Your message dated Sat, 02 May 2020 04:48:44 +0000
with message-id <e1juk4y-000ahe...@fasolo.debian.org>
and subject line Bug#959391: fixed in wordpress 5.4.1+dfsg1-1
has caused the Debian Bug report #959391,
regarding wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
959391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 5.4+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for wordpress.

Fortunately this time, in addition to [6], there are GHSA advisories
associated with each of these CVEs (an advantage of hosting a project on
github, I would say :)). They list some ranges of affected versions, and
I'm interested in tracking which ones actually do not affect buster and
stretch. Could you check whether those ranges are accurate? For example,
CVE-2020-11030 lists via the GHSA as affected versions 5.2 to 5.4, and
patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct, which would mean
buster and stretch are not affected?

CVE-2020-11025[0]:
| In affected versions of WordPress, a cross-site scripting (XSS)
| vulnerability in the navigation section of Customizer allows
| JavaScript code to be executed. Exploitation requires an authenticated
| user. This has been patched in version 5.4.1, along with all the
| previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5,
| 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27,
| 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11026[1]:
| In affected versions of WordPress, files with a specially crafted name
| when uploaded to the Media section can lead to script execution upon
| accessing the file. This requires an authenticated user with
| privileges to upload files. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11027[2]:
| In affected versions of WordPress, a password reset link emailed to a
| user does not expire upon changing the user password. Access would be
| needed to the email account of the user by a malicious party for
| successful execution. This has been patched in version 5.4.1, along
| with all the previously affected versions via a minor release (5.3.3,
| 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22,
| 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11028[3]:
| In affected versions of WordPress, some private posts, which were
| previously public, can result in unauthenticated disclosure under a
| specific set of conditions. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11029[4]:
| In affected versions of WordPress, a vulnerability in the stats()
| method of class-wp-object-cache.php can be exploited to execute cross-
| site scripting (XSS) attacks. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVE-2020-11030[5]:
| In affected versions of WordPress, a special payload can be crafted
| that can lead to scripts getting executed within the search block of
| the block editor. This requires an authenticated user with the ability
| to add content. This has been patched in version 5.4.1, along with all
| the previously affected versions via a minor release (5.3.3, 5.2.6,
| 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
| 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11025
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
[1] https://security-tracker.debian.org/tracker/CVE-2020-11026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
[2] https://security-tracker.debian.org/tracker/CVE-2020-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
[3] https://security-tracker.debian.org/tracker/CVE-2020-11028
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
[4] https://security-tracker.debian.org/tracker/CVE-2020-11029
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
[5] https://security-tracker.debian.org/tracker/CVE-2020-11030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
[6] https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Regards,
Salvatore
--- End Message ---
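The question in the report above is exactly the check a package maintainer or sysadmin has to make: the advisories give one fixed version per maintained X.Y branch (and, for CVE-2020-11030, the GHSA narrows the affected range to 5.2 through 5.4), so "is my install affected?" means comparing against the fix for the same branch, not against 5.4.1. The following is an added example, not code from the bug report, the Debian package or WordPress; the patched-version lists and the 5.2 floor for CVE-2020-11030 are taken from the advisory text above, the sample installed versions other than the report's own 5.4+dfsg1-1 are constructed, and the assumption that branches newer than 5.4 carry the fix is marked in a comment.

```python
"""Decide whether an installed WordPress version is covered by the fixes
listed in Debian bug #959391 (CVE-2020-11025 .. CVE-2020-11030).

Added example for the bug report above; not part of the report, the
Debian package or WordPress itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as listed in the advisory text, one per X.Y branch.
PATCHED_ALL_BRANCHES: List[str] = [
    "5.4.1", "5.3.3", "5.2.6", "5.1.5", "5.0.9", "4.9.14", "4.8.13",
    "4.7.17", "4.6.18", "4.5.21", "4.4.22", "4.3.23", "4.2.27", "4.1.30",
    "4.0.30", "3.9.31", "3.8.33", "3.7.33",
]


@dataclass
class Advisory:
    cve: str
    patched: List[str]                 # fixed version per X.Y branch
    introduced: Optional[str] = None   # floor of the affected range, if the advisory gives one


ADVISORIES: List[Advisory] = [
    Advisory("CVE-2020-11025", PATCHED_ALL_BRANCHES),
    Advisory("CVE-2020-11026", PATCHED_ALL_BRANCHES),
    Advisory("CVE-2020-11027", PATCHED_ALL_BRANCHES),
    Advisory("CVE-2020-11028", PATCHED_ALL_BRANCHES),
    Advisory("CVE-2020-11029", PATCHED_ALL_BRANCHES),
    # GHSA range quoted in the report: affected 5.2 to 5.4, patched in 5.4.1, 5.3.3, 5.2.6.
    Advisory("CVE-2020-11030", ["5.4.1", "5.3.3", "5.2.6"], introduced="5.2"),
]


def parse_version(text: str) -> Version:
    """'5.4+dfsg1-1' -> (5, 4, 0). Debian suffixes (+dfsg, -revision) are
    dropped; a missing patch component counts as 0, as upstream does."""
    core = text.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def status(installed: str, adv: Advisory) -> str:
    """Return 'fixed', 'vulnerable', 'not-affected' or 'unknown' for one CVE."""
    v = parse_version(installed)
    branch = v[:2]

    # Below the advisory's stated affected range: the bug was not there yet.
    if adv.introduced is not None and v < parse_version(adv.introduced):
        return "not-affected"

    # Map each X.Y branch to the release that fixed it.
    fixes: Dict[Tuple[int, int], Version] = {}
    for p in adv.patched:
        pv = parse_version(p)
        fixes[pv[:2]] = pv

    if branch in fixes:
        return "fixed" if v >= fixes[branch] else "vulnerable"

    # Assumption: a branch newer than any listed (e.g. 5.5) was released
    # after the fix and therefore contains it.
    if branch > max(fixes)[:2]:
        return "fixed"

    # Older than the oldest patched branch: the advisory says nothing.
    return "unknown"


def check_all(installed: str) -> Dict[str, str]:
    """Status of every advisory on the page for one installed version."""
    return {adv.cve: status(installed, adv) for adv in ADVISORIES}


if __name__ == "__main__":
    # First value is the report's own Version: field; the rest are constructed.
    for sample in ("5.4+dfsg1-1", "5.4.1+dfsg1-1", "5.0.4", "5.0.9", "3.6.1"):
        print(sample)
        for cve, st in check_all(sample).items():
            print(f"  {cve}: {st}")
```

Note that a branch-aware comparison is what makes the answer right for a distribution that ships an older branch: a 5.0.x install is vulnerable to the first five CVEs until 5.0.9, but is outside the GHSA range for CVE-2020-11030 altogether.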
--- Begin Message ---
Source: wordpress
Source-Version: 5.4.1+dfsg1-1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 14:21:58 +1000
Source: wordpress
Architecture: source
Version: 5.4.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 959391
Changes:
 wordpress (5.4.1+dfsg1-1) unstable; urgency=medium
 .
   * Security release, fixes 6 security bugs Closes: #959391
     - CVE-2020-11025 XSS vulnerability in the navigation section of
       Customizer allows JavaScript code to be executed.
     - CVE-2020-11026 uploaded files to Media section to lead to script
       execution
     - CVE-2020-11027 Password reset link does not expire
     - CVE-2020-11028 Private posts can be found through searching by date
     - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
     - CVE-2020-11030 Special payload can execute scripts in block editor
   * Add multi-arch tags
   * Update to standards 4.5.0
Checksums-Sha1:
 4d40aaed64b9ca4f990f922a26dce2da621d078a 2440 wordpress_5.4.1+dfsg1-1.dsc
 74aaa655fde9723b1791c7172f3e0c56c2c96cf9 8532896 wordpress_5.4.1+dfsg1.orig.tar.xz
 4a20daab81332581de1258ee99222be36e3e6356 6823368 wordpress_5.4.1+dfsg1-1.debian.tar.xz
 3a8edc0afccc61752b33527c7fc24c62bd62e158 7305 wordpress_5.4.1+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 8863466e188147853c3bc1744e85eb295fe5106fa01704a0c995d4307d1a7a2f 2440 wordpress_5.4.1+dfsg1-1.dsc
 1586ab9e4594154d58af2604bafc3cc92e176fadec67616eb8b15edf457debb2 8532896 wordpress_5.4.1+dfsg1.orig.tar.xz
 4489939e92ffa56f5110886c56bf2b049e60755113f626a0c1c7274ec4ae3955 6823368 wordpress_5.4.1+dfsg1-1.debian.tar.xz
 d10d99b9ce00dc7129ec284278939bcbb639beb69531149128f446d6bf7ff095 7305 wordpress_5.4.1+dfsg1-1_amd64.buildinfo
Files:
 15a1f72efe08de3f0a4f2011f2e372c0 2440 web optional wordpress_5.4.1+dfsg1-1.dsc
 4e7044bfdf7536371667a749e22a48c4 8532896 web optional wordpress_5.4.1+dfsg1.orig.tar.xz
 47bdc2a8c648b064260f4efdcc006e14 6823368 web optional wordpress_5.4.1+dfsg1-1.debian.tar.xz
 c6fcde25b70a65419c95f65f66cc6112 7305 web optional wordpress_5.4.1+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAl6s9ncACgkQAiFmwP88
hOMYoQ//SlOj9mQmIx9RyRjSM2gCk5C7YjFPhXWZJlyxqwP/MjajwWT3TB4BX6nl
z2XV/X42SKF1MtJKugz+7H8s2R5sADUESZ3lNbWkKK/gGJnaF+SXSmcM/WrwH5CU
9igHm+PMUjwczAEIpOl4bT8KIh/7jW24JvAWGx2RdqB4xELXw+4B1xjEu2Wj0JkR
ZKg2/n26ZKV+Ew9wmpQYIHA9McD80hmuQG+653L1vIWWyKhf5kMuH6B+4Su8htZ7
ZERPzwtyxS9UFMJVgLJWWzGH02BiAawBFp3NcLGK6wKY8wHWni1Txotqyuv7AD8i
36XmM5Z5rmWnObvMEUZkQHavKEZpXrTZmK6L8aiPIsvmiIegSW/DEX0fN1MWvuTg
MWb50uGDVHek4vwjuoRqMiaq1tSb6+dyWznmf5Qmbkec5U8l6h4z2YXeWgU8vza+
DawB3tp3y4r6SDwtHQCtmcOdMpWrZWVdH6lho/4+izHEhP1vW2TsrFpmXhXjBofA
AVx3fVkIPmqzJornT88DmHcInfAFC3n9mB8btA5x5ZSNFFziJRewOa05XBnQVkqR
gDp6eMN0OCe0nvX5IK9epR8J2Zfn/Bra5Xf42l3s+QSngAkYbwI1nGcOLOX/hmYq
gu+HxTYJ2y+1fx9STSBKhJqQ0QU/4uFBnSbMJgKDZBqdZSA/ruc=
=dWEf
-----END PGP SIGNATURE-----
--- End Message ---