Your message dated Sun, 28 Jun 2020 15:17:18 +0000
with message-id <e1jpz3w-0008n2...@fasolo.debian.org>
and subject line Bug#962685: fixed in wordpress 5.0.10+dfsg1-0+deb10u1
has caused the Debian Bug report #962685,
regarding wordpress 5.4.2 security release
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wordpress
Version: 5.4.1+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

WordPress 5.4.2 is out and fixes the following vulnerabilities:

Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated 
users with low privileges are able to add JavaScript to posts in the block 
editor.
https://core.trac.wordpress.org/changeset/47948
All releases

Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated 
users with upload permissions are able to add JavaScript to media files.
https://core.trac.wordpress.org/changeset/47947 (I think)
All releases

Props to Ben Bidner of the WordPress Security Team for finding an open redirect 
issue in wp_validate_redirect().
https://core.trac.wordpress.org/changeset/47949
All releases

Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme 
uploads.
https://core.trac.wordpress.org/changeset/47950
All releases

Props to Simon Scannell of RIPS Technologies for finding an issue where 
set-screen-option can be misused by plugins leading to privilege escalation.
https://core.trac.wordpress.org/changeset/47951
All releases

Props to Carolina Nymark for discovering an issue where comments from 
password-protected posts and pages could be displayed under certain conditions.
https://core.trac.wordpress.org/changeset/47984
All releases

There is also a fix for unmoderated comments visible to indexers which
will be backported. WordPress say it's not a security issue, but seems
like you are getting the site to do something that it shouldn't.
https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/
https://core.trac.wordpress.org/ticket/49956
https://core.trac.wordpress.org/changeset/47887
https://core.trac.wordpress.org/changeset/47889
Present: 5.4 only (5.1 onwards, see the ticket)


- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 5.0.10+dfsg1-0+deb10u1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Jun 2020 15:46:30 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentynineteen wordpress-theme-twentyseventeen wordpress-theme-twentysixteen
Architecture: source all
Version: 5.0.10+dfsg1-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 962685
Changes:
 wordpress (5.0.10+dfsg1-0+deb10u1) buster-security; urgency=medium
 .
   * Security release, fixes 6 security bugs Closes: #962685
     - CVE-2020-4046
       Authenticated XSS through embed block
     - CVE-2020-4047
       Authenticated XSS via media attachment page
     - CVE-2020-4048
       Open redirect in wp_validate_redirect()
     - CVE-2020-4049
       Authenticated self-XSS via theme uploads
     - CVE-2020-4050
       'set-screen-option' filter misuse by plugins leading to privilege
       escalation
   * Prevent unmoderated comments from search engine indexation

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
