Your message dated Tue, 25 Jun 2013 15:50:33 +0000
with message-id <e1urvvp-00020l...@franck.debian.org>
and subject line Bug#713947: fixed in wordpress 3.5.2+dfsg-1
has caused the Debian Bug report #713947,
regarding wordpress: Multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
713947: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wordpress
Severity: grave
Tags: security
Justification: user security hole

WordPress 3.5.2 fixes multiple security issues. Quoting from
http://codex.wordpress.org/Version_3.5.2:

Additionally: Version 3.5.2 fixes seven security issues:

* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign 
authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

Additional security hardening includes:

* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating 
Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 3.5.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 713...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hert...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Jun 2013 15:52:07 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.5.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <iucul...@debian.org>
Changed-By: Raphaël Hertzog <hert...@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 713947
Changes: 
 wordpress (3.5.2+dfsg-1) unstable; urgency=low
 .
   * New upstream release with many security fixes. Closes: #713947
     * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
     * Privilege Escalation: Contributors can publish posts, and users can
       reassign authorship. CVE-2013-2200.
     * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
     * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
     * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
       CVE-2013-2204.
     * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
     * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
   * Additional security hardening includes:
     * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
       CVE-2013-2201.
     * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
       Plugins/Themes. CVE-2013-2201.
     * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
   * Update the Vcs-Git and Vcs-Browser URLs.
   * Update Standards-Version to 3.9.4.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog
-----END PGP SIGNATURE-----

--- End Message ---
