Change log for wordpress package in Debian

Published in sid-release
wordpress (6.5.3+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 19 May 2024 20:26:03 +1000
Superseded in sid-release
wordpress (6.5.2+dfsg1-1) unstable; urgency=medium

  * New upstream security release
    - Fixes stored XSS in Avatar blocks Closes: #1069091

 -- Craig Small <email address hidden>  Tue, 16 Apr 2024 19:24:58 +1000
Superseded in sid-release
wordpress (6.5+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 04 Apr 2024 21:04:22 +1100
Superseded in sid-release
wordpress (6.4.3+dfsg1-1) unstable; urgency=medium

  * New upstream release:
    - PHP File Upload bypass via Plugin Installer (requiring admin privileges)
    - An RCE POP Chains vulnerability

 -- Craig Small <email address hidden>  Thu, 08 Feb 2024 19:54:35 +1100
Superseded in sid-release
wordpress (6.4.2+dfsg1-1) unstable; urgency=medium

  * New upstream release
    - Fixes a RCE that could be potentially exploited with some plugins,
      especially multisite installations.

 -- Craig Small <email address hidden>  Tue, 02 Jan 2024 08:30:41 +1100
Superseded in sid-release
wordpress (6.4.1+dfsg1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * source only upload to enable migration (Closes: #1058810)

 -- Paul Gevers <email address hidden>  Sat, 16 Dec 2023 20:53:01 +0100
Superseded in sid-release
wordpress (6.4.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Update to standards 4.6.2, no change
  * Themes: twentytwentyone removed, new twentytwentyfour
  * Update apparmor profile for jetpack-waf directory, more comments

 -- Craig Small <email address hidden>  Tue, 14 Nov 2023 18:04:24 +1100
Superseded in sid-release
wordpress (6.3.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 29 Oct 2023 21:50:25 +1100
Superseded in sid-release
wordpress (6.3.1+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Tue, 12 Sep 2023 19:36:08 +1000
Superseded in sid-release
wordpress (6.3+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 10 Aug 2023 20:53:28 +1000
Superseded in sid-release
wordpress (6.2.2+dfsg1-1) unstable; urgency=medium

  * New upstream security release Closes: #1036689
    - Block themes parsing shortcodes in user-generated data

 -- Craig Small <email address hidden>  Thu, 25 May 2023 20:41:51 +1000
Superseded in sid-release
wordpress (6.2.1+dfsg1-1) unstable; urgency=high

  * New upstream security release Closes: #1036296
    - CVE-2023-2745 - Directory traversal in wp_lang

 -- Craig Small <email address hidden>  Fri, 19 May 2023 07:40:55 +1000
Superseded in sid-release
wordpress (6.2+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed ancient (10+ years) news entries

 -- Craig Small <email address hidden>  Tue, 11 Apr 2023 22:40:41 +1000
Published in bullseye-release
wordpress (5.7.8+dfsg1-0+deb11u2) bullseye-security; urgency=high

  * Rebuild with bullseye dependencies Closes: #1024249

 -- Craig Small <email address hidden>  Thu, 17 Nov 2022 08:11:54 +1100
Published in bookworm-release
Superseded in sid-release
wordpress (6.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream maintenance release

 -- Craig Small <email address hidden>  Fri, 09 Dec 2022 21:49:35 +1100
Superseded in sid-release
wordpress (6.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed TwentyTwenty theme
  * Added TwentyTwentyThree theme and made it recommended

 -- Craig Small <email address hidden>  Sat, 12 Nov 2022 18:01:07 +1100
Superseded in sid-release
wordpress (6.0.3+dfsg1-1) unstable; urgency=high

  * New security release Closes: #1022575
    - Stored XSS via wp-mail.php (post by email)
    - Open redirect in `wp_nonce_ays`
    - Sender’s email address is exposed in wp-mail.php
    - Media Library – Reflected XSS via SQLi
    - CSRF in wp-trackback.php
    - Stored XSS via the Customizer
    - Revert shared user instances introduced in 50790
    - Stored XSS in WordPress Core via Comment Editing
    - Data exposure via the REST Terms/Tags Endpoint
    - Content from multipart emails leaked
    - SQL Injection due to improper sanitization in `WP_Date_Query`
    - RSS Widget: Stored XSS issue
    - Stored XSS in the search block
    - Feature Image Block: XSS issue
    - RSS Block: Stored XSS issue
    - Fix widget block XSS

 -- Craig Small <email address hidden>  Mon, 24 Oct 2022 21:10:11 +1100
Superseded in sid-release
wordpress (6.0.2+dfsg1-1) unstable; urgency=medium

  * New security release Closes: #1018863
    - Possible link SQL injection within the Link API
    - XSS in Plugins screen
    - Output escaping issue within the_meta()

 -- Craig Small <email address hidden>  Thu, 01 Sep 2022 18:41:07 +1000
Superseded in sid-release
wordpress (6.0+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Added more suggestions for php modules
  * Update standards version to 4.6.1, no changes needed.
  * Allow WordPress config file to be defined Closes: #834842

 -- Craig Small <email address hidden>  Thu, 02 Jun 2022 16:37:59 +1000
Superseded in sid-release
wordpress (5.9.2+dfsg1-2) unstable; urgency=high

  * Fix emoji patch Closes: #1008976

 -- Craig Small <email address hidden>  Wed, 06 Apr 2022 17:20:47 +1000
Published in buster-release
wordpress (5.0.15+dfsg1-0+deb10u1) buster-security; urgency=high

  * Upstream security release Closes: #1003243
     - CVE-2022-21662 - Stored XSS through authenticated users
     - CVE-2022-21663 - Authenticated Object Injection in Multisites
     - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
     - CVE-2022-21664 - SQL injection due to improper sanitization
       in WP_Meta_Query

 -- Craig Small <email address hidden>  Sat, 08 Jan 2022 08:06:09 +1100
Superseded in bullseye-release
wordpress (5.7.5+dfsg1-0+deb11u1) bullseye-security; urgency=high

  * Upstream security release Closes: #1003243
     - CVE-2022-21662 - Stored XSS through authenticated users
     - CVE-2022-21663 - Authenticated Object Injection in Multisites
     - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
     - CVE-2022-21664 - SQL injection due to improper sanitization
       in WP_Meta_Query
  * WordPress 5.7.4 just had a removal of an old CA certificate
    which isn't used in Debian installations

 -- Craig Small <email address hidden>  Fri, 07 Jan 2022 17:51:21 +1100
Superseded in sid-release
wordpress (5.9.2+dfsg1-1) unstable; urgency=medium

  * New security release Closes: #1007005, #1007145
  * Themes: 2019 removed, 2022 added

 -- Craig Small <email address hidden>  Sat, 12 Mar 2022 14:31:34 +1100
Superseded in sid-release
wordpress (5.8.3+dfsg1-1) unstable; urgency=high

  * Upstream security release Closes: #1003243
    - CVE-2022-21662 - Stored XSS through authenticated users
    - CVE-2022-21663 - Authenticated Object Injection in Multisites
    - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
    - CVE-2022-21664 - SQL injection due to improper sanitization
      in WP_Meta_Query

 -- Craig Small <email address hidden>  Fri, 07 Jan 2022 15:57:14 +1100
Superseded in sid-release
wordpress (5.8.2+dfsg1-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Remove 1 obsolete maintscript entry.
  * Fix day-of-week for changelog entry 2.6.2-1.
  * Update standards version to 4.6.0, no changes needed.

  [ Craig Small ]
  * New upstream release Closes: #1001462
  * Don't install ca-certificates.crt but link it Closes: #999568
  * Fix updater to complain less
  * Stop auto-updates Closes: #1001623
  * Added local/apache-wordpress for AppArmor local configs

 -- Craig Small <email address hidden>  Mon, 20 Dec 2021 21:48:50 +1100
Superseded in bullseye-release
wordpress (5.7.3+dfsg1-0+deb11u1) bullseye-security; urgency=medium

  * Security release, fixes 2 bugs:
    - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
    - CVE-2021-39201 - XSS in editor Closes: #994059

 -- Craig Small <email address hidden>  Sat, 11 Sep 2021 10:55:23 +1000
Superseded in sid-release
wordpress (5.8.1+dfsg1-2) unstable; urgency=high

  * Install AppArmor file in correct location

 -- Craig Small <email address hidden>  Mon, 20 Sep 2021 18:51:00 +1000
Superseded in sid-release
wordpress (5.8.1+dfsg1-1) unstable; urgency=medium

  * Security release
    - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
    - CVE-2021-39201 - XSS in editor Closes: #994059
  * New upstream release Closes: #992302
  * Add direct FS_METHOD in mysql setup Closes: #988991
  * Add AppArmor profile

 -- Craig Small <email address hidden>  Sat, 11 Sep 2021 10:29:52 +1000
Superseded in buster-release
wordpress (5.0.12+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 2 bugs Closes: #987065
    - CVE-2021-29450 - Authenticated disclosure of password-protected
      posts and pages.
    - CVE-2021-29447 - Authenticated XXE attack when installation is
      running PHP 8

 -- Craig Small <email address hidden>  Sat, 17 Apr 2021 21:02:47 +1000
Superseded in bullseye-release
Superseded in sid-release
wordpress (5.7.1+dfsg1-2) unstable; urgency=medium

  * Fix symlink for 2021 theme Closes: #986085

 -- Craig Small <email address hidden>  Tue, 20 Apr 2021 22:28:40 +1000
Superseded in sid-release
wordpress (5.7.1+dfsg1-1) unstable; urgency=high

  * Security release, fixes 2 bugs Closes: #987065
    - CVE-2021-29450 - Authenticated disclosure of password-protected
      posts and pages.
    - CVE-2021-29447 - Authenticated XXE attack when installation is
      running PHP 8

 -- Craig Small <email address hidden>  Sat, 17 Apr 2021 08:46:05 +1000
Superseded in sid-release
wordpress (5.7+dfsg1-1) unstable; urgency=medium

  * New upstream release Closes: #984985

 -- Craig Small <email address hidden>  Mon, 15 Mar 2021 08:11:27 +1100
Superseded in sid-release
wordpress (5.6.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Added core language directory

 -- Craig Small <email address hidden>  Fri, 05 Feb 2021 18:53:39 +1100
Superseded in sid-release
wordpress (5.6+dfsg1-2) unstable; urgency=medium

  * Removed php5 alternative dependencies as these are only in
    oldoldstable
  * source-only upload for Bullseye Closes: #977517

 -- Craig Small <email address hidden>  Mon, 21 Dec 2020 14:39:34 +1100
Superseded in sid-release
wordpress (5.6+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed theme twentyseventeen
  * Added theme twentytwentyone
  * Update to standards version 4.5.1

 -- Craig Small <email address hidden>  Thu, 17 Dec 2020 22:22:49 +1100
Superseded in buster-release
wordpress (5.0.11+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
     - CVE-2020-28039: Protected meta that could lead to arbitrary
                       file deletion.
     - CVE-2020-28035: XML-RPC privilege escalation.
     - CVE-2020-28036: XML-RPC privilege escalation.
     - CVE-2020-28032: Hardening deserialization requests.
     - CVE-2020-28037: DoS attack could lead to RCE.
     - CVE-2020-28038: Stored XSS in post slugs.
     - CVE-2020-28033: Disable spam embeds from disabled sites
                       on a multisite network.
     - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
     - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Remove duplicated changeset 45974 Closes: #971914

 -- Craig Small <email address hidden>  Tue, 03 Nov 2020 18:02:39 +1100
Superseded in sid-release
wordpress (5.5.3+dfsg1-1) unstable; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
     - CVE-2020-28039: Protected meta that could lead to arbitrary
                       file deletion.
     - CVE-2020-28035: XML-RPC privilege escalation.
     - CVE-2020-28036: XML-RPC privilege escalation.
     - CVE-2020-28032: Hardening deserialization requests.
     - CVE-2020-28037: DoS attack could lead to RCE.
     - CVE-2020-28038: Stored XSS in post slugs.
     - CVE-2020-28033: Disable spam embeds from disabled sites
                       on a multisite network.
     - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
     - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Removed TinyMCE build dependency as it's very old
  * d/dirs: Add two more language directories

 -- Craig Small <email address hidden>  Tue, 03 Nov 2020 17:23:49 +1100
Superseded in sid-release
wordpress (5.5.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Remove patch CVE-2017-8295 as it is in upstream

 -- Craig Small <email address hidden>  Wed, 02 Sep 2020 16:25:35 +1000
Superseded in buster-release
wordpress (5.0.10+dfsg1-0+deb10u1) buster-security; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046
      Authenticated XSS through embed block
    - CVE-2020-4047
      Authenticated XSS via media attachment page
    - CVE-2020-4048
      Open redirect in wp_validate_redirect()
    - CVE-2020-4049
      Authenticated self-XSS via theme uploads
    - CVE-2020-4050
      'set-screen-option' filter misuse by plugins leading to privilege
      escalation
  * Prevent unmoderated comments from search engine indexation

 -- Craig Small <email address hidden>  Fri, 19 Jun 2020 15:46:30 +1000
Published in stretch-release
wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high

  * Importing Wordpress 4.7.17/5.4.1 updates Closes: #959391
   - CVE-2020-11025
     XSS vulnerability in the navigation section of Customizer allows
     JavaScript code to be executed.
   - CVE-2020-11026
     Uploaded files to the Media section could lead to script execution
   - CVE-2020-11027
     Password reset link does not expire
   - CVE-2020-11028
     Private posts can be found through searching by date
   - CVE-2020-11029
     XSS in stats() method in class-wp-object-cache
   Not vulnerable:
   - CVE-2020-11030 (feature introduced 5.0)
     Special payload can execute scripts in block editor
  * Importing Wordpress 4.7.16/5.3.1 updates Closes: #946905
    - CVE-2019-20043
      an unprivileged user could make a post sticky via the REST API.
    - CVE-2019-20041
      hardening wp_kses_bad_protocol() to ensure that it is aware
      of the named colon attribute.
    Not vulnerable:
    - CVE-2019-20042 (function introduced 5.1.0)
      cross-site scripting (XSS) could be stored in well-crafted links
    - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0)
      stored XSS vulnerability using block editor content.
  * Importing Wordpress 4.7.15/5.2.4 updates Closes: #942459
     - CVE-2019-17674
       Stored XSS in the Customizer
     - CVE-2019-17671
       Viewing unauthenticated posts
     - CVE-2019-17672
       Stored XSS to inject javascript into style tags
     - CVE-2019-17673
       Poisoning JSON GET requests
     - CVE-2019-17669
        SSRF in URL validation
     - CVE-2019-17675
       Referer validation in admin screens
  * Importing Wordpress 4.7.14/5.2.3 updates Closes: #939543
     - CVE-2019-16223
       XSS in post previews
     - CVE-2019-16218
       XSS in stored comments
     - CVE-2019-16220
       Open redirect due to validation and sanitization
     - CVE-2019-16217
       XSS in media uploads
     - CVE-2019-16219
       XSS in shortcode previews
     - CVE-2019-16221
       XSS in dashboard
     - CVE-2019-16222
       XSS in URL sanitization
  * Security patches from 5.1.1/4.7.13
  * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546

 -- Craig Small <email address hidden>  Sat, 02 May 2020 15:23:57 +1000
Superseded in sid-release
wordpress (5.4.2+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046
      Authenticated XSS through embed block
    - CVE-2020-4047
      Authenticated XSS via media attachment page
    - CVE-2020-4048
      Open redirect in wp_validate_redirect()
    - CVE-2020-4049
      Authenticated self-XSS via theme uploads
    - CVE-2020-4050
      'set-screen-option' filter misuse by plugins leading to privilege
      escalation
  * Prevent unmoderated comments from search engine indexation

 -- Craig Small <email address hidden>  Mon, 15 Jun 2020 07:53:44 +1000
Superseded in sid-release
wordpress (5.4.1+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #959391
    - CVE-2020-11025
      XSS vulnerability in the navigation section of Customizer allows
      JavaScript code to be executed.
    - CVE-2020-11026
      Uploaded files to the Media section could lead to script execution
    - CVE-2020-11027
      Password reset link does not expire
    - CVE-2020-11028
      Private posts can be found through searching by date
    - CVE-2020-11029
      XSS in stats() method in class-wp-object-cache
    - CVE-2020-11030
      Special payload can execute scripts in block editor
  * Add multi-arch tags
  * Update to standards 4.5.0

 -- Craig Small <email address hidden>  Sat, 02 May 2020 14:21:58 +1000
Superseded in sid-release
wordpress (5.4+dfsg1-1) unstable; urgency=medium

  * New upstream source
  * Remove debian.cnf call for create database Closes: #884877
  * Add note for iputils-ping required for setup-mysql. Closes: #944465
  * Themes: twentysixteen removed, twentytwenty added
  * Themes: remove conflict with ancient wordpress

 -- Craig Small <email address hidden>  Sun, 05 Apr 2020 12:00:08 +1000
Superseded in buster-release
wordpress (5.0.4+dfsg1-1+deb10u1) buster-security; urgency=medium

  * Backport of the 5.3.1 security release Closes: #946905
    - CVE-2019-20043
      an unprivileged user could make a post sticky via the REST API.
    - CVE-2019-20042
      cross-site scripting (XSS) could be stored in well-crafted links
    - CVE-2019-20041
      hardening wp_kses_bad_protocol() to ensure that it is aware
      of the named colon attribute.
    - CVE-2019-16780 and CVE-2019-16781
      stored XSS vulnerability using block editor content.
  * Backport of the 5.2.4 security release Closes: #942459
     - CVE-2019-17674
       Stored XSS in the Customizer
     - CVE-2019-17671
       Viewing unauthenticated posts
     - CVE-2019-17672
       Stored XSS to inject javascript into style tags
     - CVE-2019-17673
       Poisoning JSON GET requests
     - CVE-2019-17669
        SSRF in URL validation
     - CVE-2019-17675
       Referer validation in admin screens
  * Backport of 5.2.3 security release, Closes: #939543
     - CVE-2019-16223
       XSS in post previews
     - CVE-2019-16218
       XSS in stored comments
     - CVE-2019-16220
       Open redirect due to validation and sanitization
     - CVE-2019-16217
       XSS in media uploads
     - CVE-2019-16219
       XSS in shortcode previews
     - CVE-2019-16221
       XSS in dashboard
     - CVE-2019-16222
       XSS in URL sanitization

 -- Craig Small <email address hidden>  Fri, 27 Dec 2019 15:26:33 +1100
Superseded in sid-release
wordpress (5.3.2+dfsg1-1) unstable; urgency=high

  * Fixes some important but non-security bugs.
  * Thanks to Nils Radtke <email address hidden> for
    their assistance.
  * Version 5.3.1 is a security release, fixes several
    issues Closes: #946905
    - an unprivileged user could make a post sticky via the REST API.
    - cross-site scripting (XSS) could be stored in well-crafted links
    - hardening wp_kses_bad_protocol() to ensure that it is aware
      of the named colon attribute.
    - stored XSS vulnerability using block editor content.
  * Fix error in CVE-2017-14990 patch where sub-sites cannot
    authenticate users. Thanks Connor for your help!

 -- Craig Small <email address hidden>  Fri, 27 Dec 2019 15:18:07 +1100
Superseded in sid-release
wordpress (5.2.4+dfsg1-1) unstable; urgency=high

  * Security release, fixes several issues Closes: #942459
    - Stored XSS in the Customizer
    - Viewing unauthenticated posts
    - Stored XSS to inject javascript into style tags
    - Poisoning JSON GET requests
    - SSRF in URL validation
    - Referer validation in admin screens

 -- Craig Small <email address hidden>  Thu, 17 Oct 2019 21:32:54 +1100
Superseded in sid-release
wordpress (5.2.3+dfsg1-1) unstable; urgency=medium

  * Security release, fixes several issues Closes: #939543
    - XSS in post previews
    - XSS in stored comments
    - Open redirect due to validation and sanitization
    - XSS in media uploads
    - XSS in shortcode previews
    - XSS in dashboard
    - XSS in URL sanitization
  * Use replace for dh-linktrees for underscore-js

 -- Craig Small <email address hidden>  Fri, 06 Sep 2019 18:39:10 +1000
Superseded in sid-release
wordpress (5.2.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Tue, 25 Jun 2019 21:03:42 +1000
Superseded in sid-release
wordpress (5.2.1+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 26 May 2019 16:42:33 +1000
Superseded in buster-release
wordpress (5.0.4+dfsg1-1) buster; urgency=medium

  * Backport of 5.1.1 patches
  * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787

 -- Craig Small <email address hidden>  Sun, 24 Mar 2019 09:20:02 +1100
Superseded in stretch-release
wordpress (4.7.5+dfsg-2+deb9u5) stretch-security; urgency=medium

  * Backport security patches from wordpress 5.0.1 Closes: #916403
     - CVE-2018-20147
       Delete files through altered meta data
     - CVE-2018-20152
       Create posts of unauthorized post types
     - CVE-2018-20148
       PHP object injection through crafted meta data
     - CVE-2018-20153
       Edit other users comments, leading to XSS
     - CVE-2018-20150
       XSS in plugins through crafted URL inputs
     - CVE-2018-20151
       User activation screen visible to search engines
     - CVE-2018-20149
       Bypass MIME verification causing XSS
     - CVE-2019-8942
       Remote Code Execution (RCE) in uploaded image files

 -- Craig Small <email address hidden>  Thu, 28 Feb 2019 20:25:00 +1100
Superseded in sid-release
wordpress (5.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Fixes XSS security hole in comments Closes: #924546
  * Added new/better config example

 -- Craig Small <email address hidden>  Thu, 14 Mar 2019 22:10:00 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (5.0.3+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Update to Debian standards 4.3.0

 -- Craig Small <email address hidden>  Tue, 05 Feb 2019 22:23:39 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (5.0.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 28 Dec 2018 16:00:13 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (5.0.1+dfsg1-1) unstable; urgency=high

  * New upstream source. fixes 7 Security issues Closes: #916403
    - CVE-2018-20147
      Delete files through altered meta data
    - CVE-2018-20152
      Create posts of unauthorized post types
    - CVE-2018-20148
      PHP object injection through crafted meta data
    - CVE-2018-20153
      Edit other users comments, leading to XSS
    - CVE-2018-20150
      XSS in plugins through crafted URL inputs
    - CVE-2018-20151
      User activation screen visible to search engines
    - CVE-2018-20149
      Bypass MIME verification causing XSS
  * Themes: Remove twentyfifteen, add twentynineteen and make default
  * Remove remote emojis

 -- Craig Small <email address hidden>  Sun, 16 Dec 2018 10:45:32 +1100
Superseded in stretch-release
wordpress (4.7.5+dfsg-2+deb9u4) stretch-security; urgency=high

  * Backport security patch from 4.9.7 Closes: #902876
    - CVE-2018-12895 Fix directory traversal in thumb parameter

 -- Craig Small <email address hidden>  Sun, 08 Jul 2018 22:06:46 +1000
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.8+dfsg1-1) unstable; urgency=medium

  * New upstream source
    Verify plugin uploads CVE-2018-14028 Closes: #906565

 -- Craig Small <email address hidden>  Tue, 21 Aug 2018 20:47:44 +1000
Superseded in stretch-release
wordpress (4.7.5+dfsg-2+deb9u3) stretch-security; urgency=high

  * Backport security patches from 4.9.5 Closes: #895034
    - CVE-2018-10101
       Don't treat localhost as same host by default.
    - CVE-2018-10100
       Use safe redirects when redirecting login page if SSL is forced
    - CVE-2018-10102
       Make sure version string is correctly escaped for use in
       generator tags
 -- Craig Small <email address hidden>  Mon, 16 Apr 2018 21:05:38 +1000
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.7+dfsg1-1) unstable; urgency=high

  * New upstream source
  * Fix directory traversal in thumb parameter
    CVE-2018-12895 Closes: #902876

 -- Craig Small <email address hidden>  Sat, 07 Jul 2018 22:29:18 +1000
Published in jessie-release
wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-10100: the redirection URL for the login page was not
    validated or sanitized if forced to use HTTPS.
  * Fix CVE-2018-10102: the version string was not escaped in the
    get_the_generator function, and could lead to XSS in a generator tag.
    (Closes: #895034)

 -- Markus Koschany <email address hidden>  Sat, 28 Apr 2018 22:49:06 +0200
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.5+dfsg1-1) unstable; urgency=medium

  * New upstream source, fixes 3 Security issues Closes: #895034
    - CVE-2018-TBA
      Don't treat localhost as same host by default.
    - CVE-2018-TBA
      Use safe redirects when redirecting login page if SSL is forced
    - CVE-2018-TBA
      Make sure version string is correctly escaped for use in
      generator tags
  * Update to standards version 4.1.4
  * Remove get-orig-source in rules and use uscan

 -- Craig Small <email address hidden>  Sun, 08 Apr 2018 08:11:40 +1000
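
Several entries on this page close open redirects: the 4.9.5 fixes just above (safe redirects on the login page when SSL is forced, and no longer treating localhost as the same host), CVE-2020-4048 in wp_validate_redirect(), CVE-2017-14725 in the edit screens and CVE-2019-16220. They all reduce to one check: does the Location stay on a host we trust once the URL forms browsers accept have been accounted for. The Python below is an added illustration of that check; it is not WordPress's wp_validate_redirect()/wp_safe_redirect() nor anything from the Debian package, and SITE_URL, FALLBACK and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical site settings. WordPress reads these from wp-config.php and
# the options table; this example simply hard-codes them.
SITE_URL = "https://blog.example.org/wp"
FALLBACK = "/wp/wp-admin/"


def validate_redirect(location, allowed_hosts=(), allow_localhost=False):
    """Return `location` if it stays on a trusted host, else FALLBACK.

    Covers what a naive startswith('/') or 'in SITE_URL' check gets wrong:
    scheme-relative '//host', backslash variants, userinfo '@host',
    non-http schemes, and 'localhost', which the visitor's browser resolves
    on the visitor's machine rather than on the server.
    """
    allowed = {urlsplit(SITE_URL).hostname, *allowed_hosts}
    if allow_localhost:
        allowed.add("localhost")

    loc = location.strip()
    # Browsers treat '\' like '/' in the authority, so '/\evil' is '//evil'.
    loc = loc.replace("\\", "/")
    try:
        parts = urlsplit(loc)
        host = parts.hostname  # lower-cased, userinfo and port stripped
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return FALLBACK

    if parts.scheme:
        # Absolute URL: http(s) only, and the host must be on the list.
        if parts.scheme not in ("http", "https") or host is None:
            return FALLBACK
        return loc if host in allowed else FALLBACK

    # No scheme: accept only a path-relative URL. '//host' (and '///host',
    # which browsers collapse to the same thing) are scheme-relative.
    if host is not None or loc.startswith("//") or not loc.startswith("/"):
        return FALLBACK
    return loc
```

The hostname comparison is done on the parsed authority, never on the raw string, so `https://blog.example.org@evil.example/` and `https://blog.example.org.evil.example/` both fall through to FALLBACK. localhost is refused unless the caller opts in, matching the "don't treat localhost as same host by default" change in the entry above.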
Superseded in stretch-release
wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high

  * Backport security patches from 4.9.1 Closes: #883314
    - CVE-2017-17091
      Use a properly generated hash for the newbloguser key instead
      of a determinate substring.
      Changeset 42272
    - CVE-2017-17092
      Remove the ability to upload JavaScript files for users who
      do not have the unfiltered_html capability
      Changeset 42275
    - CVE-2017-17093
      Add escaping to the language attributes used on html elements
      Changeset 42273
    - CVE-2017-17094
      Ensure the attributes of enclosures are correctly escaped in
      RSS and Atom feeds
      Changeset 42274
  * Also backport patch for $wpdb->prepare CVE-2017-16510
    Closes: #880528

 -- Craig Small <email address hidden>  Thu, 04 Jan 2018 18:19:44 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.4+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Removed remove_jshint patch as upstream has found a different hinter

 -- Craig Small <email address hidden>  Fri, 09 Feb 2018 21:35:34 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.2+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #887596
    and resolves CVE-2018-5776
  * Update standards version to 4.1.3 - no change

 -- Craig Small <email address hidden>  Sat, 20 Jan 2018 18:02:18 +1100
Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium

  * Backport security patches from 4.8.2
     - CVE-2017-14723
       $wpdb->prepare() can create unexpected and unsafe queries leading to
       potential SQL injection (SQLi)
       Changeset 41472, 41498
     - CVE-2017-14726
       Cross-site scripting (XSS) vulnerability in the visual editor
       Changeset 41436
     - CVE-2017-14719
       Path traversal vulnerability in the file unzipping code
       Changeset 41459
     - CVE-2017-14721
       Cross-site scripting (XSS) vulnerability in the plugin editor
       Changeset 41413
     - CVE-2017-14725
       Open redirect in the user edit screens
       The term/tag edit screen does not have this issue.
       Changeset 41424
     - CVE-2017-14722
       Path traversal vulnerability in the customizer
       Changeset 41430
     - CVE-2017-14720
       Cross-site scripting (XSS) vulnerability in template names
       Changeset 41413 (same as plugin editor)
     - CVE-2017-14718
       Cross-site scripting (XSS) vulnerability in the link modal
  * Not vulnerable:
     - CVE-2017-14724
       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
       oEmbed feature not present in this version
  * Hash user activation key Closes: #877629
    Fixes CVE-2017-14990
 -- Craig Small <email address hidden>  Wed, 11 Oct 2017 21:27:47 +1100
Superseded in stretch-release
wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium

  * Backport patches from 4.8.2 Closes: #876274
     - CVE-2017-14723
       $wpdb->prepare() can create unexpected and unsafe queries leading to
       potential SQL injection (SQLi)
       Changeset 41472, 41498
     - CVE-2017-14724
       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
       Changeset 41451
     - CVE-2017-14726
       Cross-site scripting (XSS) vulnerability in the visual editor
       Changeset 41436
     - CVE-2017-14719
       Path traversal vulnerability in the file unzipping code
       Changeset 41459
     - CVE-2017-14721
       Cross-site scripting (XSS) vulnerability in the plugin editor
       Changeset 41413
     - CVE-2017-14725
       Open redirect in the user and term edit screens
       Changeset 41418
     - CVE-2017-14722
       Path traversal vulnerability in the customizer
       Changeset 41430
     - CVE-2017-14720
       Cross-site scripting (XSS) vulnerability in template names
       Changeset 41413 (same as plugin editor)
     - CVE-2017-14718
       Cross-site scripting (XSS) vulnerability in the link modal
  * Hash user activation key Closes: #877629
    Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Sat, 07 Oct 2017 07:11:32 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (4.9.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Release 4.9 was never packaged due to licensing problems
  * This release fixes 6 security issues Closes: #883314
    - CVE-2017-17091
      Use a properly generated hash for the newbloguser key instead
      of a determinate substring.
    - CVE-2017-17092
      Remove the ability to upload JavaScript files for users who 
      do not have the unfiltered_html capability
    - CVE-2017-17093
      Add escaping to the language attributes used on html elements
    - CVE-2017-17094
      Ensure the attributes of enclosures are correctly escaped in
      RSS and Atom feeds
  * Updated to standards 4.1.1
  * New linting for Javascript is disabled due to jshint.js licensing
    issues

 -- Craig Small <email address hidden>  Sat, 09 Dec 2017 16:57:09 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (4.8.3+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #880528

 -- Craig Small <email address hidden>  Thu, 02 Nov 2017 22:16:15 +1100
Superseded in buster-release
Superseded in sid-release
wordpress (4.8.2+dfsg-2) unstable; urgency=high

  * Hash user activation key Closes: #877629
    Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Wed, 04 Oct 2017 21:59:11 +1100

Superseded in buster-release
Superseded in sid-release
wordpress (4.8.2+dfsg-1) unstable; urgency=high

  * New upstream security release fixes 9 security issues Closes: #876274
    CVE IDs will be updated when issued
    - CVE-2017-XXX
      $wpdb->prepare() can create unexpected and unsafe queries leading to
      potential SQL injection (SQLi)
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the oEmbed discovery
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the visual editor
    - CVE-2017-TBA
      Path traversal vulnerability in the file unzipping code
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the plugin editor
    - CVE-2017-TBA
      Open redirect in the user and term edit screens
    - CVE-2017-TBA
      Path traversal vulnerability in the customizer
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in template names
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the link modal

 -- Craig Small <email address hidden>  Fri, 22 Sep 2017 21:57:06 +1000

Superseded in buster-release
Superseded in sid-release
wordpress (4.8.1+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 03 Aug 2017 21:35:33 +1000

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium

  * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062
      Improper handling of post meta data values in the XML-RPC API.
      Changeset 40699
    - CVE-2017-9065
      Lack of capability checks for post meta data in the XML-RPC API.
      Changeset 40684
    - CVE-2017-9064
      A Cross Site Request Forgery (CSRF) vulnerability was discovered
      in the filesystem credentials dialog.
      Changeset 40730
    - CVE-2017-9061
      A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files.
      Changeset 40743
    - CVE-2017-9063
      A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer.
      Changeset 40711
  * CVE-2017-9066 not fixed as the relevant code has changed dramatically
    and there is no upstream patch for it.
    Insufficient redirect validation in the HTTP class.
  * CVE-2017-8295 Don't use client-provided data to form password reset
    from email address, from WordPress ticket #23239 Closes: #862053

 -- Craig Small <email address hidden>  Wed, 24 May 2017 22:24:48 +1000

Superseded in buster-release
Superseded in sid-release
wordpress (4.8+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 09 Jun 2017 22:43:40 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.7.5+dfsg-2) unstable; urgency=medium

  * Don't trust SERVER_NAME variable for emails
    CVE-2017-8295 Closes: #862053

 -- Craig Small <email address hidden>  Mon, 05 Jun 2017 21:45:59 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.7.5+dfsg-1) unstable; urgency=high

  * New upstream release fixes 6 security issues Closes: #862816
    CVEs to be added once issued
    - CVE-2017-XXX
      Insufficient redirect validation in the HTTP class.
    - CVE-2017-XXX
      Improper handling of post meta data values in the XML-RPC API.
    - CVE-2017-XXX
      Lack of capability checks for post meta data in the XML-RPC API.
    - CVE-2017-XXX
      A Cross Site Request Forgery (CSRF) vulnerability was discovered
      in the filesystem credentials dialog.
    - CVE-2017-XXX
      A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files.
    - CVE-2017-XXX
      A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer.

 -- Craig Small <email address hidden>  Wed, 17 May 2017 22:28:18 +1000
