Your message dated Sun, 23 Aug 2009 14:03:08 +0000
with message-id <e1mfdf2-00081s...@ries.debian.org>
and subject line Bug#504243: fixed in wordpress 2.0.10-1etch4
has caused the Debian Bug report #504243,
regarding CVE-2008-1502: _bad_protocol_once function in KSES allows remote
attackers to conduct XSS attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
504243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504243
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wordpress
Severity: grave
Version: 2.0.10-1etch3
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
KSES, which affects the embedded copy shipped in wordpress[0].
CVE-2008-1502[1]:
> The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES,
> as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other
> products, allows remote attackers to bypass HTML filtering and conduct
> cross-site scripting (XSS) attacks via a string containing crafted URL
> protocols.
It should be possible to either backport the patch from wordpress in lenny/sid
or from moodle in sid.
If you fix the vulnerability please also make sure to include the CVE id in
the changelog entry.
[0] usr/share/wordpress/wp-includes/kses.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1502
http://security-tracker.debian.net/tracker/CVE-2008-1502
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
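The CVE text above describes the failure mode in one sentence: a filter that checks (or strips) a URL protocol once can be bypassed by a string that still contains a forbidden protocol after the filter has looked at it. The following Python sketch, added here as an illustration and not code from KSES, WordPress or the Debian patch, shows the defensive shape such a check should have: normalise the URL the way a browser will read it (decode HTML entities to a fixpoint, drop ASCII control characters and whitespace), extract the scheme, and reject anything not on an allowlist instead of trying to strip bad prefixes. The allowlist contents and the helper names are assumptions.

```python
import html
import re
from typing import Optional

# Assumption: a typical allowlist for an HTML sanitiser; adjust per application.
ALLOWED_PROTOCOLS = frozenset({"http", "https", "ftp", "mailto"})

# ASCII control characters, space and DEL: browsers ignore these inside a scheme,
# so the check must ignore them too or "java\tscript:" slips through.
_CONTROL_AND_WS = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".".
# Anchored at the start, so "/path?q=a:b" has no scheme at all.
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Return the URL as the browser will interpret it before the scheme check.

    Entities are decoded repeatedly until nothing changes, so double-encoded
    input ("&amp;#106;") is handled, and control/whitespace bytes are removed.
    """
    prev: Optional[str] = None
    cur = url
    while cur != prev:  # decode to a fixpoint rather than once
        prev = cur
        cur = html.unescape(cur)
    return _CONTROL_AND_WS.sub("", cur)


def url_protocol(url: str) -> Optional[str]:
    """Lowercase scheme of an already-normalised URL, or None if it is relative."""
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else None


def is_safe_url(url: str) -> bool:
    """True if the URL is relative or its scheme is on the allowlist."""
    scheme = url_protocol(normalize_url(url))
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def sanitize_href(url: str) -> str:
    """Value to place in an href attribute: the normalised URL, re-escaped for
    HTML attribute context, or the empty string when the scheme is not allowed.

    Re-escaping matters: normalisation decoded entities, so writing the result
    back into markup without escaping would reintroduce an injection point.
    """
    normalized = normalize_url(url)
    if not is_safe_url(normalized):
        return ""
    return html.escape(normalized, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary links, the rest are
    # the kinds of "crafted URL protocols" a single-pass check mishandles.
    samples = [
        "https://example.org/?a=1&b=2",
        "/relative/path?q=a:b",
        "JaVaScRiPt:void(0)",
        "java\tscript:void(0)",
        "&#106;avascript:void(0)",
        "javascript&#x3A;void(0)",
        "&amp;#106;avascript:void(0)",
    ]
    for s in samples:
        print(f"{s!r:40} -> safe={is_safe_url(s)!s:5} href={sanitize_href(s)!r}")
```

The key design choice is "reject, don't strip": once a scheme is not on the allowlist the whole value is dropped, so there is no partially-cleaned string left for a second look to reinterpret. The fixpoint decoding and control-character removal are there because the scheme must be judged on what the browser will see, not on the bytes the filter received.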
--- Begin Message ---
Source: wordpress
Source-Version: 2.0.10-1etch4
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.0.10-1etch4.diff.gz
to pool/main/w/wordpress/wordpress_2.0.10-1etch4.diff.gz
wordpress_2.0.10-1etch4.dsc
to pool/main/w/wordpress/wordpress_2.0.10-1etch4.dsc
wordpress_2.0.10-1etch4_all.deb
to pool/main/w/wordpress/wordpress_2.0.10-1etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 504...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuse...@iuculano.it> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Aug 2009 11:58:32 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.10-1etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iac...@gmail.com>
Changed-By: Giuseppe Iuculano <giuse...@iuculano.it>
Description:
wordpress - an award winning weblog manager
Closes: 491846 500115 504234 504243 504771 531736 531736 536724
Changes:
wordpress (2.0.10-1etch4) oldstable-security; urgency=high
  .
  * [2ef79dd] Removed 010CVE2008-0664.patch, it caused a regression and
    wordpress 2.0.10 isn't affected by CVE-2008-0664. (Closes: #491846)
  * [abbabe9] Fixed CVE-2008-1502 _bad_protocol_once function in KSES
    allows remote attackers to conduct XSS attacks (Closes: #504243)
  * [e8a73eb] Fixed CVE-2008-4106: Whitespaces in user name are now
    checked during login. (Closes: #500115)
  * [8a2e4f9] Fixed CVE-2008-4769: Sanitize "cat" query var and cast to
    int before looking for a category template
  * [711274f] Fixed CVE-2008-4796: missing input sanitising in embedded
    copy of Snoopy.class.php (Closes: #504234)
  * [17c72c0] Fixed CVE-2008-6762: Force redirect after an upgrade
    (Closes: #531736)
  * [88d8244] Fixed CVE-2008-6767: Only admin can upgrade wordpress.
    (Closes: #531736)
  * [d5c02a9] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
    (Closes: #536724)
  * [80e9dbd] Fixed CVE-2008-5113: Force REQUEST to be GET + POST. If
    SERVER, COOKIE, or ENV are needed, use those superglobals directly.
    (Closes: #504771)
  * [7f577ca] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
  * [f23d55f] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
    that should only be included
Files:
d9389cbc71eee6f08b15762a97c9d537 607 web optional wordpress_2.0.10-1etch4.dsc
45349b0822fc376b8cfef51b5cec3510 50984 web optional wordpress_2.0.10-1etch4.diff.gz
71a6aea482d0e7afb9c82701bef336e9 521060 web optional wordpress_2.0.10-1etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqN5KUACgkQ62zWxYk/rQf2XgCdFV8GR2K1YxsS+LI4qrIQVc+z
FXQAoKs1Tt+JiOHxEEM61EeSOwUpUPhw
=kQoV
-----END PGP SIGNATURE-----
--- End Message ---