a44d5684d94d880ed9c5cfbe3f0556d325de69b80d2313b6bbe9f139b55e 589148 wordpress-theme-twentysixteen_4.8.2+dfsg-2_all.deb
 fc0f9f80bba33fd9382dc74525cc2e9260260170df0a20a892f53392235f947c 4140198 wordpress_4.8.2+dfsg-2_all.deb
 b4deb66f6e95f5a0d27f9acb012ca7e5e0addde7f9ad20155a15470d3976a3b5 7190 wordpress_4.8.2+dfsg-2_amd64.buildinfo
Files:
 7bbb6499acfc9bd83f13fc6724154535 2539 web optional wordpress_4.8.2+dfsg-2.dsc
 630bec2a6406c8149a2bf1f2dfcff0c2 6780088 web optional wordpress_4.8.2+dfsg-2.debian.tar.xz
 3098fc5c506ccc9f425f5dc429d9516b 4382752 localization optional wordpress-l10n_4.8.2+dfsg-2_all.deb
 3b93e3d5b9d1d80abf6dca0924a51207 700460 web optional wordpress-theme-twentyfifteen_4.8.2+dfsg-2_all.deb
 8f89dd5acfdac616b1d6e1c3da0ef657 940428 web optional wordpress-theme-twentyseventeen_4.8.2+dfsg-2_all.deb
 310ad8d22b6aa46620206da79466007f 589148 web optional wordpress-theme-twentysixteen_4.8.2+dfsg-2_all.deb
 817ee387ad2f3b3285a243e89cde3197 4140198 web optional wordpress_4.8.2+dfsg-2_all.deb
 ee19a6c48ab3b5f0cd15e2e378c7ed3d 7190 web optional wordpress_4.8.2+dfsg-2_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#877629; Package src:wordpress. (Fri, 06 Oct 2017 20:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 06 Oct 2017 20:39:05 GMT) (full text, mbox, link).


Message #35 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 877629@bugs.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Fri, 06 Oct 2017 20:35:12 +0000
[Message part 1 (text/plain, inline)]
Hi Yves-Alexis,
  I have now applied that patch to the stretch version of wordpress. Other
than some minor problems (some comments had changed) the patch applied
cleanly.
You'll find the update at

https://anonscm.debian.org/git/collab-maint/wordpress.git/commit/?h=stretch&id=5c88ea7390caed18e9c986294d45f6c7f718740b

Hopefully we can get the security release out before the next set of
WordPress security issues!

 - Craig

-- 
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#877629; Package src:wordpress. (Sat, 07 Oct 2017 19:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 07 Oct 2017 19:24:06 GMT) (full text, mbox, link).


Message #40 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Craig Small <csmall@debian.org>
Cc: 877629@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Sat, 07 Oct 2017 21:19:48 +0200
[Message part 1 (text/plain, inline)]
On Fri, 2017-10-06 at 20:35 +0000, Craig Small wrote:
> Hi Yves-Alexis,
>   I have now applied that patch to the stretch version of wordpress. Other
> than some minor problems (some comments had changed) the patch applied
> cleanly.
> You'll find the update at
> 
> https://anonscm.debian.org/git/collab-maint/wordpress.git/commit/?h=stretch&
> id=5c88ea7390caed18e9c986294d45f6c7f718740b
> 
> Hopefully we can get the security release out before the next set of
> WordPress security issues!

Thanks, please proceed with the upload to security-master (remember to build
with -sa since it's the first stretch security upload for wordpress). You can
upload a source-only package but you need to make sure there's no .buildinfo
uploaded then.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]
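The upload advice in the message above amounts to two checks on the .changes file before it goes to security-master: the first upload of the package to a suite must carry the orig tarball (that is what `-sa` forces), and a source-only upload must list no .buildinfo. The following is an added example, not part of this bug log or of Debian's tooling, that parses the `Files:` field of a .changes file and reports those conditions; `parse_changes_files` and `check_security_upload` are names chosen here, and the embedded sample is constructed in the layout of the .changes files later in this log, with placeholder checksums.

```python
from typing import List

# Constructed .changes fragment in the layout of the ones in this bug log;
# the checksum column is a placeholder, not a real value.
SAMPLE_SOURCE_ONLY_CHANGES = """\
Format: 1.8
Source: wordpress
Architecture: source
Version: 4.7.5+dfsg-2+deb9u1
Distribution: stretch-security
Files:
 00000000000000000000000000000000 2567 web optional wordpress_4.7.5+dfsg-2+deb9u1.dsc
 00000000000000000000000000000000 6240440 web optional wordpress_4.7.5+dfsg.orig.tar.xz
 00000000000000000000000000000000 6785340 web optional wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
"""


def parse_changes_files(changes_text: str) -> List[str]:
    """Return the file names listed under Files: in a .changes file.
    Continuation lines of a field are indented by one space; the field ends
    at the first line that is not (next field, blank line or signature)."""
    names: List[str] = []
    in_files = False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if not in_files:
            continue
        if not line.startswith(" "):
            break
        parts = line.split()          # md5 size section priority filename
        if parts:
            names.append(parts[-1])
    return names


def check_security_upload(changes_text: str, first_upload_for_suite: bool,
                          source_only: bool) -> List[str]:
    """Return a list of problems (empty means the upload looks right).
    Rules follow the advice in this bug: a first upload to a suite needs the
    .orig tarball (build with -sa); a source-only upload must not list a
    .buildinfo. Rejecting .deb files in a source-only upload is an added
    sanity check, since such an upload should carry source artifacts only."""
    names = parse_changes_files(changes_text)
    has_orig = any(".orig.tar." in n for n in names)
    has_buildinfo = any(n.endswith(".buildinfo") for n in names)
    has_binary = any(n.endswith(".deb") for n in names)
    problems: List[str] = []
    if first_upload_for_suite and not has_orig:
        problems.append("orig tarball missing: rebuild with -sa")
    if source_only and has_buildinfo:
        problems.append(".buildinfo listed in a source-only upload")
    if source_only and has_binary:
        problems.append("binary package listed in a source-only upload")
    return problems


if __name__ == "__main__":
    for problem in check_security_upload(SAMPLE_SOURCE_ONLY_CHANGES, True, True):
        print("problem:", problem)
    print("files:", parse_changes_files(SAMPLE_SOURCE_ONLY_CHANGES))
```

Run against the real .changes produced by the build (the unsigned one dpkg-genchanges writes) before signing and dput; if the problems list is non-empty, fix the build rather than the file.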

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#877629; Package src:wordpress. (Sat, 07 Oct 2017 19:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 07 Oct 2017 19:57:03 GMT) (full text, mbox, link).


Message #45 received at 877629@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Craig Small <csmall@debian.org>
Cc: 877629@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#877629: wordpress: CVE-2017-14990
Date: Sat, 07 Oct 2017 21:54:25 +0200
[Message part 1 (text/plain, inline)]
On Sat, 2017-10-07 at 21:19 +0200, Yves-Alexis Perez wrote:
> Thanks, please proceed with the upload to security-master (remember to build
> with -sa since it's the first stretch security upload for wordpress). You can
> upload a source-only package but you need to make sure there's no .buildinfo
> uploaded then.

By the way, what are your plans wrt. Jessie?

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Tue, 10 Oct 2017 12:21:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#877629. (Tue, 10 Oct 2017 12:21:06 GMT) (full text, mbox, link).


Message #50 received at 877629-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 877629-submitter@bugs.debian.org
Subject: Bug#877629 marked as pending
Date: Tue, 10 Oct 2017 12:16:17 +0000
tag 877629 pending
thanks

Hello,

Bug #877629 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=084ee8d

---
commit 084ee8dfa21e5dd89130c7ffbee633abfd726230
Author: Craig Small <csmall@debian.org>
Date:   Tue Oct 10 23:14:49 2017 +1100

    Patches from 4.8.2 security release
    
    All relevant patches from 4.8.2-1 and 4.8.2-2 which are in the
    security release

diff --git a/debian/changelog b/debian/changelog
index 9366144..7dc0ca0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,41 @@
+wordpress (4.1+dfsg-1+deb8u15) UNRELEASED; urgency=medium
+
+  * Backport security patches from 4.8.2
+     - CVE-2017-14723
+       $wpdb->prepare() can create unexpected and unsafe queries leading to
+       potential SQL injection (SQLi)
+       Changeset 41472, 41498
+     - CVE-2017-14726
+       Cross-site scripting (XSS) vulnerability in the visual editor
+       Changeset 41436
+     - CVE-2017-14719
+       Path traversal vulnerability in the file unzipping code
+       Changeset 41459
+     - CVE-2017-14721
+       Cross-site scripting (XSS) vulnerability in the plugin editor
+       Changeset 41413
+     - CVE-2017-14725
+       Open redirect in the user edit screens
+       The term/tag edit screen does not have this issue.
+       Changeset 41424
+     - CVE-2017-14722
+       Path traversal vulnerability in the customizer
+       Changeset 41430
+     - CVE-2017-14720
+       Cross-site scripting (XSS) vulnerability in template names
+       Changeset 41413 (same as plugin editor)
+     - CVE-2017-14718
+       Cross-site scripting (XSS) vulnerability in the link modal
+  * Not vulnerable:
+     - CVE-2017-14724
+       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
+       oEmbed feature not present in this version
+  * Hash user activation key Closes: #877629
+    Fixes CVE-2017-14990
+
+
+ -- Craig Small <csmall@debian.org>  Mon, 09 Oct 2017 06:52:52 +1100
+
 wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
 
   * Backport patches from 4.7.5 Closes: #862816
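Review bot: the new entry `+wordpress (4.1+dfsg-1+deb8u15) UNRELEASED; urgency=medium` still has UNRELEASED as its distribution, so it cannot be uploaded as committed; it needs to read jessie-security before the build that goes to security-master. Two smaller points in the same hunk: `+     - CVE-2017-14718` is the only backported CVE without a Changeset reference, unlike every other item in the list, and there is a doubled blank line before the `-- Craig Small` trailer.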



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Thu, 19 Oct 2017 17:36:35 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Oct 2017 17:36:35 GMT) (full text, mbox, link).


Message #55 received at 877629-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 877629-close@bugs.debian.org
Subject: Bug#877629: fixed in wordpress 4.7.5+dfsg-2+deb9u1
Date: Thu, 19 Oct 2017 17:32:51 +0000
Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Oct 2017 07:11:32 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 876274 877629
Changes:
 wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
 .
   * Backport patches from 4.8.2 Closes: #876274
      - CVE-2017-14723
        $wpdb->prepare() can create unexpected and unsafe queries leading to
        potential SQL injection (SQLi)
        Changeset 41472, 41498
      - CVE-2017-14724
        Cross-site scripting (XSS) vulnerability in the oEmbed discovery
        Changeset 41451
      - CVE-2017-14726
        Cross-site scripting (XSS) vulnerability in the visual editor
        Changeset 41436
      - CVE-2017-14719
        Path traversal vulnerability in the file unzipping code
        Changeset 41459
      - CVE-2017-14721
        Cross-site scripting (XSS) vulnerability in the plugin editor
        Changeset 41413
      - CVE-2017-14725
        Open redirect in the user and term edit screens
        Changeset 41418
      - CVE-2017-14722
        Path traversal vulnerability in the customizer
        Changeset 41430
      - CVE-2017-14720
        Cross-site scripting (XSS) vulnerability in template names
        Changeset 41413 (same as plugin editor)
      - CVE-2017-14718
        Cross-site scripting (XSS) vulnerability in the link modal
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990
Checksums-Sha1:
 a9e488c4df0b36dd39b41d462f810102f26435df 2567 wordpress_4.7.5+dfsg-2+deb9u1.dsc
 edf2c207b6c6c173d8958c0d9191e1e0d532e042 6240440 wordpress_4.7.5+dfsg.orig.tar.xz
 e0417f8708cc10ca56041e972fb4ca083bdac5e4 6785340 wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
 014d493c433949581827abb22faad2d3f6297844 4382638 wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
 99a9c6e1853fc992fb8645dedc7fe1302353cbbf 700472 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
 db0d15595516b0867938d9fe49b7bd15bbd64ef0 940094 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
 35adf0a11c5958aac424850a4e4304f019fced52 589188 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
 1a1fe93a389e4ae808187c824014fc2f01d57eca 4000422 wordpress_4.7.5+dfsg-2+deb9u1_all.deb
 f86f46fb5375b65b7438360b44583563fab1ec26 7445 wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 37ba9d3c65c8f242019ab92e1c896c8bbb7f6ef376f4805eff8f233ab82d869b 2567 wordpress_4.7.5+dfsg-2+deb9u1.dsc
 a21bc1f4042bbd77eb1ddef2cdcd3fb60f121835cf5d219a6e12a2d06a839b7f 6240440 wordpress_4.7.5+dfsg.orig.tar.xz
 b610d6c3784f29ce1344c107d0b39029bef293c08adbad357263d2d6bf7f4f6d 6785340 wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
 441b2b00c7cb3f223a6881f0054f94f91f02c93ac0dc209bf8b1d5c653ec9be8 4382638 wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
 b06298da79ea789b0765b248359100fb0807a3a24249e7c126726ab21bb537a8 700472 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
 572dffe8d5adc67d54bc69dde3b1dfa4c917d7549d2c1594ef802bd124d8735f 940094 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
 ff42d848ff38035275ab9dbe524fe8f819cf0477ac63b88d8c95e9c0b5f8e501 589188 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
 2a0097fcf5d66f912e70f36ed27f0ad9d2888b3e08ac638f3d0a6ac66e420b53 4000422 wordpress_4.7.5+dfsg-2+deb9u1_all.deb
 5da5441b9c3aa36ecbe618a003d703eb2a610d55648f6710feff4fe52182cf0e 7445 wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo
Files:
 21a555aa4c57f04d5bc92477481b9063 2567 web optional wordpress_4.7.5+dfsg-2+deb9u1.dsc
 acb0c5ca4df36e2eef3274d6adc4f8b8 6240440 web optional wordpress_4.7.5+dfsg.orig.tar.xz
 2ac4750281b13334542a7db72cacd80d 6785340 web optional wordpress_4.7.5+dfsg-2+deb9u1.debian.tar.xz
 da8441d62a0fc891beaf9e36137b032d 4382638 localization optional wordpress-l10n_4.7.5+dfsg-2+deb9u1_all.deb
 3d21c554d514bcaa1cf9e30f2ce89294 700472 web optional wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u1_all.deb
 51cdc6b546ec088cb991cb9d0d8d49b7 940094 web optional wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u1_all.deb
 fea91b00203c8603998a988bbb55bcff 589188 web optional wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u1_all.deb
 f05853250ca3347238d7acd3d908d766 4000422 web optional wordpress_4.7.5+dfsg-2+deb9u1_all.deb
 e27b814900766441f5aebbccefedafb6 7445 web optional wordpress_4.7.5+dfsg-2+deb9u1_amd64.buildinfo





Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Thu, 19 Oct 2017 19:51:19 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Oct 2017 19:51:19 GMT) (full text, mbox, link).


Message #60 received at 877629-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 877629-close@bugs.debian.org
Subject: Bug#877629: fixed in wordpress 4.1+dfsg-1+deb8u15
Date: Thu, 19 Oct 2017 19:47:36 +0000
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u15

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Oct 2017 21:27:47 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u15
Distribution: jessie-security
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 877629
Changes:
 wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium
 .
   * Backport security patches from 4.8.2
      - CVE-2017-14723
        $wpdb->prepare() can create unexpected and unsafe queries leading to
        potential SQL injection (SQLi)
        Changeset 41472, 41498
      - CVE-2017-14726
        Cross-site scripting (XSS) vulnerability in the visual editor
        Changeset 41436
      - CVE-2017-14719
        Path traversal vulnerability in the file unzipping code
        Changeset 41459
      - CVE-2017-14721
        Cross-site scripting (XSS) vulnerability in the plugin editor
        Changeset 41413
      - CVE-2017-14725
        Open redirect in the user edit screens
        The term/tag edit screen does not have this issue.
        Changeset 41424
      - CVE-2017-14722
        Path traversal vulnerability in the customizer
        Changeset 41430
      - CVE-2017-14720
        Cross-site scripting (XSS) vulnerability in template names
        Changeset 41413 (same as plugin editor)
      - CVE-2017-14718
        Cross-site scripting (XSS) vulnerability in the link modal
   * Not vulnerable:
      - CVE-2017-14724
        Cross-site scripting (XSS) vulnerability in the oEmbed discovery
        oEmbed feature not present in this version
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990
Checksums-Sha1:
 db2320ddadc5c9a4f30cecd0e14948c7b26562a1 2551 wordpress_4.1+dfsg-1+deb8u15.dsc
 aa5bc8c96a94d92174ecd8d559647bc179d27c74 6168064 wordpress_4.1+dfsg-1+deb8u15.debian.tar.xz
 835bd96002b29ce47a861c04b449531a81256dce 3174878 wordpress_4.1+dfsg-1+deb8u15_all.deb
 bdd9505dfd9074f963dd2ffa08d741415e0f733b 4240582 wordpress-l10n_4.1+dfsg-1+deb8u15_all.deb
 80530f567769c5df70bac3bd26762f7d8ec3ab8f 504074 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u15_all.deb
 e81b460ffe9a7757a5622e8bfa84a94aef699924 804688 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u15_all.deb
 e98890b55cda92eb2493b2adfa471911b221d265 322296 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u15_all.deb
Checksums-Sha256:
 7aa386fcde3fd7a463fc077ad02aaa6baf31d7f09f014033b9a8fb2dbbf8393a 2551 wordpress_4.1+dfsg-1+deb8u15.dsc
 7edf0bd3dae8b915cd5856dd6bad484fb468460d67ee68e199dc53f57de4b19f 6168064 wordpress_4.1+dfsg-1+deb8u15.debian.tar.xz
 cb592e42e9315d8f8bda9e04b0c349c30dba6472956c1804753fa0ddb80054c8 3174878 wordpress_4.1+dfsg-1+deb8u15_all.deb
 f93ecdbcbfcd87c54f46852715fd0ac719047a0c21512f6a74875c0561ba3a54 4240582 wordpress-l10n_4.1+dfsg-1+deb8u15_all.deb
 f711f36f78a61866e087885934f2945dad7fa53d04986f87cfa53a67310e85cc 504074 wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u15_all.deb
 f6b268d99dcfdc01e6159dc7caa3763aed2016de78888bc3c0d5a198c9509153 804688 wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u15_all.deb
 36042cfe380ff53ee0ce3404dd8a3e9401c3550ddfb3b9031c46ec1d74a749c8 322296 wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u15_all.deb
Files:
 7ea61893f9e2d1bc3765f637b91a28e8 2551 web optional wordpress_4.1+dfsg-1+deb8u15.dsc
 f73c90aca3732b650c1fc2ddbda4e2d6 6168064 web optional wordpress_4.1+dfsg-1+deb8u15.debian.tar.xz
 03aee73fff713d59a75121d45c655233 3174878 web optional wordpress_4.1+dfsg-1+deb8u15_all.deb
 5c55e5a0af05bace40d7f7cf5ffe1086 4240582 localization optional wordpress-l10n_4.1+dfsg-1+deb8u15_all.deb
 5bb33915d7560845b125c7137dc17c77 504074 web optional wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u15_all.deb
 5a9e058b8c151e5b8f3ae1f8d5ed6b50 804688 web optional wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u15_all.deb
 79dc297d588df7a283cc1a411f04f1e3 322296 web optional wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u15_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Dec 2017 07:26:48 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:20:05 2019; Machine Name: buxtehude
