wordpress: CVE-2021-39200

Related Vulnerabilities: CVE-2021-39200, CVE-2021-39201

Debian Bug report logs - #994060


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 10 Sep 2021 19:27:04 UTC

Severity: important

Tags: security, upstream

Found in version wordpress/5.7.1+dfsg1-2

Fixed in version wordpress/5.8.1+dfsg1-1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>: Bug#994060; Package src:wordpress. (Fri, 10 Sep 2021 19:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Craig Small <csmall@debian.org>. (Fri, 10 Sep 2021 19:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2021-39200
Date: Fri, 10 Sep 2021 21:23:02 +0200
Source: wordpress
Version: 5.7.1+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for wordpress.

CVE-2021-39200[0]:
| WordPress is a free and open-source content management system written
| in PHP and paired with a MySQL or MariaDB database. In affected
| versions output data of the function wp_die() can be leaked under
| certain conditions, which can include data like nonces. It can then be
| used to perform actions on your behalf. This has been patched in
| WordPress 5.8.1, along with any older affected versions via minor
| releases. It's strongly recommended that you keep auto-updates enabled
| to receive the fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
[1] https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#994060. (Sat, 11 Sep 2021 00:36:08 GMT)


Message #8 received at 994060-submitter@bugs.debian.org:

From: Craig Small <noreply@salsa.debian.org>
To: 994060-submitter@bugs.debian.org
Subject: Bug#994060 marked as pending in wordpress
Date: Sat, 11 Sep 2021 00:33:21 +0000
Control: tag -1 pending

Hello,

Bug #994060 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/64d5308a644d0f97c5006c3cc78840b270718094

------------------------------------------------------------------------
5.8.1 Security release

* Security release
  - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
  - CVE-2021-39201 - XSS in editor Closes: #994059
* Add direct FS_METHOD in mysql setup Closes: #988991

References:
 https://bugs.debian.org/994059
 https://bugs.debian.org/994060
 https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/994060



Added tag(s) pending. Request was from Craig Small <noreply@salsa.debian.org> to 994060-submitter@bugs.debian.org. (Sat, 11 Sep 2021 00:36:08 GMT)


Reply sent to Craig Small <csmall@debian.org>: You have taken responsibility. (Sat, 11 Sep 2021 00:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 11 Sep 2021 00:51:09 GMT)


Message #15 received at 994060-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 994060-close@bugs.debian.org
Subject: Bug#994060: fixed in wordpress 5.8.1+dfsg1-1
Date: Sat, 11 Sep 2021 00:49:59 +0000
Source: wordpress
Source-Version: 5.8.1+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 11 Sep 2021 10:29:52 +1000
Source: wordpress
Architecture: source
Version: 5.8.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 988991 992302 994059 994060
Changes:
 wordpress (5.8.1+dfsg1-1) unstable; urgency=medium
 .
   * Security release
     - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
     - CVE-2021-39201 - XSS in editor Closes: #994059
   * New upstream release Closes: #992302
   * Add direct FS_METHOD in mysql setup Closes: #988991
   * Add AppArmor profile







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Sep 11 16:21:03 2021; Machine Name: bembo
