Your message dated Tue, 07 Mar 2017 11:41:01 +0000
with message-id <e1cldud-00084b...@fasolo.debian.org>
and subject line Bug#857026: fixed in wordpress 4.7.3+dfsg-1
has caused the Debian Bug report #857026,
regarding wordpress: 4.7.3 security release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
857026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 4.7.2
Severity: grave
Tags: upstream security
Justification: user security hole
There are six security issues with wordpress 4.7.2 that wordpress 4.7.3
fixes.
* Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè
  Dale, Yorick Koster, and Simon P. Briggs.
  Affected versions: 3.6.0 - 4.7.2
  Patch: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
* Control characters can trick redirect URL validation. Reported by Daniel
  Chatfield.
  Affected versions: 2.8.1 - 4.7.2
  Patch: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
* Unintended files can be deleted by administrators using the plugin deletion
  functionality. Reported by xuliang.
  Affected versions: 4.7.0 - 4.7.2
  Patch: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
* Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc
  Montpas.
  Affected versions: 4.0 - 4.7.2
  Patch: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
* Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  Affected versions: 4.7 - 4.7.2
  Patch: no patch supplied
* Cross-site request forgery (CSRF) in Press This leading to excessive use of
  server resources. Reported by Sipke Mellema.
  Affected versions: 4.2 - 4.7.2
  Patch: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.7.3+dfsg-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 07 Mar 2017 21:59:02 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen
wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 857026
Changes:
wordpress (4.7.3+dfsg-1) unstable; urgency=high
.
* New upstream release fixes 6 security issues Closes: #857026
* Will update CVE IDs when available
- CVE-2016-XXX
Cross-site scripting (XSS) via media file metadata.
- CVE-2016-XXX
Control characters can trick redirect URL validation.
- CVE-2016-XXX
Unintended files can be deleted by administrators using the plugin
deletion functionality.
- CVE-2016-XXX
Cross-site scripting (XSS) via video URL in YouTube embeds.
- CVE-2016-XXX
Cross-site scripting (XSS) via taxonomy term names.
- CVE-2016-XXX
Cross-site request forgery (CSRF) in Press This leading to excessive
use of server resources.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---