Change log for wordpress package in Debian
1 → 75 of 177 results
Published in sid-release

wordpress (6.5.3+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 19 May 2024 20:26:03 +1000
Superseded in sid-release

wordpress (6.5.2+dfsg1-1) unstable; urgency=medium

  * New upstream security release
    - Fixes stored XSS in Avatar blocks Closes: #1069091

 -- Craig Small <email address hidden>  Tue, 16 Apr 2024 19:24:58 +1000
Superseded in sid-release

wordpress (6.5+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 04 Apr 2024 21:04:22 +1100
Superseded in sid-release

wordpress (6.4.3+dfsg1-1) unstable; urgency=medium

  * New upstream release:
    - PHP File Upload bypass via Plugin Installer (requiring admin privileges)
    - An RCE POP Chains vulnerability

 -- Craig Small <email address hidden>  Thu, 08 Feb 2024 19:54:35 +1100
Superseded in sid-release

wordpress (6.4.2+dfsg1-1) unstable; urgency=medium

  * New upstream release
    - Fixes an RCE that could be potentially exploited with some plugins,
      especially multisite installations.

 -- Craig Small <email address hidden>  Tue, 02 Jan 2024 08:30:41 +1100
Superseded in sid-release

wordpress (6.4.1+dfsg1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Source-only upload to enable migration (Closes: #1058810)

 -- Paul Gevers <email address hidden>  Sat, 16 Dec 2023 20:53:01 +0100
Superseded in sid-release

wordpress (6.4.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Update to standards 4.6.2, no change
  * Themes: twentytwentyone removed, new twentytwentyfour
  * Update apparmor profile for jetpack-waf directory, more comments

 -- Craig Small <email address hidden>  Tue, 14 Nov 2023 18:04:24 +1100
Superseded in sid-release

wordpress (6.3.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 29 Oct 2023 21:50:25 +1100
Superseded in sid-release

wordpress (6.3.1+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Tue, 12 Sep 2023 19:36:08 +1000
Superseded in sid-release

wordpress (6.3+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 10 Aug 2023 20:53:28 +1000
Superseded in sid-release

wordpress (6.2.2+dfsg1-1) unstable; urgency=medium

  * New upstream security release Closes: #1036689
    - Block themes parsing shortcodes in user-generated data

 -- Craig Small <email address hidden>  Thu, 25 May 2023 20:41:51 +1000
Superseded in sid-release

wordpress (6.2.1+dfsg1-1) unstable; urgency=high

  * New upstream security release Closes: #1036296
    - CVE-2023-2745 - Directory traversal in wp_lang

 -- Craig Small <email address hidden>  Fri, 19 May 2023 07:40:55 +1000
Superseded in sid-release

wordpress (6.2+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed ancient (10+ years) news entries

 -- Craig Small <email address hidden>  Tue, 11 Apr 2023 22:40:41 +1000
Published in bullseye-release

wordpress (5.7.8+dfsg1-0+deb11u2) bullseye-security; urgency=high

  * Rebuild with bullseye dependencies Closes: #1024249

 -- Craig Small <email address hidden>  Thu, 17 Nov 2022 08:11:54 +1100
wordpress (6.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream maintenance release

 -- Craig Small <email address hidden>  Fri, 09 Dec 2022 21:49:35 +1100
Superseded in sid-release

wordpress (6.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed TwentyTwenty theme
  * Added TwentyTwentyThree theme and made it recommended

 -- Craig Small <email address hidden>  Sat, 12 Nov 2022 18:01:07 +1100
Superseded in sid-release

wordpress (6.0.3+dfsg1-1) unstable; urgency=high

  * New security release Closes: #1022575
    - Stored XSS via wp-mail.php (post by email)
    - Open redirect in `wp_nonce_ays`
    - Sender's email address is exposed in wp-mail.php
    - Media Library - Reflected XSS via SQLi
    - CSRF in wp-trackback.php
    - Stored XSS via the Customizer
    - Revert shared user instances introduced in 50790
    - Stored XSS in WordPress Core via Comment Editing
    - Data exposure via the REST Terms/Tags Endpoint
    - Content from multipart emails leaked
    - SQL Injection due to improper sanitization in `WP_Date_Query`
    - RSS Widget: Stored XSS issue
    - Stored XSS in the search block
    - Feature Image Block: XSS issue
    - RSS Block: Stored XSS issue
    - Fix widget block XSS

 -- Craig Small <email address hidden>  Mon, 24 Oct 2022 21:10:11 +1100
Superseded in sid-release

wordpress (6.0.2+dfsg1-1) unstable; urgency=medium

  * New security release Closes: #1018863
    - Possible link SQL injection within the Link API
    - XSS in Plugins screen
    - Output escaping issue within the_meta()

 -- Craig Small <email address hidden>  Thu, 01 Sep 2022 18:41:07 +1000
Superseded in sid-release

wordpress (6.0+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Added more suggestions for php modules
  * Update standards version to 4.6.1, no changes needed.
  * Allow WordPress config file to be defined Closes: #834842

 -- Craig Small <email address hidden>  Thu, 02 Jun 2022 16:37:59 +1000
Superseded in sid-release

wordpress (5.9.2+dfsg1-2) unstable; urgency=high

  * Fix emoji patch Closes: #1008976

 -- Craig Small <email address hidden>  Wed, 06 Apr 2022 17:20:47 +1000
Published in buster-release

wordpress (5.0.15+dfsg1-0+deb10u1) buster-security; urgency=high

  * Upstream security release Closes: #1003243
    - CVE-2022-21662 - Stored XSS through authenticated users
    - CVE-2022-21663 - Authenticated Object Injection in Multisites
    - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
    - CVE-2022-21664 - SQL injection due to improper sanitization in WP_Meta_Query

 -- Craig Small <email address hidden>  Sat, 08 Jan 2022 08:06:09 +1100
Superseded in bullseye-release

wordpress (5.7.5+dfsg1-0+deb11u1) bullseye-security; urgency=high

  * Upstream security release Closes: #1003243
    - CVE-2022-21662 - Stored XSS through authenticated users
    - CVE-2022-21663 - Authenticated Object Injection in Multisites
    - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
    - CVE-2022-21664 - SQL injection due to improper sanitization in WP_Meta_Query
  * WordPress 5.7.4 just had a removal of an old CA certificate which isn't used
    in Debian installations

 -- Craig Small <email address hidden>  Fri, 07 Jan 2022 17:51:21 +1100
Superseded in sid-release

wordpress (5.9.2+dfsg1-1) unstable; urgency=medium

  * New security release Closes: #1007005, #1007145
  * Themes: 2019 removed, 2022 added

 -- Craig Small <email address hidden>  Sat, 12 Mar 2022 14:31:34 +1100
Superseded in sid-release

wordpress (5.8.3+dfsg1-1) unstable; urgency=high

  * Upstream security release Closes: #1003243
    - CVE-2022-21662 - Stored XSS through authenticated users
    - CVE-2022-21663 - Authenticated Object Injection in Multisites
    - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
    - CVE-2022-21664 - SQL injection due to improper sanitization in WP_Meta_Query

 -- Craig Small <email address hidden>  Fri, 07 Jan 2022 15:57:14 +1100
Superseded in sid-release

wordpress (5.8.2+dfsg1-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Remove 1 obsolete maintscript entry.
  * Fix day-of-week for changelog entry 2.6.2-1.
  * Update standards version to 4.6.0, no changes needed.

  [ Craig Small ]
  * New upstream release Closes: #1001462
  * Don't install ca-certificates.crt but link it Closes: #999568
  * Fix updater to complain less
  * Stop auto-updates Closes: #1001623
  * Added local/apache-wordpress for AppArmor local configs

 -- Craig Small <email address hidden>  Mon, 20 Dec 2021 21:48:50 +1100
Superseded in bullseye-release

wordpress (5.7.3+dfsg1-0+deb11u1) bullseye-security; urgency=medium

  * Security release, fixes 2 bugs:
    - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
    - CVE-2021-39201 - XSS in editor Closes: #994059

 -- Craig Small <email address hidden>  Sat, 11 Sep 2021 10:55:23 +1000
Superseded in sid-release

wordpress (5.8.1+dfsg1-2) unstable; urgency=high

  * Install AppArmor file in correct location

 -- Craig Small <email address hidden>  Mon, 20 Sep 2021 18:51:00 +1000
Superseded in sid-release

wordpress (5.8.1+dfsg1-1) unstable; urgency=medium

  * Security release
    - CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
    - CVE-2021-39201 - XSS in editor Closes: #994059
  * New upstream release Closes: #992302
  * Add direct FS_METHOD in mysql setup Closes: #988991
  * Add AppArmor profile

 -- Craig Small <email address hidden>  Sat, 11 Sep 2021 10:29:52 +1000
Superseded in buster-release

wordpress (5.0.12+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 2 bugs Closes: #987065
    - CVE-2021-29450 - Authenticated disclosure of password-protected posts and pages.
    - CVE-2021-29447 - Authenticated XXE attack when installation is running PHP 8

 -- Craig Small <email address hidden>  Sat, 17 Apr 2021 21:02:47 +1000
wordpress (5.7.1+dfsg1-2) unstable; urgency=medium

  * Fix symlink for 2021 theme Closes: #986085

 -- Craig Small <email address hidden>  Tue, 20 Apr 2021 22:28:40 +1000
Superseded in sid-release

wordpress (5.7.1+dfsg1-1) unstable; urgency=high

  * Security release, fixes 2 bugs Closes: #987065
    - CVE-2021-29450 - Authenticated disclosure of password-protected posts and pages.
    - CVE-2021-29447 - Authenticated XXE attack when installation is running PHP 8

 -- Craig Small <email address hidden>  Sat, 17 Apr 2021 08:46:05 +1000
Superseded in sid-release

wordpress (5.7+dfsg1-1) unstable; urgency=medium

  * New upstream release Closes: #984985

 -- Craig Small <email address hidden>  Mon, 15 Mar 2021 08:11:27 +1100
Superseded in sid-release

wordpress (5.6.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Added core language directory

 -- Craig Small <email address hidden>  Fri, 05 Feb 2021 18:53:39 +1100
Superseded in sid-release

wordpress (5.6+dfsg1-2) unstable; urgency=medium

  * Removed php5 alternative dependencies as these are only in oldoldstable
  * Source-only upload for Bullseye Closes: #977517

 -- Craig Small <email address hidden>  Mon, 21 Dec 2020 14:39:34 +1100
Superseded in sid-release

wordpress (5.6+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed theme twentyseventeen
  * Added theme twentytwentyone
  * Update to standards version 4.5.1

 -- Craig Small <email address hidden>  Thu, 17 Dec 2020 22:22:49 +1100
Superseded in buster-release

wordpress (5.0.11+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
    - CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
    - CVE-2020-28035: XML-RPC privilege escalation.
    - CVE-2020-28036: XML-RPC privilege escalation.
    - CVE-2020-28032: Hardening deserialization requests.
    - CVE-2020-28037: DoS attack could lead to RCE.
    - CVE-2020-28038: Stored XSS in post slugs.
    - CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
    - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
    - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Remove duplicated changeset 45974 Closes: #971914

 -- Craig Small <email address hidden>  Tue, 03 Nov 2020 18:02:39 +1100
Superseded in sid-release

wordpress (5.5.3+dfsg1-1) unstable; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
    - CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
    - CVE-2020-28035: XML-RPC privilege escalation.
    - CVE-2020-28036: XML-RPC privilege escalation.
    - CVE-2020-28032: Hardening deserialization requests.
    - CVE-2020-28037: DoS attack could lead to RCE.
    - CVE-2020-28038: Stored XSS in post slugs.
    - CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
    - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
    - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Removed TinyMCE build dependency as it's very old
  * d/dirs: Add two more language directories

 -- Craig Small <email address hidden>  Tue, 03 Nov 2020 17:23:49 +1100
Superseded in sid-release

wordpress (5.5.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Remove patch CVE-2017-8295 as it is in upstream

 -- Craig Small <email address hidden>  Wed, 02 Sep 2020 16:25:35 +1000
Superseded in buster-release

wordpress (5.0.10+dfsg1-0+deb10u1) buster-security; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046 Authenticated XSS through embed block
    - CVE-2020-4047 Authenticated XSS via media attachment page
    - CVE-2020-4048 Open redirect in wp_validate_redirect()
    - CVE-2020-4049 Authenticated self-XSS via theme uploads
    - CVE-2020-4050 'set-screen-option' filter misuse by plugins leading to privilege escalation
  * Prevent unmoderated comments from search engine indexation

 -- Craig Small <email address hidden>  Fri, 19 Jun 2020 15:46:30 +1000
Published in stretch-release

wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high

  * Importing WordPress 4.7.17/5.4.1 updates Closes: #959391
    - CVE-2020-11025 XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed.
    - CVE-2020-11026 uploaded files to Media section to lead to script execution
    - CVE-2020-11027 Password reset link does not expire
    - CVE-2020-11028 Private posts can be found through searching by date
    - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
    Not vulnerable:
    - CVE-2020-11030 (feature introduced 5.0) Special payload can execute scripts in block editor
  * Importing WordPress 4.7.16/5.3.1 updates Closes: #946905
    - CVE-2019-20043 an unprivileged user could make a post sticky via the REST API.
    - CVE-2019-20041 hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
    Not vulnerable:
    - CVE-2019-20042 (function introduced 5.1.0) cross-site scripting (XSS) could be stored in well-crafted links
    - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0) stored XSS vulnerability using block editor content.
  * Importing WordPress 4.7.15/5.2.4 updates Closes: #942459
    - CVE-2019-17674 Stored XSS in the Customizer
    - CVE-2019-17671 Viewing unauthenticated posts
    - CVE-2019-17672 Stored XSS to inject javascript into style tags
    - CVE-2019-17673 Poisoning JSON GET requests
    - CVE-2019-17669 SSRF in URL validation
    - CVE-2019-17675 Referer validation in admin screens
  * Importing WordPress 4.7.14/5.2.3 updates Closes: #939543
    - CVE-2019-16223 XSS in post previews
    - CVE-2019-16218 XSS in stored comments
    - CVE-2019-16220 Open redirect due to validation and sanitization
    - CVE-2019-16217 XSS in media uploads
    - CVE-2019-16219 XSS in shortcode previews
    - CVE-2019-16221 XSS in dashboard
    - CVE-2019-16222 XSS in URL sanitization
  * Security patches from 5.1.1/4.7.13
  * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546

 -- Craig Small <email address hidden>  Sat, 02 May 2020 15:23:57 +1000
Superseded in sid-release

wordpress (5.4.2+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046 Authenticated XSS through embed block
    - CVE-2020-4047 Authenticated XSS via media attachment page
    - CVE-2020-4048 Open redirect in wp_validate_redirect()
    - CVE-2020-4049 Authenticated self-XSS via theme uploads
    - CVE-2020-4050 'set-screen-option' filter misuse by plugins leading to privilege escalation
  * Prevent unmoderated comments from search engine indexation

 -- Craig Small <email address hidden>  Mon, 15 Jun 2020 07:53:44 +1000
Superseded in sid-release

wordpress (5.4.1+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #959391
    - CVE-2020-11025 XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed.
    - CVE-2020-11026 uploaded files to Media section to lead to script execution
    - CVE-2020-11027 Password reset link does not expire
    - CVE-2020-11028 Private posts can be found through searching by date
    - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
    - CVE-2020-11030 Special payload can execute scripts in block editor
  * Add multi-arch tags
  * Update to standards 4.5.0

 -- Craig Small <email address hidden>  Sat, 02 May 2020 14:21:58 +1000
Superseded in sid-release

wordpress (5.4+dfsg1-1) unstable; urgency=medium

  * New upstream source
  * Remove debian.cnf call for create database Closes: #884877
  * Add note for iputils-ping required for setup-mysql. Closes: #944465
  * Themes: twentysixteen removed, twentytwenty added
  * Themes: remove conflict with ancient wordpress

 -- Craig Small <email address hidden>  Sun, 05 Apr 2020 12:00:08 +1000
Superseded in buster-release

wordpress (5.0.4+dfsg1-1+deb10u1) buster-security; urgency=medium

  * Backport of the 5.3.1 security release Closes: #946905
    - CVE-2019-20043 an unprivileged user could make a post sticky via the REST API.
    - CVE-2019-20042 cross-site scripting (XSS) could be stored in well-crafted links
    - CVE-2019-20041 hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
    - CVE-2019-16780 and CVE-2019-16781 stored XSS vulnerability using block editor content.
  * Backport of the 5.2.4 security release Closes: #942459
    - CVE-2019-17674 Stored XSS in the Customizer
    - CVE-2019-17671 Viewing unauthenticated posts
    - CVE-2019-17672 Stored XSS to inject javascript into style tags
    - CVE-2019-17673 Poisoning JSON GET requests
    - CVE-2019-17669 SSRF in URL validation
    - CVE-2019-17675 Referer validation in admin screens
  * Backport of 5.2.3 security release, Closes: #939543
    - CVE-2019-16223 XSS in post previews
    - CVE-2019-16218 XSS in stored comments
    - CVE-2019-16220 Open redirect due to validation and sanitization
    - CVE-2019-16217 XSS in media uploads
    - CVE-2019-16219 XSS in shortcode previews
    - CVE-2019-16221 XSS in dashboard
    - CVE-2019-16222 XSS in URL sanitization

 -- Craig Small <email address hidden>  Fri, 27 Dec 2019 15:26:33 +1100
Superseded in sid-release

wordpress (5.3.2+dfsg1-1) unstable; urgency=high

  * Fixes some important but non-security bugs.
  * Thanks to Nils Radtke <email address hidden> for their assistance.
  * Version 5.3.1 is a security release, fixes several issues Closes: #946905
    - an unprivileged user could make a post sticky via the REST API.
    - cross-site scripting (XSS) could be stored in well-crafted links
    - hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
    - stored XSS vulnerability using block editor content.
  * Fix error in CVE-2017-14990 patch where sub-sites cannot authenticate users.
    Thanks Connor for your help!

 -- Craig Small <email address hidden>  Fri, 27 Dec 2019 15:18:07 +1100
Available diffs
- diff from 5.2.4+dfsg1-1 to 5.3.2+dfsg1-1 (6.3 MiB)
Superseded in sid-release

wordpress (5.2.4+dfsg1-1) unstable; urgency=high

  * Security release, fixes several issues Closes: #942459
    - Stored XSS in the Customizer
    - Viewing unauthenticated posts
    - Stored XSS to inject JavaScript into style tags
    - Poisoning JSON GET requests
    - SSRF in URL validation
    - Referer validation in admin screens

 -- Craig Small <email address hidden>  Thu, 17 Oct 2019 21:32:54 +1100
Available diffs
- diff from 5.2.2+dfsg1-1 to 5.2.4+dfsg1-1 (206.7 KiB)
Superseded in sid-release

wordpress (5.2.3+dfsg1-1) unstable; urgency=medium

  * Security release, fixes several issues Closes: #939543
    - XSS in post previews
    - XSS in stored comments
    - Open redirect due to validation and sanitization
    - XSS in media uploads
    - XSS in shortcode previews
    - XSS in dashboard
    - XSS in URL sanitization
  * Use replace for dh-linktrees for underscore-js

 -- Craig Small <email address hidden>  Fri, 06 Sep 2019 18:39:10 +1000
Superseded in sid-release

wordpress (5.2.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Tue, 25 Jun 2019 21:03:42 +1000
Available diffs
- diff from 5.2.1+dfsg1-1 to 5.2.2+dfsg1-1 (260.4 KiB)
Superseded in sid-release

wordpress (5.2.1+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Sun, 26 May 2019 16:42:33 +1000
Available diffs
- diff from 5.1.1+dfsg1-1 to 5.2.1+dfsg1-1 (4.2 MiB)
Superseded in buster-release

wordpress (5.0.4+dfsg1-1) buster; urgency=medium

  * Backport of 5.1.1 patches
  * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787

 -- Craig Small <email address hidden>  Sun, 24 Mar 2019 09:20:02 +1100
Superseded in stretch-release

wordpress (4.7.5+dfsg-2+deb9u5) stretch-security; urgency=medium

  * Backport security patches from wordpress 5.0.1 Closes: #916403
    - CVE-2018-20147 Delete files through altered meta data
    - CVE-2018-20152 Create posts of unauthorized post types
    - CVE-2018-20148 PHP object injection through crafted meta data
    - CVE-2018-20153 Edit other users comments, leading to XSS
    - CVE-2018-20150 XSS in plugins through crafted URL inputs
    - CVE-2018-20151 User activation screen visible to search engines
    - CVE-2018-20149 Bypass MIME verification causing XSS
    - CVE-2019-8942 Remote Code Execution (RCE) in uploaded image files

 -- Craig Small <email address hidden>  Thu, 28 Feb 2019 20:25:00 +1100
Superseded in sid-release

wordpress (5.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Fixes XSS security hole in comments Closes: #924546
  * Added new/better config example

 -- Craig Small <email address hidden>  Thu, 14 Mar 2019 22:10:00 +1100
Available diffs
- diff from 5.0.3+dfsg1-1 to 5.1.1+dfsg1-1 (4.5 MiB)
wordpress (5.0.3+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Update to Debian standards 4.3.0

 -- Craig Small <email address hidden>  Tue, 05 Feb 2019 22:23:39 +1100
Available diffs
- diff from 5.0.2+dfsg1-1 to 5.0.3+dfsg1-1 (895.3 KiB)
wordpress (5.0.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 28 Dec 2018 16:00:13 +1100
Available diffs
- diff from 5.0.1+dfsg1-1 to 5.0.2+dfsg1-1 (1.1 MiB)
wordpress (5.0.1+dfsg1-1) unstable; urgency=high

  * New upstream source. fixes 7 Security issues Closes: #916403
    - CVE-2018-20147 Delete files through altered meta data
    - CVE-2018-20152 Create posts of unauthorized post types
    - CVE-2018-20148 PHP object injection through crafted meta data
    - CVE-2018-20153 Edit other users comments, leading to XSS
    - CVE-2018-20150 XSS in plugins through crafted URL inputs
    - CVE-2018-20151 User activation screen visible to search engines
    - CVE-2018-20149 Bypass MIME verification causing XSS
  * Themes: Remove twentyfifteen, add twentynineteen and make default
  * Remove remote emojis

 -- Craig Small <email address hidden>  Sun, 16 Dec 2018 10:45:32 +1100
Available diffs
- diff from 4.9.8+dfsg1-1 to 5.0.1+dfsg1-1 (2.7 MiB)
Superseded in stretch-release

wordpress (4.7.5+dfsg-2+deb9u4) stretch-security; urgency=high

  * Backport security patch from 4.9.7 Closes: #902876
    - CVE-2018-12895 Fix directory traversal in thumb parameter

 -- Craig Small <email address hidden>  Sun, 08 Jul 2018 22:06:46 +1000
wordpress (4.9.8+dfsg1-1) unstable; urgency=medium

  * New upstream source
    Verify plugin uploads CVE-2018-14028 Closes: #906565

 -- Craig Small <email address hidden>  Tue, 21 Aug 2018 20:47:44 +1000
Available diffs
- diff from 4.9.7+dfsg1-1 to 4.9.8+dfsg1-1 (673.8 KiB)
Superseded in stretch-release

wordpress (4.7.5+dfsg-2+deb9u3) stretch-security; urgency=high

  * Backport security patches from 4.9.5 Closes: #895034
    - CVE-2018-10101 Don't treat localhost as same host by default.
    - CVE-2018-10100 Use safe redirects when redirecting login page if SSL is forced
    - CVE-2018-10102 Make sure version string is correctly escaped for use in generator tags

 -- Craig Small <email address hidden>  Mon, 16 Apr 2018 21:05:38 +1000
wordpress (4.9.7+dfsg1-1) unstable; urgency=high

  * New upstream source
  * Fix directory traversal in thumb parameter CVE-2018-12895 Closes: #902876

 -- Craig Small <email address hidden>  Sat, 07 Jul 2018 22:29:18 +1000
Available diffs
- diff from 4.9.5+dfsg1-1 to 4.9.7+dfsg1-1 (877.0 KiB)
Published in jessie-release

wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-10100: the redirection URL for the login page was not validated
    or sanitized if forced to use HTTPS.
  * Fix CVE-2018-10102: the version string was not escaped in the get_the_generator
    function, and could lead to XSS in a generator tag. (Closes: #895034)

 -- Markus Koschany <email address hidden>  Sat, 28 Apr 2018 22:49:06 +0200
wordpress (4.9.5+dfsg1-1) unstable; urgency=medium

  * New upstream source, fixes 3 Security issues Closes: #895034
    - CVE-2018-TBA Don't treat localhost as same host by default.
    - CVE-2018-TBA Use safe redirects when redirecting login page if SSL is forced
    - CVE-2018-TBA Make sure version string is correctly escaped for use in generator tags
  * Update to standards version 4.1.4
  * Remove get-orig-source in rules and use uscan

 -- Craig Small <email address hidden>  Sun, 08 Apr 2018 08:11:40 +1000
Available diffs
- diff from 4.9.4+dfsg-1 to 4.9.5+dfsg1-1 (134.0 KiB)
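The 4.9.5 entry above ("Use safe redirects when redirecting login page if SSL is forced", later assigned CVE-2018-10100) and the 5.4.2 entry earlier on this page ("Open redirect in wp_validate_redirect()", CVE-2020-4048) are both about the same check: a redirect target taken from the request must be proven to point at the site's own host before it goes into a Location header. The example below is added here to show what that check has to cover; it is written from scratch for illustration and is not WordPress's wp_safe_redirect()/wp_validate_redirect() nor any Debian patch. The function names, the site host "blog.example" and the test vectors are constructed for the example.

```php
<?php
// Added example, not WordPress or Debian code: a same-host redirect validator and the
// inputs an open-redirect check must reject. Names and hosts here are constructed.

declare(strict_types=1);

function is_safe_redirect(string $target, string $allowedHost): bool
{
    // Control characters would allow header injection in Location; a backslash is
    // rejected because browsers read "/\evil.example" as scheme-relative "//evil.example".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    // Site-relative path: exactly one leading slash ("//host/..." is scheme-relative).
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        return $path !== '' && $path[0] === '/' && ($path[1] ?? '') !== '/';
    }
    // Anything else must be an absolute http(s) URL on the allowed host.
    if (!isset($parts['scheme'], $parts['host'])) {
        return false;   // javascript:, data:, mailto: (scheme, no host) or host without scheme
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // "https://blog.example@evil.example/" puts the real host after the @
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    // Exact, case-insensitive host match: no suffix/prefix matching, so
    // "blog.example.evil.example" does not pass.
    return strtolower($parts['host']) === strtolower($allowedHost);
}

/** Use the requested target only when it validates; otherwise fall back to a fixed page. */
function safe_redirect_target(string $requested, string $allowedHost, string $fallback = '/wp-admin/'): string
{
    return is_safe_redirect($requested, $allowedHost) ? $requested : $fallback;
}

// Constructed vectors for a site whose host is "blog.example".
$cases = [
    '/wp-admin/'                               => true,
    'https://blog.example/wp-admin/'           => true,
    'HTTPS://BLOG.EXAMPLE/'                    => true,
    '//evil.example/'                          => false,  // scheme-relative
    '/\\evil.example/'                         => false,  // backslash variant of the above
    'https://evil.example/'                    => false,
    'https://blog.example.evil.example/'       => false,  // host suffix trick
    'https://blog.example@evil.example/'       => false,  // userinfo trick
    'javascript:alert(1)'                      => false,
    "https://blog.example/\r\nSet-Cookie: a=b" => false,  // header injection
];
foreach ($cases as $url => $expected) {
    $verdict = is_safe_redirect($url, 'blog.example') === $expected ? 'ok' : 'MISMATCH';
    printf("%-45s %s\n", addcslashes($url, "\r\n"), $verdict);
}
printf("redirect_to=%s\n", safe_redirect_target('//evil.example/', 'blog.example'));
```

The validator accepts a different port on the same host and an http downgrade of an https site; whether either matters depends on the deployment, and a stricter deployment would compare scheme and port against the configured site URL as well. The point the two changelog entries share is the fallback: when the target fails validation the user is sent to a fixed local page, never to the attacker-supplied one.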
Superseded in stretch-release

wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high

  * Backport security patches from 4.9.1 Closes: #883314
    - CVE-2017-17091 Use a properly generated hash for the newbloguser key instead
      of a determinate substring. Changeset 42272
    - CVE-2017-17092 Remove the ability to upload JavaScript files for users who do
      not have the unfiltered_html capability Changeset 42275
    - CVE-2017-17093 Add escaping to the language attributes used on html elements
      Changeset 42273
    - CVE-2017-17094 Ensure the attributes of enclosures are correctly escaped in
      RSS and Atom feeds Changeset 42274
  * Also backport patch for $wpdb->prepare CVE-2017-16510 Closes: #880528

 -- Craig Small <email address hidden>  Thu, 04 Jan 2018 18:19:44 +1100
wordpress (4.9.4+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Removed remove_jshint patch as upstream has found a different hinter

 -- Craig Small <email address hidden>  Fri, 09 Feb 2018 21:35:34 +1100
Available diffs
- diff from 4.9.2+dfsg-1 to 4.9.4+dfsg-1 (517.2 KiB)
wordpress (4.9.2+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #887596 and resolves CVE-2018-5776
  * Update standards version to 4.1.3 - no change

 -- Craig Small <email address hidden>  Sat, 20 Jan 2018 18:02:18 +1100
Available diffs
- diff from 4.9.1+dfsg-1 to 4.9.2+dfsg-1 (97.5 KiB)
Superseded in jessie-release

wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium

  * Backport security patches from 4.8.2
    - CVE-2017-14723 $wpdb->prepare() can create unexpected and unsafe queries
      leading to potential SQL injection (SQLi) Changeset 41472, 41498
    - CVE-2017-14726 Cross-site scripting (XSS) vulnerability in the visual editor
      Changeset 41436
    - CVE-2017-14719 Path traversal vulnerability in the file unzipping code
      Changeset 41459
    - CVE-2017-14721 Cross-site scripting (XSS) vulnerability in the plugin editor
      Changeset 41413
    - CVE-2017-14725 Open redirect in the user edit screens
      The term/tag edit screen does not have this issue. Changeset 41424
    - CVE-2017-14722 Path traversal vulnerability in the customizer Changeset 41430
    - CVE-2017-14720 Cross-site scripting (XSS) vulnerability in template names
      Changeset 41413 (same as plugin editor)
    - CVE-2017-14718 Cross-site scripting (XSS) vulnerability in the link modal
  * Not vulnerable:
    - CVE-2017-14724 Cross-site scripting (XSS) vulnerability in the oEmbed discovery
      oEmbed feature not present in this version
  * Hash user activation key Closes: #877629 Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Wed, 11 Oct 2017 21:27:47 +1100
Superseded in stretch-release

wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium

  * Backport patches from 4.8.2 Closes: #876274
    - CVE-2017-14723 $wpdb->prepare() can create unexpected and unsafe queries
      leading to potential SQL injection (SQLi) Changeset 41472, 41498
    - CVE-2017-14724 Cross-site scripting (XSS) vulnerability in the oEmbed discovery
      Changeset 41451
    - CVE-2017-14726 Cross-site scripting (XSS) vulnerability in the visual editor
      Changeset 41436
    - CVE-2017-14719 Path traversal vulnerability in the file unzipping code
      Changeset 41459
    - CVE-2017-14721 Cross-site scripting (XSS) vulnerability in the plugin editor
      Changeset 41413
    - CVE-2017-14725 Open redirect in the user and term edit screens Changeset 41418
    - CVE-2017-14722 Path traversal vulnerability in the customizer Changeset 41430
    - CVE-2017-14720 Cross-site scripting (XSS) vulnerability in template names
      Changeset 41413 (same as plugin editor)
    - CVE-2017-14718 Cross-site scripting (XSS) vulnerability in the link modal
  * Hash user activation key Closes: #877629 Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Sat, 07 Oct 2017 07:11:32 +1100
wordpress (4.9.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Release 4.9 was never packaged due to licensing problems
  * This release fixes 6 security issues Closes: #883314
    - CVE-2017-17091 Use a properly generated hash for the newbloguser key instead
      of a determinate substring.
    - CVE-2017-17092 Remove the ability to upload JavaScript files for users who do
      not have the unfiltered_html capability
    - CVE-2017-17093 Add escaping to the language attributes used on html elements
    - CVE-2017-17094 Ensure the attributes of enclosures are correctly escaped in
      RSS and Atom feeds
  * Updated to standards 4.1.1
  * New linting for Javascript is disabled due to jshint.js licensing issues

 -- Craig Small <email address hidden>  Sat, 09 Dec 2017 16:57:09 +1100
Available diffs
- diff from 4.8.3+dfsg-1 to 4.9.1+dfsg-1 (2.3 MiB)
wordpress (4.8.3+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #880528

 -- Craig Small <email address hidden>  Thu, 02 Nov 2017 22:16:15 +1100
Available diffs
- diff from 4.8.2+dfsg-2 to 4.8.3+dfsg-1 (11.0 KiB)
wordpress (4.8.2+dfsg-2) unstable; urgency=high

  * Hash user activation key Closes: #877629 Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Wed, 04 Oct 2017 21:59:11 +1100
Available diffs
- diff from 4.8.2+dfsg-1 to 4.8.2+dfsg-2 (3.3 KiB)
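The "Hash user activation key" change carried by 4.8.2+dfsg-2 (and backported into the stretch and jessie security uploads above) is about one property: the secret that goes out in the activation e-mail must not be readable back out of the database row that records it. The example below is added here to show that property, and is not WordPress code or the Debian patch; WordPress's own implementation and table layout are not reproduced. The table is a PHP array standing in for a signups table, the function names are invented, and the "leak" is simulated by reading the array directly, as an attacker with SQL injection or a copied backup would read the column.

```php
<?php
// Added example, not WordPress or Debian code: plaintext versus hashed storage of an
// activation key, and what a database read gives an attacker in each case.

declare(strict_types=1);

/** Insecure pattern: the stored value is exactly the value in the e-mail. */
function issue_activation_plain(array &$signups, string $email): string
{
    $key = bin2hex(random_bytes(16));
    $signups[$email] = ['activation_key' => $key, 'issued' => time()];
    return $key;   // this is what the activation e-mail carries
}

/** Hardened pattern: only a slow password hash is stored; the plaintext exists in the e-mail alone. */
function issue_activation_hashed(array &$signups, string $email): string
{
    $key = bin2hex(random_bytes(16));
    $signups[$email] = ['activation_key' => password_hash($key, PASSWORD_DEFAULT), 'issued' => time()];
    return $key;
}

/** Verify a presented key against the hashed row: expiry, constant-time compare, single use. */
function activate(array &$signups, string $email, string $presentedKey, int $ttl = 86400): bool
{
    if (!isset($signups[$email])) {
        return false;
    }
    $row = $signups[$email];
    if (time() - $row['issued'] > $ttl) {
        unset($signups[$email]);           // expired keys are discarded, not kept around
        return false;
    }
    if (!password_verify($presentedKey, $row['activation_key'])) {
        return false;
    }
    unset($signups[$email]);               // a key activates once
    return true;
}

// Constructed scenario: one signup recorded both ways, then the column is read out
// the way an attacker with a database read would read it.
$plainTable = [];
$hashedTable = [];
$mailedPlain  = issue_activation_plain($plainTable, 'victim@example.test');
$mailedHashed = issue_activation_hashed($hashedTable, 'victim@example.test');

$leakedPlain  = $plainTable['victim@example.test']['activation_key'];
$leakedHashed = $hashedTable['victim@example.test']['activation_key'];

// Plaintext table: the leaked column is the key itself.
var_dump(hash_equals($mailedPlain, $leakedPlain));
// Hashed table: replaying the leaked column does not activate the account...
var_dump(activate($hashedTable, 'victim@example.test', $leakedHashed));
// ...but the value that was actually mailed does, exactly once.
var_dump(activate($hashedTable, 'victim@example.test', $mailedHashed));
var_dump(activate($hashedTable, 'victim@example.test', $mailedHashed));
```

With the plaintext table, anyone who can read the row holds a working activation key for every pending signup; with the hashed table the same read yields a bcrypt hash that password_verify() rejects as a key, so the attacker is left brute-forcing 128 random bits through a slow hash. The later 5.3.2 entry on this page ("Fix error in CVE-2017-14990 patch where sub-sites cannot authenticate users") is a reminder that every code path that reads the column must be switched to the verify step at the same time the writer is switched to hashing.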
wordpress (4.8.2+dfsg-1) unstable; urgency=high

  * New upstream security release fixes 9 security issues Closes: #876274
    CVE IDs will be updated when issued
    - CVE-2017-XXX $wpdb->prepare() can create unexpected and unsafe queries
      leading to potential SQL injection (SQLi)
    - CVE-2017-TBA Cross-site scripting (XSS) vulnerability in the oEmbed discovery
    - CVE-2017-TBA Cross-site scripting (XSS) vulnerability in the visual editor
    - CVE-2017-TBA Path traversal vulnerability in the file unzipping code
    - CVE-2017-TBA Cross-site scripting (XSS) vulnerability in the plugin editor
    - CVE-2017-TBA Open redirect in the user and term edit screens
    - CVE-2017-TBA Path traversal vulnerability in the customizer
    - CVE-2017-TBA Cross-site scripting (XSS) vulnerability in template names
    - CVE-2017-TBA Cross-site scripting (XSS) vulnerability in the link modal

 -- Craig Small <email address hidden>  Fri, 22 Sep 2017 21:57:06 +1000
Available diffs
- diff from 4.8.1+dfsg-1 to 4.8.2+dfsg-1 (31.2 KiB)
wordpress (4.8.1+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 03 Aug 2017 21:35:33 +1000
Available diffs
- diff from 4.8+dfsg-1 to 4.8.1+dfsg-1 (113.2 KiB)
Superseded in jessie-release

wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium

  * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API.
      Changeset 40699
    - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API.
      Changeset 40684
    - CVE-2017-9064 A Cross Site Request Forgery (CSRF) vulnerability was discovered
      in the filesystem credentials dialog. Changeset 40730
    - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files. Changeset 40743
    - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer. Changeset 40711
  * CVE-2017-9066 not fixed as the relevant code has changed dramatically and there
    is no upstream patch for it. Insufficient redirect validation in the HTTP class.
  * CVE-2017-8295 Don't use client-provided data to form password reset from email
    address, from WordPress ticket #23239 Closes: #862053

 -- Craig Small <email address hidden>  Wed, 24 May 2017 22:24:48 +1000
wordpress (4.8+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 09 Jun 2017 22:43:40 +1000
Available diffs
- diff from 4.7.5+dfsg-2 to 4.8+dfsg-1 (1.7 MiB)
wordpress (4.7.5+dfsg-2) unstable; urgency=medium

  * Don't trust SERVER_NAME variable for emails CVE-2017-8295 Closes: #862053

 -- Craig Small <email address hidden>  Mon, 05 Jun 2017 21:45:59 +1000
Available diffs
- diff from 4.7.5+dfsg-1 to 4.7.5+dfsg-2 (1.4 KiB)
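The one-line 4.7.5+dfsg-2 entry ("Don't trust SERVER_NAME variable for emails", CVE-2017-8295; the jessie entry above states the same fix as "Don't use client-provided data to form password reset from email address") is worth spelling out, because SERVER_NAME looks like server-side data. With Apache's default UseCanonicalName Off, and with nginx server_name wildcards, $_SERVER['SERVER_NAME'] is filled from the client's Host header, so a sender address built from it is attacker-chosen: a password-reset request carrying a spoofed Host yields a reset mail whose From/Return-Path domain the attacker controls, and a bounce or auto-reply from the victim's mailbox then delivers the reset link to that domain. The example below is added here to contrast the two derivations; it is not WordPress's wp_mail()/retrieve_password() code nor the Debian patch, the function names are invented, and the $_SERVER array and hostnames are constructed for the example.

```php
<?php
// Added example, not WordPress or Debian code: deriving a mail sender domain from the
// request (attacker-influenced) versus from stored configuration (trusted).

declare(strict_types=1);

/** Strip a leading "www." so both derivations produce a comparable bare domain. */
function bare_domain(string $host): string
{
    $host = strtolower($host);
    return strncmp($host, 'www.', 4) === 0 ? substr($host, 4) : $host;
}

/** Vulnerable pattern: sender domain comes from SERVER_NAME, i.e. from the Host header. */
function from_address_from_request(array $server): string
{
    return 'wordpress@' . bare_domain($server['SERVER_NAME'] ?? 'localhost');
}

/** Hardened pattern: sender domain comes from the configured site URL, never the request. */
function from_address_from_config(string $configuredSiteUrl): string
{
    $host = parse_url($configuredSiteUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new RuntimeException('configured site URL has no host component');
    }
    return 'wordpress@' . bare_domain($host);
}

// Constructed request environment: the attacker sent
//   POST /wp-login.php?action=lostpassword HTTP/1.1
//   Host: attacker.example
// and the default virtual host accepted it, so SERVER_NAME reflects that header.
$spoofedRequest = [
    'SERVER_NAME' => 'attacker.example',
    'REQUEST_URI' => '/wp-login.php?action=lostpassword',
];

// Trusted configuration, as stored at install time (not taken from any request).
$siteUrl = 'https://www.blog.example/';

printf("From derived from the request: %s\n", from_address_from_request($spoofedRequest));
printf("From derived from config:      %s\n", from_address_from_config($siteUrl));
```

The request-derived address lands in attacker.example, the config-derived one in blog.example, on the same spoofed request. The same rule applies to anything else that builds an absolute URL or an address for out-of-band use (reset links, notification mail, cache keys): take the host from the stored site URL, and where the Host header must be honoured at all, validate it against an explicit allow-list first.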
wordpress (4.7.5+dfsg-1) unstable; urgency=high

  * New upstream release fixes 6 security issues Closes: #862816
    CVEs to be added once issued
    - CVE-2017-XXX Insufficient redirect validation in the HTTP class.
    - CVE-2017-XXX Improper handling of post meta data values in the XML-RPC API.
    - CVE-2017-XXX Lack of capability checks for post meta data in the XML-RPC API.
    - CVE-2017-XXX A Cross Site Request Forgery (CSRF) vulnerability was discovered
      in the filesystem credentials dialog.
    - CVE-2017-XXX A cross-site scripting (XSS) vulnerability was discovered when
      attempting to upload very large files.
    - CVE-2017-XXX A cross-site scripting (XSS) vulnerability was discovered related
      to the Customizer.

 -- Craig Small <email address hidden>  Wed, 17 May 2017 22:28:18 +1000
Available diffs
- diff from 4.7.4+dfsg-1 to 4.7.5+dfsg-1 (53.3 KiB)