Debian Bug report logs - #698916
wordpress: CVE-2013-0235: pingback port scanning issue fixed in 3.5.1
Reported by: Henri Salo <henri@nerv.fi>
Date: Fri, 25 Jan 2013 09:30:02 UTC
Severity: critical
Tags: security
Merged with 698926, 698928
Found in versions wordpress/3.5+dfsg-1, wordpress/3.3.2+dfsg-1~squeeze1, wordpress/3.4.2+dfsg-1
Fixed in version wordpress/3.5.1+dfsg-1
Done: Raphaël Hertzog <hertzog@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#698916; Package wordpress. (Fri, 25 Jan 2013 09:30:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 25 Jan 2013 09:30:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: wordpress
Version: 3.5+dfsg-1
Severity: important
http://wordpress.org/news/2013/01/wordpress-3-5-1/
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
--
Henri Salo
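The report above describes pingbacks being abused for server-side request forgery and remote port scanning: the server fetches whatever URL a remote caller hands it. As an added illustration, not code from the bug report, from WordPress, or from the Debian package, the check below is the kind of target validation a pingback handler can apply before fetching a caller-supplied URL. It allows only http(s) on a standard port and refuses any host that resolves to a loopback, private, or otherwise non-public address. The `resolve` parameter and the `FAKE_DNS` table are assumptions introduced so the check runs offline; the hostnames and addresses in the table are constructed samples.

```python
"""Target check for a pingback handler (added illustration, not WordPress code).

A pingback handler fetches a URL supplied by a remote caller. Without a
check, the caller can make the server connect to hosts and ports it would
never expose, which is the server-side request forgery and port scanning
problem described in the report. This check refuses anything other than
http(s) on a standard port, and any host that resolves to a non-public
address. The `resolve` parameter is an assumption added so the function can
be exercised offline against a constructed hostname table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolve(host):
    """Resolve a hostname to all IP address strings it maps to (live DNS)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def address_is_public(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def check_pingback_target(url, resolve=default_resolve):
    """Return (ok, reason); ok is False when the URL must not be fetched."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolve(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every address must be public: a name with one public and one internal
    # record would otherwise let the caller reach the internal one.
    for addr in addresses:
        if not address_is_public(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


# Constructed hostname table (sample data, not real DNS) so the example
# runs offline; 93.184.216.34 is used only as a sample of a public address.
FAKE_DNS = {
    "blog.example.com": ["93.184.216.34"],
    "intranet.example.internal": ["10.0.0.5"],
    "split-horizon.example.com": ["93.184.216.34", "192.168.1.1"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host):
    """Resolver over the constructed table; IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for target in [
        "http://blog.example.com/2013/01/post/",
        "http://intranet.example.internal/",
        "http://127.0.0.1:22/",
        "http://localhost/",
        "https://blog.example.com:8443/",
    ]:
        print(target, check_pingback_target(target, resolve=fake_resolve))
```

Two caveats a practitioner would want with a check like this: it has to be re-applied to every redirect the fetch follows, and the fetch should connect to the address that passed the check rather than resolving the name a second time, otherwise a DNS answer that changes between check and connection bypasses it.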
Changed Bug title to 'wordpress: pingback port scanning issue fixed in 3.5.1' from 'wordpress: multiple vulnerabilities fixed in 3.5.1'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 25 Jan 2013 11:39:03 GMT)
Marked as found in versions wordpress/3.3.2+dfsg-1~squeeze1. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 25 Jan 2013 11:39:04 GMT)
Severity set to 'critical' from 'important'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 25 Jan 2013 11:39:04 GMT)
Added tag(s) security. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 25 Jan 2013 11:39:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#698916; Package wordpress. (Fri, 25 Jan 2013 12:15:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 25 Jan 2013 12:15:03 GMT)
Message #26 received at 698916@bugs.debian.org:
I have manually verified this issue with https://github.com/FireFart/WordpressPingbackPortScanner
--
Henri Salo
Added tag(s) pending. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Mon, 28 Jan 2013 16:39:05 GMT)
Message sent on to Henri Salo <henri@nerv.fi>: Bug#698916. (Mon, 28 Jan 2013 16:39:08 GMT)
Message #31 received at 698916-submitter@bugs.debian.org:
tag 698916 pending
thanks
Hello,
Bug #698916 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=b632282
---
commit b6322823227e51fc2dbdbe509ba1777db565cbd4
Author: Raphaël Hertzog <hertzog@debian.org>
Date: Mon Jan 28 17:35:57 2013 +0100
Changelog for new upstream release
diff --git a/debian/changelog b/debian/changelog
index 1326331..837e51b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+wordpress (3.5.1+dfsg-1) unstable; urgency=low
+
+ * New upstream maintenance and security release. Closes: #698916
+
+ -- Raphaël Hertzog <hertzog@debian.org> Mon, 28 Jan 2013 17:15:27 +0100
+
wordpress (3.5+dfsg-1) unstable; urgency=low
* New upstream release.
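Review bot: the new changelog entry does not name the CVE this upload fixes; since the bug carries CVE-2013-0235, the bullet should read along the lines of `* New upstream maintenance and security release (CVE-2013-0235). Closes: #698916` so the fix can be matched to the advisory from the changelog alone. The entry also uses `urgency=low` for an upload whose purpose is a security fix; `urgency=high` would let the package migrate to testing sooner.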
Reply sent to Raphaël Hertzog <hertzog@debian.org>: You have taken responsibility. (Mon, 28 Jan 2013 17:06:08 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 28 Jan 2013 17:06:08 GMT)
Message #36 received at 698916-close@bugs.debian.org:
Source: wordpress
Source-Version: 3.5.1+dfsg-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698916@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 28 Jan 2013 17:15:27 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.5.1+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
Closes: 698916
Changes:
wordpress (3.5.1+dfsg-1) unstable; urgency=low
.
* New upstream maintenance and security release. Closes: #698916
Checksums-Sha1:
5f0996176d0cc7af9b26efc7fdc8df02d138d6f6 2332 wordpress_3.5.1+dfsg-1.dsc
9459f34d9d67d2f519419f5c488dd124da5f56f3 4284028 wordpress_3.5.1+dfsg.orig.tar.xz
eaac3330740fddd8071171c2211623dc3ed78b3d 3652744 wordpress_3.5.1+dfsg-1.debian.tar.xz
e04b2b1bea241f12fc2ecb3c109927c079d20e48 4759492 wordpress_3.5.1+dfsg-1_all.deb
4a129892b16eee675fbcb2b2cf969be7f376e3d5 5539524 wordpress-l10n_3.5.1+dfsg-1_all.deb
Checksums-Sha256:
69f3b54fd08343cf6e3bb75bb7dc5f637c7c9ead2174a19300b928cd2ee8e86b 2332 wordpress_3.5.1+dfsg-1.dsc
6a898ff66e915847c65c65b3421834b77284f80c47b410fc268db910025dc404 4284028 wordpress_3.5.1+dfsg.orig.tar.xz
ba7c3112172470a1b47d5fc3f8c3793c7daf6d105030913fc05da1787df82d16 3652744 wordpress_3.5.1+dfsg-1.debian.tar.xz
e7dfd7ff24c9c92f5a70b6cb90ce8638592460f68088b70d0b9df07bd8372203 4759492 wordpress_3.5.1+dfsg-1_all.deb
5d8fac3d64dda64715d95f32f2fd4619cd7d9139b9d890eea7537eb68007e52e 5539524 wordpress-l10n_3.5.1+dfsg-1_all.deb
Files:
53a2f5f1d3811b889c30b2ee494b365f 2332 web optional wordpress_3.5.1+dfsg-1.dsc
c8e8f13bd9a8961541433818e36ea482 4284028 web optional wordpress_3.5.1+dfsg.orig.tar.xz
ce872b65eb5dec380775c06e7c600219 3652744 web optional wordpress_3.5.1+dfsg-1.debian.tar.xz
f23d91e480546011f69aa8255fd77f4e 4759492 web optional wordpress_3.5.1+dfsg-1_all.deb
e0ceab8b16b7d2f1aa7e8cd393fe3081 5539524 localization optional wordpress-l10n_3.5.1+dfsg-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog
iQIcBAEBCAAGBQJRBquzAAoJEOYZBF3yrHKakFsP/3lkciqdXA3n4tyBcHWnwhsg
HekplQfx/ofa/E8HlCdZJKHUyETQiNUP7kW4jwvefaVs8U4EW4Pp7Gy/AAxuxB2M
DKIjuEVcEBM2X+t+wRA6LYJdqmCd2ii2MwCGXx2WfP4ultEJnPdTa35cjbWDCvd4
H7/vphoQb/d/cH2Lv5EVeqW+VwX9modODHn8ots032FjCQ5Q6u06vwWlfBYHg+fh
DJu8/I3c/4S/b/L8CVUuSnvek1kyoDRGb+hVgT96u14J1knAID4FpLMQebYqgLJN
Wb2Wc9fn0tUMhMGn8oMJAuVSBDGMoExlXE/+xYNn5RmYBIrXUeL7VG4mo1fxxL1e
+xk7aGKfcwUK9xYcp76AVa4dp5GRmklm872HZjh9ZVCs+qzYEOjs0UHrxlYRg5by
X7QMlLjbydWsPOM27BdrRRaIILFv/Kn30Mx7Thyw2JHMQC8seMf0zflPXmTxwp0q
gkC5MONdzNdM7yMkCLlVa05DXj6qSj5+axO9dpWIFFez+PPULLBkDG+YmkkH9Fso
yT88/F5S4gg+RLiaTU+/i1KtiYlgj7fB8sKh+KFRYSIORD8pYslIX+o30veX8Fvt
DkeVVdoHYk3cZSHuu66a9eDO0SbZSSZY2PXzcXx0klUqPOogbFlR0vowddzrvhf3
iQ5SoBi1DvgvFzmEaWYQ
=15FK
-----END PGP SIGNATURE-----
Reply sent to Raphaël Hertzog <hertzog@debian.org>: You have taken responsibility. (Mon, 28 Jan 2013 17:06:09 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 28 Jan 2013 17:06:09 GMT)
Reply sent to Raphaël Hertzog <hertzog@debian.org>: You have taken responsibility. (Mon, 28 Jan 2013 17:06:10 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 28 Jan 2013 17:06:10 GMT)
Changed Bug title to 'wordpress: CVE-2013-0235: pingback port scanning issue fixed in 3.5.1' from 'wordpress: pingback port scanning issue fixed in 3.5.1'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 29 Jan 2013 09:21:05 GMT)
Marked as found in versions wordpress/3.4.2+dfsg-1. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Fri, 01 Mar 2013 09:21:05 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:38:16 GMT)
Last modified: Wed Jun 19 15:04:54 2019