wordpress: WordPress 5.9.2 security and maintenance release

Related Vulnerabilities: CVE-2022-23395   CVE-2019-11358   CVE-2020-11022   CVE-2020-11023  

Debian Bug report logs - #1007145


Reported by: Craig Small <csmall@debian.org>

Date: Sat, 12 Mar 2022 02:09:02 UTC

Severity: grave

Tags: security

Found in version wordpress/5.8.3+dfsg1-1

Fixed in version wordpress/5.9.2+dfsg1-1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#1007145; Package wordpress. (Sat, 12 Mar 2022 02:09:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Sat, 12 Mar 2022 02:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: WordPress 5.9.2 security and maintenance release
Date: Sat, 12 Mar 2022 13:04:01 +1100
Package: wordpress
Version: 5.8.3+dfsg1-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

WordPress has released version 5.9.2 that has one bug fix and three
security fixes[1]. They state the security fixes are required back
to 3.7 so all releases are vulnerable.

It is difficult to see what has actually changed between 5.9.1 and
5.9.2[2]. WordPress gives no details except:
 Prototype Pollution Vulnerability in a jQuery dependency
 Stored Cross Site Scripting Vulnerability

Besides version string changes, the two actual changes I can see
are:
 * Adding another conditional to the theme installer
 * Updating jquery from 2.1.7 to 2.2.3

The theme installer change[3] references upstream bug 54578[4]
which is also linked in [1] as the bug fix (separate to the
3 security fixes).

My conclusion is the three security issues must live in
jquery and upgrading from 2.1.7 to 2.2.3 fixes this.

Prototype pollution mentioned in the wordpress announcement
sounds a lot like CVE-2022-23395[5] or CVE-2019-11358[6].
Looking at the patches, it looks like the latter.

I'm not sure about the other two, they could be
CVE-2020-11022 and CVE-2020-11023 but cannot confirm this.

 - Craig

1: https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
2: https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=52874%40branches%2F5.9&old=52786%40branches%2F5.9&sfp_email=&sfph_mail=
3: https://core.trac.wordpress.org/changeset/52803/branches/5.9
4: https://core.trac.wordpress.org/ticket/54578
5: https://nvd.nist.gov/vuln/detail/CVE-2022-23395
6: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/6 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
pn  apache2 | httpd                              <none>
ii  ca-certificates                              20211016
pn  default-mysql-client | virtual-mysql-client  <none>
pn  libapache2-mod-php | php                     <none>
pn  libjs-cropper                                <none>
ii  libjs-underscore                             1.13.2~dfsg-2
pn  php-gd                                       <none>
pn  php-getid3                                   <none>
pn  php-mysql | php-mysqlnd                      <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                   <none>
pn  wordpress-theme-twentytwentyone  <none>

Versions of packages wordpress suggests:
pn  default-mysql-server | virtual-mysql-server  <none>
pn  php-ssh4                                     <none>
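As an added illustration of the bug class the report attributes to the bundled jQuery (this is not code from WordPress, jQuery or the Debian package): a naive recursive "deep extend" that walks into a `__proto__` key and so writes onto `Object.prototype`, the hardened form that refuses prototype-chain keys, and a runtime check a defender can run to detect pollution. The merge functions, the `demonstrate` helper and the sample JSON payload are all constructed for this example.

```javascript
// Constructed example: prototype pollution through a naive deep merge
// (the class of defect fixed in jQuery 3.4.0 / CVE-2019-11358), beside a
// hardened merge and a detection check. Not jQuery's or WordPress's code.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: recurses into every key, including "__proto__".
// target["__proto__"] is Object.prototype, so nested keys land there.
function naiveDeepExtend(target, src) {
  for (const key in src) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain and only
// recurse into the target's own properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepExtend(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Detection: Object.prototype normally has no enumerable own properties.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed untrusted input (e.g. a JSON body parsed with JSON.parse).
const PAYLOAD = '{"title": "Hello", "__proto__": {"polluted": "yes"}}';

// Runs one merge implementation against PAYLOAD and reports whether
// Object.prototype was touched; cleans up so later code is unaffected.
function demonstrate(extendFn) {
  const result = extendFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;      // visible on every object if polluted
  const clean = prototypeIsClean();
  delete Object.prototype.polluted;
  return { leaked, clean, title: result.title };
}
```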



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 12 Mar 2022 10:03:17 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Sat, 12 Mar 2022 10:03:17 GMT)


Message #10 received at 1007145-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1007145-close@bugs.debian.org
Subject: Bug#1007145: fixed in wordpress 5.9.2+dfsg1-1
Date: Sat, 12 Mar 2022 10:00:18 +0000
Source: wordpress
Source-Version: 5.9.2+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1007145@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 12 Mar 2022 14:31:34 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentytwenty wordpress-theme-twentytwentyone wordpress-theme-twentytwentytwo
Architecture: source all
Version: 5.9.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentytwenty - weblog manager - twentytwenty theme files
 wordpress-theme-twentytwentyone - weblog manager - twentytwentyone theme files
 wordpress-theme-twentytwentytwo - weblog manager - twentytwentytwo theme files
Closes: 1007005 1007145
Changes:
 wordpress (5.9.2+dfsg1-1) unstable; urgency=medium
 .
   * New security release Closes: #1007005, #1007145
   * Themes: 2019 removed, 2022 added






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Mar 15 13:10:10 2022; Machine Name: buxtehude
