Your message dated Mon, 29 Sep 2008 17:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500115: fixed in wordpress 2.5.1-8
has caused the Debian Bug report #500115,
regarding CVE-2008-4106: WordPress allows remote attackers to change an
arbitrary user's password to a random value
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500115: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500115
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: wordpress
Version: 2.0.10-1
Severity: grave
Tags: security
Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.

CVE-2008-4106[0]:
| WordPress before 2.6.2 does not properly handle MySQL warnings about
| insertion of username strings that exceed the maximum column width
| of the user_login column, and does not properly handle space
| characters when comparing usernames, which allows remote attackers
| to change an arbitrary user's password to a random value by
| registering a similar username and then requesting a password reset,
| related to a "SQL column truncation vulnerability." NOTE: the
| attacker can discover the random password by also exploiting
| CVE-2008-4107.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4106
    http://security-tracker.debian.net/tracker/CVE-2008-4106
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 2.5.1-8
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-8.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-8.diff.gz
wordpress_2.5.1-8.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-8.dsc
wordpress_2.5.1-8_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-8_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea De Iacovo <[EMAIL PROTECTED]> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 25 Sep 2008 17:02:47 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-8
Distribution: unstable
Urgency: high
Maintainer: Andrea De Iacovo <[EMAIL PROTECTED]>
Changed-By: Andrea De Iacovo <[EMAIL PROTECTED]>
Description:
wordpress - weblog manager
Closes: 500115
Changes:
wordpress (2.5.1-8) unstable; urgency=high
.
* Added 009CVE2008-4106 patch. (Closes: #500115)
Whitespaces in user name are now checked during login.
It's not possible to register an "admin(n-whitespaces)" user anymore
to gain unauthorized access to the admin panel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
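
The column-truncation condition from the CVE text and the whitespace check named in the changelog can be modelled as below. This is an added example, not the 009CVE2008-4106 patch or WordPress code; the 60-character width, the function names and the sample names are assumptions made for the illustration.

```python
# Added example: model of column truncation and a hardened uniqueness check.
COLUMN_WIDTH = 60  # assumed width of user_login; the page does not state it


def db_store(value):
    """Model a non-strict MySQL INSERT: an over-long string is cut to the
    column width and only a warning is raised."""
    return value[:COLUMN_WIDTH]


def db_equal(a, b):
    """Model a string comparison that ignores trailing spaces."""
    return a.rstrip(" ") == b.rstrip(" ")


def naive_name_is_free(name, stored):
    """Pre-fix style check: compares only the raw submitted string."""
    return name not in stored


def hardened_name_is_free(name, stored):
    """Reject any name the database would alter on storage, then compare
    the same way the database will."""
    if len(name) > COLUMN_WIDTH:
        return False  # would be truncated on INSERT
    if name != " ".join(name.split()):
        return False  # leading, trailing or repeated whitespace
    return not any(db_equal(name, row) for row in stored)


def rows_matching(name, stored):
    """Rows a lookup by user name would return under db_equal()."""
    return [row for row in stored if db_equal(row, name)]


def demo():
    users = ["admin"]
    # Constructed test input: an existing name padded past the column width.
    candidate = "admin" + " " * (COLUMN_WIDTH - len("admin")) + "x"
    naive = naive_name_is_free(candidate, users)
    hardened = hardened_name_is_free(candidate, users)
    if naive:  # the naive check lets the INSERT go ahead
        users.append(db_store(candidate))
    return naive, hardened, len(rows_matching("admin", users))


if __name__ == "__main__":
    print(demo())
```

With the naive check, two stored rows end up answering to the same name, which is the ambiguity the password-reset path then acts on; the hardened check refuses the name before it reaches the database.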