Your message dated Sat, 09 May 2020 15:33:17 +0000
with message-id <e1jxrtz-0006az...@fasolo.debian.org>
and subject line Bug#959391: fixed in wordpress 5.0.4+dfsg1-1+deb10u2
has caused the Debian Bug report #959391,
regarding wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 5.4+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for wordpress.

Fortunately, this time, in addition to [6], there are GHSA advisories
associated with each of these CVEs (an advantage of hosting a project on
GitHub, I would say :)). Now they list some ranges of affected
versions, and I'm interested to track which are actually not affecting
buster and stretch. Could you check if those are actually accurate? For
example, CVE-2020-11030 lists via the GHSA as affected versions 5.2 to
5.4, and patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct, which
would mean buster and stretch are not affected?

CVE-2020-11025[0]:
| In affected versions of WordPress, a cross-site scripting (XSS)
| vulnerability in the navigation section of Customizer allows
| JavaScript code to be executed. Exploitation requires an authenticated
| user. This has been patched in version 5.4.1, along with all the
| previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5,
| 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27,
| 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11026[1]:
| In affected versions of WordPress, files with a specially crafted name
| when uploaded to the Media section can lead to script execution upon
| accessing the file. This requires an authenticated user with
| privileges to upload files. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11027[2]:
| In affected versions of WordPress, a password reset link emailed to a
| user does not expire upon changing the user password. Access would be
| needed to the email account of the user by a malicious party for
| successful execution. This has been patched in version 5.4.1, along
| with all the previously affected versions via a minor release (5.3.3,
| 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22,
| 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11028[3]:
| In affected versions of WordPress, some private posts, which were
| previously public, can result in unauthenticated disclosure under a
| specific set of conditions. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11029[4]:
| In affected versions of WordPress, a vulnerability in the stats()
| method of class-wp-object-cache.php can be exploited to execute cross-
| site scripting (XSS) attacks. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11030[5]:
| In affected versions of WordPress, a special payload can be crafted
| that can lead to scripts getting executed within the search block of
| the block editor. This requires an authenticated user with the ability
| to add content. This has been patched in version 5.4.1, along with all
| the previously affected versions via a minor release (5.3.3, 5.2.6,
| 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
| 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11025
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
[1] https://security-tracker.debian.org/tracker/CVE-2020-11026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
[2] https://security-tracker.debian.org/tracker/CVE-2020-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
[3] https://security-tracker.debian.org/tracker/CVE-2020-11028
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
[4] https://security-tracker.debian.org/tracker/CVE-2020-11029
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
[5] https://security-tracker.debian.org/tracker/CVE-2020-11030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
[6] https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Regards,
Salvatore

--- End Message ---
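The CVE-2020-11027 entry above describes a reset link that keeps working after the user has changed the password. The following is an added illustration of that bug class and of two independent fixes; it is example code written for this page, not WordPress's own reset implementation, and the in-memory user record, the hash function and the token format are assumptions made here.

```python
"""Model of the CVE-2020-11027 bug class: a password-reset link that stays
valid after the password has been changed.  Added example, not WordPress
code; the user record, the hash and the token format are assumptions."""
import hashlib
import hmac
import secrets
import time


def make_user(password: str) -> dict:
    # Constructed in-memory record.  sha256 stands in for a real slow
    # password hash (bcrypt/argon2); the example is about the reset key.
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "reset_key": None, "reset_expires": 0.0}


class VulnerableReset:
    """Stores a random key with a deadline and checks only those two things.
    change_password() never touches the key, so a link already sitting in
    the user's mailbox keeps working after the password has been changed."""

    def issue(self, user: dict, ttl: float = 3600.0) -> str:
        key = secrets.token_urlsafe(32)
        user["reset_key"] = key
        user["reset_expires"] = time.time() + ttl
        return key  # this is what gets embedded in the emailed link

    def valid(self, user: dict, key: str) -> bool:
        return (user["reset_key"] is not None
                and time.time() < user["reset_expires"]
                and hmac.compare_digest(user["reset_key"], key))

    def change_password(self, user: dict, new_password: str) -> None:
        user["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        # bug: reset_key and reset_expires are left exactly as they were


class HardenedReset(VulnerableReset):
    """Two independent fixes, either of which closes the hole:
    1. the stored value is an HMAC of the key under the current password
       hash, so verification fails as soon as the password changes;
    2. change_password() explicitly clears the pending key."""

    @staticmethod
    def _bind(user: dict, key: str) -> str:
        return hmac.new(user["pw_hash"].encode(), key.encode(),
                        "sha256").hexdigest()

    def issue(self, user: dict, ttl: float = 3600.0) -> str:
        key = secrets.token_urlsafe(32)
        user["reset_key"] = self._bind(user, key)   # fix 1
        user["reset_expires"] = time.time() + ttl
        return key

    def valid(self, user: dict, key: str) -> bool:
        return (user["reset_key"] is not None
                and time.time() < user["reset_expires"]
                and hmac.compare_digest(user["reset_key"],
                                        self._bind(user, key)))

    def change_password(self, user: dict, new_password: str) -> None:
        super().change_password(user, new_password)
        user["reset_key"] = None                    # fix 2
        user["reset_expires"] = 0.0


def leaked_link_outcome(flow: VulnerableReset) -> tuple:
    """Scenario from the CVE text: an old reset link leaks from the victim's
    mailbox and the victim then changes the password.  Returns (link valid
    before the change, link valid after the change)."""
    user = make_user("old-password")
    leaked_key = flow.issue(user)
    before = flow.valid(user, leaked_key)
    flow.change_password(user, "new-password")
    after = flow.valid(user, leaked_key)
    return before, after


if __name__ == "__main__":
    print("vulnerable:", leaked_link_outcome(VulnerableReset()))  # (True, True)
    print("hardened:  ", leaked_link_outcome(HardenedReset()))    # (True, False)
```

Binding the stored key to the password hash is the more robust of the two fixes, because it also covers password changes made through any code path that forgets to call the explicit invalidation.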
--- Begin Message ---
Source: wordpress
Source-Version: 5.0.4+dfsg1-1+deb10u2
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 14:29:22 +1000
Source: wordpress
Architecture: source
Version: 5.0.4+dfsg1-1+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 959391
Changes:
 wordpress (5.0.4+dfsg1-1+deb10u2) buster-security; urgency=medium
 .
   * Import of 5.4.1/5.0.9 security release Closes: #959391
    - CVE-2020-11025
      XSS vulnerability in the navigation section of Customizer allows
      JavaScript code to be executed.
    - CVE-2020-11026
      uploaded files to Media section to lead to script execution
    - CVE-2020-11027
      Password reset link does not expire
    - CVE-2020-11028
      Private posts can be found through searching by date
    - CVE-2020-11029
      XSS in stats() method in class-wp-object-cache
    - CVE-2020-11030
      Special payload can execute scripts in block editor
Checksums-Sha1:
 e4ef6d74ac410d3027b17572d4c19531ed05c6fc 2474 wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 bd25181ce9c431e2c766889647333819d3fb404a 6857584 wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 ac6d357ad439dace5ba0e9e17c6ac16f220f91da 7315 wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo
Checksums-Sha256:
 b5fc29bf23b095efb9f9928c657009600871b5052d6ff2fa345bc551c82b9a96 2474 wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 d64b5539595519f9b8b7e17de16424db4c0cc40f56b79fb3e4904189645064c6 6857584 wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 c155adff0b95bc48a681dff1fa8e7bba659f09992f65b69d23ae8715b4856f6f 7315 wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo
Files:
 2a42745663ec1537592ec22c6a065f2a 2474 web optional wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 92e5f79bfdf214ac44165419cb9ddbc5 6857584 web optional wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 d6cdd9946482be14dd47131f15e8d7a1 7315 web optional wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAl6wnLUACgkQAiFmwP88
hOPuDA/+N07Pff9iNRvpez+PfyCdFyJI2MBl+ZvVqbLlsDUOjmYHFQ8jXlHVH2a+
KhI0FI+dHvBmmrEUDFpfjevaAVY2dXZfd3J3OaL2CF+5v0KaNq5RMi6+mxph/Bf3
llv5TpYVBqIQIGsGZTt0H1r1BA6uQZnbStJGRjtWfpnKjunnmso2qlCuXt86bm/X
6gaMSAYNoo1yiFEl1cKu+LebfyxQ+ri4F+uqTyCnMPt5dX6BEA+vKfMeUonNfuDn
8FIyBAswSjTjQ11Ye2fZiroNWsIz75AfFVEdmAoTcd1UvNZ6ZmX1NuwWkGr7MSFK
gnJwS8PZO8ithOXRrKxtFY42wLyb/dwHcHbGdeHMnIXiYf8LD4TXkh78Usa1TdCh
whvq5toTCqEk3hW2H7XUWNOJ5t4Py1nb6QlcmGlfdNoxJ5hxPB+u2hS8mVNr+iGZ
GzQFBpz/CO8YsFHziKwUx8F8JWCRYuWnqgWgz4thjiQVxhGwIcQRkrJ+0kKTNh/c
d1LW+5svoq+/GjS75sMVkmJqc7svbBVOEg90bIAQC31haH02UbtmmO+Mraa0fhIP
+DH9LFWyeiFkN4KyLVNE5zN/7MNVyjbtNkgg3jZ7beUsvnq0+pOtI4pm9dF9Tp3k
GuA9Fx0h1DXpszFfFNPdBT2BbEiiu9bJ7NryE0tPPsSJTzGDIsc=
=oNwT
-----END PGP SIGNATURE-----

--- End Message ---
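The changelog entry for CVE-2020-11026 concerns file names that lead to script execution once the uploaded file is accessed. The following is an added example of the general hardening for that class of bug: canonicalise the uploaded name, keep only a safe character set, allow exactly one extension from an allowlist, and refuse dotfiles. It is not WordPress's upload code; the allowlist and the `unsafe_name` counterpart are constructed here for illustration.

```python
"""Upload file-name hardening for the bug class in CVE-2020-11026.  Added
example with a constructed allowlist; it is not WordPress's own code."""
import os
import re
import unicodedata

# Constructed allowlist; an application derives this from what it serves.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def unsafe_name(name: str) -> str:
    """Vulnerable counterpart: strips directory parts and nothing else, so
    markup, control characters and extra extensions survive into the stored
    name and into any page that later lists or links the file."""
    return os.path.basename(name)


def sanitize_name(name: str):
    """Return a safe stored name, or None if the upload must be refused."""
    # 1. drop any path component, whichever separator the client used
    base = os.path.basename(name.replace("\\", "/"))
    # 2. canonicalise Unicode first (fullwidth "ｐｈｐ" becomes "php", so the
    #    extension check below sees the real extension), then drop control
    #    characters such as CR, LF and NUL
    base = unicodedata.normalize("NFKC", base)
    base = "".join(ch for ch in base if ch.isprintable())
    # 3. collapse every run of characters outside the safe set to one "_"
    base = _UNSAFE.sub("_", base)
    # 4. no leading dots (.htaccess, .user.ini) and no dangling separators
    base = base.strip("._")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return None                     # no extension, or nothing but one
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None                     # .php, .html, .svg and the like
    # 5. exactly one extension: shell.php.jpg becomes shell_php.jpg, so a
    #    server that honours inner extensions cannot be made to execute it
    stem = re.sub(r"_+", "_", stem.replace(".", "_")).strip("_")
    if not stem:
        return None
    return f"{stem[:200]}.{ext}"        # bounded length, extension kept


if __name__ == "__main__":
    for sample in ("photo.jpg", "../../evil.php", "shell.php.jpg",
                   ".htaccess", "a\r\nb.jpg", "evil.ｐｈｐ",
                   "<img src=x onerror=alert(1)>.png"):
        print(repr(sample), "->", repr(unsafe_name(sample)),
              "|", repr(sanitize_name(sample)))
```

Refusing rather than renaming is the right call whenever the extension is not on the allowlist: a renamed `evil.php` still carries attacker-chosen content, and the only safe place for it is nowhere under the web root.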
