tag 852767 pending
thanks

Hello,

Bug #852767 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=956bd02

---
commit 956bd029374b7fa6e046c055e65a0fcae52a9a18
Author: Craig Small <csm...@debian.org>
Date:   Fri Jan 27 20:32:25 2017 +1100

    Stop CSRF with Flash upload
    
    CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload
    changesets 39838 and 39857

diff --git a/debian/changelog b/debian/changelog
index 27c9c07..fce21ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,22 +1,32 @@
-wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high
+wordpress (4.1+dfsg-1+deb8u12) UNRELEASED; urgency=high
 
   *  Backport patches from 4.7.1 Closes: #851310
-     - CVE-2016-10066, CVE-2016-10045 Potential Remote Command
-       Execution (RCE) in PHPMailer
-     - CVE-2017-5488 Authenticated Cross-Site scripting (XSS) in
-       update-core.php
-     - CVE-2017-5490 Stored Cross-Site Scripting (XSS) via Theme
-       Name fallback
-     - CVE-2017-5491 Post via Email Checks mail.example.com by
-       Default
-     - CVE-2017-5492 Accessibility Mode Cross-Site Request
-       Forgery (CSRF)
-     - CVE-2017-5493 Cryptographically Weak Pseudo-Random
-       Number Generator
+     - CVE-2016-10066
+       Potential Remote Command Execution (RCE) in PHPMailer
+     - CVE-2017-5488
+       Authenticated Cross-Site scripting (XSS) in update-core.php
+     - CVE-2017-5490
+       Stored Cross-Site Scripting (XSS) via Theme Name fallback
+     - CVE-2017-5491
+       Post via Email Checks mail.example.com by Default
+     - CVE-2017-5492
+       Accessibility Mode Cross-Site Request Forgery (CSRF)
+     - CVE-2017-5493
+       Cryptographically Weak Pseudo-Random Number Generator
+     - CVE-2017-5489
+       Cross-Site Request Forgery (CSRF) via Flash Upload
+       Changesets 39838 and 39857, thanks Seb <s...@debian.org>
   * Not vulnerable
-     * CVE-2017-5487 User Information Disclosure via REST API - API doesn't 
exist
-  * Documented not vulnerable but unsure (no changeset or proof of concept)
-     * CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload
+     - CVE-2017-5487
+       User Information Disclosure via REST API - API doesn't exist
+  * Backport patches from 4.7.2 Closes: #852767
+     - CVE-2017-XXXX
+       The user interface for assigning taxonomy terms in Press This is
+       shown to users who do not have permissions to use it.
+     - CVE-2017-XXXX
+       WP_Query is vulnerable to a SQL injection (SQLi)
+     - CVE-2017-XXXX
+       XSS in the posts list table
 
  -- Craig Small <csm...@debian.org>  Sun, 15 Jan 2017 22:57:30 +1100
 
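Review bot: the three new entries under "Backport patches from 4.7.2" are listed as "CVE-2017-XXXX", which is a placeholder rather than an identifier; before this is uploaded they should carry the CVE numbers assigned to the Press This taxonomy, WP_Query SQLi and posts list table XSS issues, or state explicitly "no CVE assigned yet" so the placeholder is not shipped in the changelog. Also, the first line of the hunk switches the existing 4.1+dfsg-1+deb8u12 entry from jessie-security back to UNRELEASED without bumping the version, and the trailer line "-- Craig Small <csm...@debian.org>  Sun, 15 Jan 2017 22:57:30 +1100" stays unchanged; if deb8u12 has already been uploaded, the 4.7.2 backports and the CVE-2017-5489 fix belong in a new deb8u13 entry with a fresh date.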
