Your message dated Sun, 14 Jun 2020 22:19:42 +0000
with message-id <e1jkayc-000hbl...@fasolo.debian.org>
and subject line Bug#962685: fixed in wordpress 5.4.2+dfsg1-1
has caused the Debian Bug report #962685,
regarding wordpress 5.4.2 security release
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 5.4.1+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

WordPress 5.4.2 is out and fixes the following vulnerabilities:

Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated 
users with low privileges are able to add JavaScript to posts in the block 
editor.
https://core.trac.wordpress.org/changeset/47948
All releases

Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated 
users with upload permissions are able to add JavaScript to media files.
https://core.trac.wordpress.org/changeset/47947 (I think)
All releases

Props to Ben Bidner of the WordPress Security Team for finding an open redirect 
issue in wp_validate_redirect().
https://core.trac.wordpress.org/changeset/47949
All releases

Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme 
uploads.
https://core.trac.wordpress.org/changeset/47950
All releases

Props to Simon Scannell of RIPS Technologies for finding an issue where 
set-screen-option can be misused by plugins leading to privilege escalation.
https://core.trac.wordpress.org/changeset/47951
All releases

Props to Carolina Nymark for discovering an issue where comments from 
password-protected posts and pages could be displayed under certain conditions.
https://core.trac.wordpress.org/changeset/47984
All releases

There is also a fix for unmoderated comments visible to indexers which
will be backported. WordPress say it's not a security issue, but seems
like you are getting the site to do something that it shouldn't.
https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/
https://core.trac.wordpress.org/ticket/49956
https://core.trac.wordpress.org/changeset/47887
https://core.trac.wordpress.org/changeset/47889
Present: 5.4 only (5.1 onwards, see the ticket)


- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 5.4.2+dfsg1-1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2020 07:53:44 +1000
Source: wordpress
Architecture: source
Version: 5.4.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 962685
Changes:
 wordpress (5.4.2+dfsg1-1) unstable; urgency=medium
 .
   * Security release, fixes 6 security bugs Closes: #962685
     - CVE-2020-4046
       Authenticated XSS through embed block
     - CVE-2020-4047
       Authenticated XSS via media attachment page
     - CVE-2020-4048
       Open redirect in wp_validate_redirect()
     - CVE-2020-4049
       Authenticated self-XSS via theme uploads
     - CVE-2020-4050
       'set-screen-option' filter misuse by plugins leading to privilege
       escalation
   * Prevent unmoderated comments from search engine indexation

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
