Change log for wordpress package in Debian

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium

  * Backport patches from 4.7.3 Closes: #857026
    - CVE-2017-6814
      Cross-site scripting (XSS) via media file metadata.
      Changeset 40155
    - CVE-2017-6815
      Control characters can trick redirect URL validation.
      Changeset 40190
    - CVE-2017-6816
      Unintended files can be deleted by administrators using the plugin
      deletion functionality.
      Changeset 40176
    - CVE-2017-6817
      Cross-site scripting (XSS) via video URL in YouTube embeds.
      Changeset 40167
  * Not vulnerable:
    - CVE-2017-6819
      Cross-site request forgery (CSRF) in Press This leading to excessive
      use of server resources.
      Press This introduced in 4.2
    - CVE-2017-6818
      Cross-site scripting (XSS) via taxonomy term names.

 -- Craig Small <email address hidden>  Thu, 16 Mar 2017 06:19:41 +1100
Superseded in sid-release
wordpress (4.7.4+dfsg-1) unstable; urgency=medium

  * New upstream maintenance release

 -- Craig Small <email address hidden>  Sat, 22 Apr 2017 09:01:42 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.7.3+dfsg-1) unstable; urgency=high

  * New upstream release fixes 6 security issues Closes: #857026
  * Will update CVE IDs when available
    - CVE-2016-XXX
      Cross-site scripting (XSS) via media file metadata.
    - CVE-2016-XXX
      Control characters can trick redirect URL validation.
    - CVE-2016-XXX
      Unintended files can be deleted by administrators using the plugin
      deletion functionality.
    - CVE-2016-XXX
      Cross-site scripting (XSS) via video URL in YouTube embeds.
    - CVE-2016-XXX
      Cross-site scripting (XSS) via taxonomy term names.
    - CVE-2016-XXX
      Cross-site request forgery (CSRF) in Press This leading to excessive
      use of server resources.

 -- Craig Small <email address hidden>  Tue, 07 Mar 2017 21:59:02 +1100

Superseded in stretch-release
Superseded in sid-release
wordpress (4.7.2+dfsg-1) unstable; urgency=high

  *  New upstream release fixes 3 security issues Closes: #852767
     - CVE-2017-5610
       The user interface for assigning taxonomy terms in Press This is
       shown to users who do not have permissions to use it.
     - CVE-2017-5611
       WP_Query is vulnerable to a SQL injection (SQLi)
     - CVE-2017-5612
       XSS in the posts list table
  
 -- Craig Small <email address hidden>  Sun, 29 Jan 2017 08:22:44 +1100

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches/CVE-2016-6635.patch:
    - don't duplicate wp_encode_json() which has already been backported
      upstream, just merge later changes, fix regression in the previous
      upload.                                                   closes: #839190
  * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.

 -- Yves-Alexis Perez <email address hidden>  Sat, 01 Oct 2016 11:38:14 +0200
Superseded in stretch-release
Superseded in sid-release
wordpress (4.7.1+dfsg-1) unstable; urgency=high

  * New upstream release fixes 8 security issues, Closes: #851310 
    - Cryptographically Weak Pseudo-Random Number Generator
    - Accessibility Mode Cross-Site Request Forgery (CSRF)
    - Post via Email Checks mail.example.com by Default
    - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    - Cross-Site Request Forgery (CSRF) via Flash Upload
    - Authenticated Cross-Site scripting (XSS) in update-core.php
    - User Information Disclosure via REST API
    - Potential Remote Command Execution (RCE) in PHPMailer

 -- Craig Small <email address hidden>  Sat, 14 Jan 2017 09:30:12 +1100

Superseded in stretch-release
Superseded in sid-release
wordpress (4.7+dfsg-2) unstable; urgency=medium

  * Add virtual-mysql-* as an option Closes: #847597

 -- Craig Small <email address hidden>  Sat, 10 Dec 2016 06:57:01 +1100

Superseded in sid-release
wordpress (4.7+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Removed theme twentyfourteen
  * Added new theme twentyseventeen

 -- Craig Small <email address hidden>  Wed, 07 Dec 2016 22:14:14 +1100

Superseded in stretch-release
Superseded in sid-release
wordpress (4.6.1+dfsg-2) unstable; urgency=medium

  * Remove -e from for loop Closes: #845388
  * Thanks to Santiago Vila for above patch
  * Update and fix the language files

 -- Craig Small <email address hidden>  Wed, 30 Nov 2016 22:40:08 +1100

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u9) jessie-security; urgency=high

  * Backport patches from 4.5.3/4.1.12 Closes: #828225
  * Fixes CVE-2016-5834, CVE-2016-5838, CVE-2016-5839
  * Changeset 37762 admin auth redirect
  * Changeset 37773 Customizer urls CVE-2016-5832
  * Changeset 37781 Category check CVE-2016-5837
  * Changeset 37790 admin escape attach
  * Changeset 37800 Revision capability CVE-2016-5835
  * Changeset 37815 escape url permalinks
  * Changeset 37818 media extensionless filenames
  * Changeset 32387 CVE-2015-8834 XSS in comments

 -- Craig Small <email address hidden>  Wed, 06 Jul 2016 20:52:08 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.6.1+dfsg-1) unstable; urgency=medium

  * New upstream security release, Closes: #837090, fixes CVE-2016-6896 and
    CVE-2016-6897

 -- Craig Small <email address hidden>  Fri, 09 Sep 2016 21:56:22 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.5.3+dfsg-1) unstable; urgency=medium

  * New upstream release, various security fixes
  * Update tinymce missing sources

 -- Craig Small <email address hidden>  Thu, 23 Jun 2016 22:18:26 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.5.2+dfsg-2) unstable; urgency=medium

  * Updated language files Closes: #772498
  * Add alias to nginx example configuration
  * Add warning in description and README about googleapis
    Closes: #781449

 -- Craig Small <email address hidden>  Mon, 13 Jun 2016 12:29:11 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.5.2+dfsg-1) unstable; urgency=high

  * New upstream release
  * Fixes reflected XSS attack in plupload Closes: #823640
  * Do not use old mediaelement

 -- Craig Small <email address hidden>  Sat, 07 May 2016 12:39:47 +1000
Superseded in sid-release
wordpress (4.5.1+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Update to standard version 3.9.8

 -- Craig Small <email address hidden>  Mon, 02 May 2016 22:18:13 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.5+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Wed, 13 Apr 2016 21:07:16 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.4.2+dfsg-3) unstable; urgency=medium

  * Keep php5* alternates Closes: #820288

 -- Craig Small <email address hidden>  Thu, 07 Apr 2016 21:28:32 +1000
Superseded in sid-release
wordpress (4.4.2+dfsg-2) unstable; urgency=medium

  * Update libphp-phpmailer dependency Closes: #818870
  * Update to non-version PHP dependencies
  * Update to standards 3.9.7 no change

 -- Craig Small <email address hidden>  Tue, 05 Apr 2016 22:13:33 +1000
Published in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u10) wheezy-security; urgency=high

  * Changeset 36435 fixes SSRF for URLs CVE-2016-2222
  * Changeset 36444 improved redirect checking CVE-2016-2221
  * Closes: #813697

 -- Craig Small <email address hidden>  Sat, 06 Feb 2016 15:40:51 +1100
Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u8) jessie-security; urgency=high

  * Changeset 36435 fixes SSRF for URLs CVE-2016-2222
  * Changeset 36444 improved redirect checking CVE-2016-2221
  * Closes: #813697

 -- Craig Small <email address hidden>  Sat, 06 Feb 2016 15:13:23 +1100
Superseded in stretch-release
Superseded in sid-release
wordpress (4.4.2+dfsg-1) unstable; urgency=medium

  * New upstream release Closes: #813697
  * Fixes open redirection attack CVE-2016-2221
  * Fixes possible SSRF for local URIs CVE-2016-2222

 -- Craig Small <email address hidden>  Fri, 05 Feb 2016 20:34:42 +1100

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u7) jessie-security; urgency=high

  * Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325

 -- Craig Small <email address hidden>  Sat, 09 Jan 2016 08:21:54 +1100
Superseded in stretch-release
Superseded in sid-release
wordpress (4.4.1+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Fixes XSS vulnerability Closes: #810325

 -- Craig Small <email address hidden>  Fri, 08 Jan 2016 22:05:11 +1100

Superseded in stretch-release
Superseded in sid-release
wordpress (4.4+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Add languages directory to install Closes: #798382
  * Update the setup-mysql script to use correct wp-content dirs
    Closes: #755530, #311821, #732134, #783331
  * Updated language files

 -- Craig Small <email address hidden>  Fri, 11 Dec 2015 21:37:01 +1100

Superseded in stretch-release
Superseded in sid-release
wordpress (4.3.1+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Fixes CVE-2015-5714 CVE-2015-5715 Closes: #799140

 -- Craig Small <email address hidden>  Fri, 18 Sep 2015 20:54:53 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.3+dfsg-2) unstable; urgency=medium

  * Backport changeset 33646 to fix cron entries Closes: #798350

 -- Craig Small <email address hidden>  Tue, 08 Sep 2015 22:22:11 +1000
Superseded in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u6) wheezy-security; urgency=high

  * Wordpress 4.2.1 and 4.1.2 security fixes
  * Backports of 4.1.2 security fixes Closes: #783347
    - Changeset 32163 sanity checks
    - Changeset 32165 sanitize order by
    - Changeset 32174 multisite change extra checks
    - Changeset 32176 Dashboard escapes titles
    - Changeset 32234 More WPDB query sanity
  * Backport of 4.2.1 for security fixes Closes: #783554
    - Changeset 32307: XSS for long 64k+ comments
  * Changeset 32172 NOT applied as bug introduced later

 -- Craig Small <email address hidden>  Sat, 02 May 2015 14:04:44 +1000
Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high

  * Rework changeset 33359 reliable shortcodes CVE-2015-5622 Closes: #794548
  * Backports of 4.2.4 security fixes Closes: #794560
  * Changeset 33555 SQL Injection CVE-2015-2213
  * Changeset 33535 fixes timing attack CVE-2015-4730
  * Changeset 33542 prevent posts lock attack CVE-2015-5731
  * Changeset 33529 XSS widget title CVE-2015-5732
  * CVE-2015-5733: Not vulnerable CS32176 fixes this
  * Changeset 33549 theme preview XSS CVE-2015-5734

 -- Craig Small <email address hidden>  Wed, 05 Aug 2015 22:44:20 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.3+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Adjusted some wp-content directories
  * Added symlink for themes

 -- Craig Small <email address hidden>  Wed, 19 Aug 2015 22:48:32 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.2.4+dfsg-1) unstable; urgency=high

  * New upstream release
  * Security fix for 3 XSS and a SQL injection bugs Closes: #794560

 -- Craig Small <email address hidden>  Tue, 04 Aug 2015 22:48:41 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.2.3+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Moved theme to Recommends Closes: #784689
  * Remove reference to TODO Closes: #786427

 -- Craig Small <email address hidden>  Fri, 24 Jul 2015 20:54:50 +1000

Superseded in jessie-release
wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high

  * Backports of 4.1.2 security fixes Closes: #783347
    - Changeset 32163 sanity checks
    - Changeset 32165 sanitize order by
    - Changeset 32172 filename check
    - Changeset 32174 multisite change extra checks
    - Changeset 32176 Dashboard escapes titles
    - Changeset 32234 More WPDB query sanity
  * Backport of 4.2.1 for security fixes Closes: #783554
    - Changeset 32307: XSS for long 64k+ comments

 -- Craig Small <email address hidden>  Sat, 02 May 2015 12:59:53 +1000
Superseded in stretch-release
Superseded in sid-release
wordpress (4.2.2+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Fixes security bug in themes on genericons Closes: #784603

 -- Craig Small <email address hidden>  Wed, 13 May 2015 22:32:03 +1000

Superseded in stretch-release
Superseded in sid-release
wordpress (4.2.1+dfsg-1) unstable; urgency=high

  * New Security release Closes: #783554
  * Patches another XSS due to field length

 -- Craig Small <email address hidden>  Tue, 28 Apr 2015 08:32:48 +1000

Superseded in sid-release
wordpress (4.2+dfsg-1) unstable; urgency=high


  * New upstream release
  * Fixes security bugs:
    - XSS vulnerability
    - files with invalid or unsafe names could be added
    - another limited XSS
    - some plugins vulnerable to SQL injection
  * README.debian: Added permission note for config file Closes: #773079
  * Added php5-ssh2 to suggests Closes: #783333
  * Added nginx example Closes: #783334

 -- Craig Small <email address hidden>  Sun, 26 Apr 2015 21:35:58 +1000
Superseded in sid-release
wordpress (4.1.1+dfsg-1) unstable; urgency=medium


  * New upstream release

 -- Craig Small <email address hidden>  Sat, 28 Feb 2015 11:17:46 +1100

Superseded in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u5) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Backport patches for 3.7.4->3.7.5 Closes: #770425
  * The patches fix the following security bugs:
    - CVE-2014-9031 XSS in wptexturize() via comments or posts
    - CVE-2014-9033 CSRF in the password reset process
    - CVE-2014-9034 Denial of service for giant passwords
    - CVE-2014-9035 XSS in Press This
    - CVE-2014-9036 XSS in HTML filtering of CSS in posts
    - CVE-2014-9037 Hash comparison vulnerability in old passwords
    - CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block
      the loopback IP address space
    - CVE-2014-9039 Email address change didn't invalidate previously sent
      password reset

 -- Craig Small <email address hidden>  Wed, 03 Dec 2014 17:49:41 +1100
Superseded in jessie-release
Superseded in sid-release
wordpress (4.1+dfsg-1) unstable; urgency=medium


  * New upstream release
  * Changed trigger to noawait Closes: #772862
  * Updated apache example Closes: #773075
  * Updated to standards 3.9.6
  * Added getid3 and mediaelement to linktree Closes: #762523
  * Removed two unbuildable mediaelement files

 -- Craig Small <email address hidden>  Sat, 20 Dec 2014 15:31:21 +1100

Superseded in jessie-release
Superseded in sid-release
wordpress (4.0.1+dfsg-2) unstable; urgency=medium


  * Fixed i18n updates
  * twentyfourteen theme has translations Closes: #772205

 -- Craig Small <email address hidden>  Sat, 06 Dec 2014 18:54:49 +1100

Superseded in jessie-release
Superseded in sid-release
wordpress (4.0.1+dfsg-1) unstable; urgency=high


  * New upstream release
  * Fixes several security bugs Closes: #770425
    - Three cross-site scripting issues that a contributor or
      author could use to compromise a site.
    - A cross-site request forgery that could be used to trick a
      user into changing their password.
    - An issue that could lead to a denial of service when
      passwords are checked.
    - Additional protections for server-side request forgery
      attacks when WordPress makes HTTP requests.
    - An extremely unlikely hash collision could allow a user’s
      account to be compromised, that also required that they
      haven’t logged in since 2008.
    - WordPress now invalidates the links in a password reset email
      if the user remembers their password, logs in, and changes
      their email address.

 -- Craig Small <email address hidden>  Sat, 22 Nov 2014 19:29:37 +1100

Superseded in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u4) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Import Wordpress 3.9.2 changesets Closes: #757312
  * Changeset 29405 - Ignore entities in XML-RPC
  * Changeset 29390 - Disable entities in ID3
  * Changeset 29384 - Constant time for wp_verify_nonce
  * Changeset 29408 - delimiters on nonce
  * Changeset 29398 - Escape late in get_avatar

 -- Craig Small <email address hidden>  Thu, 07 Aug 2014 22:42:41 +1000
Superseded in jessie-release
Superseded in sid-release
wordpress (4.0+dfsg-1) unstable; urgency=medium


  * New upstream release

 -- Craig Small <email address hidden>  Fri, 05 Sep 2014 20:58:06 +1000

Superseded in jessie-release
Superseded in sid-release
wordpress (3.9.2+dfsg-1) unstable; urgency=high


  * New Upstream release
  * Fixes XML Security bug Closes: #757312

 -- Craig Small <email address hidden>  Thu, 07 Aug 2014 18:26:39 +1000

Published in squeeze-release
wordpress (3.6.1+dfsg-1~deb6u4) squeeze-security; urgency=medium


  * Non-maintainer upload by the Security Team.
  * fixed dependency for libjs-cropper Closes: #745189

 -- Craig Small <email address hidden>  Mon, 21 Apr 2014 09:47:09 +1000
Superseded in jessie-release
Superseded in sid-release
wordpress (3.9.1+dfsg-1) unstable; urgency=medium


  * New upstream release
  * Use system CA certificate file Closes: #748965

 -- Craig Small <email address hidden>  Wed, 11 Jun 2014 22:33:48 +1000

Superseded in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u3) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Import Wordpress 3.8.3 changesets to fix Quick Drafts
    that was broken in 3.6.1+dfsg-1~deb7u2 Closes: #745030
    - Changeset 28073
    - Changeset 28114

 -- Craig Small <email address hidden>  Thu, 17 Apr 2014 19:37:47 +1000
Superseded in jessie-release
Superseded in sid-release
wordpress (3.9+dfsg-1) unstable; urgency=medium


  * New upstream release
  * 3.9 seems to handle different locations for plugins so the
    plugin directory handling patches have been cut back.

 -- Craig Small <email address hidden>  Thu, 17 Apr 2014 20:56:19 +1000

Superseded in sid-release
wordpress (3.8.3+dfsg-1) unstable; urgency=medium


  * New upstream release - fixes Quick Draft tool that broke in 3.8.2

 -- Craig Small <email address hidden>  Wed, 16 Apr 2014 22:48:26 +1000
Superseded in jessie-release
Superseded in sid-release
wordpress (3.8.2+dfsg-1) unstable; urgency=high


  * New upstream release Fixes CVE-2014-0165, CVE-2014-0166
    and Closes: #744019

 -- Craig Small <email address hidden>  Wed, 09 Apr 2014 22:13:54 +1000

Superseded in squeeze-release
wordpress (3.6.1+dfsg-1~deb6u1) squeeze-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
    in Squeeze:                                                 closes: #722537
    - CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
    execution.
    - CVE-2013-4339: improper input validation in URL parsing can lead to
    arbitrary redirection.
    - CVE-2013-4340: privilege escalation allowing a user with an author role
    to create an entry appearing as written by another user.
    - CVE-2013-5738: authenticated users can conduct cross-site scripting
    attacks (XSS) using crafted html file uploads.
    - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
    for .swf and .exe files, making it easier for authenticated users to
    conduct XSS attacks.

 -- Yves-Alexis Perez <email address hidden>  Sat, 14 Sep 2013 10:30:29 +0200
Superseded in jessie-release
Superseded in sid-release
wordpress (3.8.1+dfsg1-2) unstable; urgency=medium


  * Updated copyright file Closes: #736514

 -- Craig Small <email address hidden>  Fri, 14 Feb 2014 22:03:49 +1100

Superseded in sid-release
wordpress (3.8.1+dfsg1-1) unstable; urgency=medium


  * Added Breaks/Replaces for combined wordpress Closes: #736688
  * Removed moxieplayer.swf and added missing sources Closes: #736804

 -- Craig Small <email address hidden>  Thu, 06 Feb 2014 22:42:07 +1100
Superseded in wheezy-release
wordpress (3.6.1+dfsg-1~deb7u1) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
    in Squeeze                                                   closes: #72253
    - CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
    execution.
    - CVE-2013-4339: improper input validation in URL parsing can lead to
    arbitrary redirection.
    - CVE-2013-4340: privilege escalation allowing a user with an author
    role to create an entry appearing as written by another user.
    - CVE-2013-5738: authenticated users can conduct cross-site scripting
    attacks (XSS) using crafted html file uploads.
    - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
    for .swf and .exe files, making it easier for authenticated users to
    conduct XSS attacks.

 -- Yves-Alexis Perez <email address hidden>  Sat, 14 Sep 2013 10:35:45 +0200
Superseded in sid-release
wordpress (3.8.1+dfsg-1) unstable; urgency=medium


  * New upstream release.
  * Depend on either mysql or mariadb client Closes: #732914

 -- Craig Small <email address hidden>  Fri, 24 Jan 2014 22:20:08 +1100

Superseded in jessie-release
Superseded in sid-release
wordpress (3.7.1+dfsg-1) unstable; urgency=low


  * New upstream release.
  * Enable usage of php5-mysqlnd as an alternative to php5-mysql.
    Closes: #722552
  * Improve wp-setup to cope with plugins/themes directories with
    spaces. Thanks to Oskar Liljeblad <email address hidden> for the patch.
    Closes: #723074
  * Refresh patches

 -- Raphaël Hertzog <email address hidden>  Wed, 13 Nov 2013 20:41:09 +0100

Superseded in squeeze-release
wordpress (3.5.2+dfsg-1~deb6u1) squeeze-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * Import wordpress from Jessie to fix all the security issues present in
    Squeeze.

 -- Yves-Alexis Perez <email address hidden>  Sat, 29 Jun 2013 13:49:37 +0200
Superseded in wheezy-release
wordpress (3.5.2+dfsg-1~deb7u1) wheezy-security; urgency=low


  * New upstream release with many security fixes. Closes: #713947
    * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
    * Privilege Escalation: Contributors can publish posts, and users can
      reassign authorship. CVE-2013-2200.
    * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
    * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
    * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
      CVE-2013-2204.
    * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
    * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
  * Additional security hardening includes:
    * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
      CVE-2013-2201.
    * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
      Plugins/Themes. CVE-2013-2201.
    * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
  * Update the Vcs-Git and Vcs-Browser URLs.
  * Update Standards-Version to 3.9.4.

 -- Raphaël Hertzog <email address hidden>  Tue, 25 Jun 2013 15:52:07 +0200
Superseded in jessie-release
Superseded in sid-release
wordpress (3.6.1+dfsg-1) unstable; urgency=high


  * New upstream security release.

 -- Raphaël Hertzog <email address hidden>  Thu, 12 Sep 2013 07:58:57 +0200

Superseded in sid-release
wordpress (3.6+dfsg-1) unstable; urgency=low


  * New upstream release.
  * Improve wp-settings to verify that $_SERVER['HTTP_X_FORWARDED_PROTO']
    exists before accessing it (avoids a PHP notice).
    Thanks to Paul Dreik <email address hidden> for the report and the patch.
  * Document in README.Debian the need to login to /wp-admin/ to complete
    an upgrade.
  * Drop useless debian/README.source
  * Drop 008CVE2008-2392.patch since upstream now disables unfiltered
    uploads by default. See http://core.trac.wordpress.org/ticket/10692
  * Drop 009CVE2008-6767.patch since the backto parameter is validated
    against a whitelist, and externally triggered upgrades are not a
    security problem as long as they work.
  * Update debian/missing-sources with latest versions.
  * Update upstream l10n.

 -- Raphaël Hertzog <email address hidden>  Wed, 04 Sep 2013 23:18:58 +0200

Superseded in jessie-release
Superseded in sid-release
wordpress (3.5.2+dfsg-1) unstable; urgency=low


  * New upstream release with many security fixes. Closes: #713947
    * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
    * Privilege Escalation: Contributors can publish posts, and users can
      reassign authorship. CVE-2013-2200.
    * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
    * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
    * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
      CVE-2013-2204.
    * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
    * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
  * Additional security hardening includes:
    * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
      CVE-2013-2201.
    * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
      Plugins/Themes. CVE-2013-2201.
    * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
  * Update the Vcs-Git and Vcs-Browser URLs.
  * Update Standards-Version to 3.9.4.

 -- Raphaël Hertzog <email address hidden>  Tue, 25 Jun 2013 15:52:07 +0200

Superseded in jessie-release
Superseded in wheezy-release
Superseded in sid-release
wordpress (3.5.1+dfsg-2) unstable; urgency=low


  * Only replace tinymce files by symlinks if the content is exactly the same.
    Closes: #700289
  * Update debian/get-upstream-i18n to include supplementary PO files
    and use a more efficient method to update them. Closes: #697208

 -- Raphaël Hertzog <email address hidden>  Mon, 11 Feb 2013 13:56:18 +0100

Superseded in sid-release
wordpress (3.5.1+dfsg-1) unstable; urgency=low


  * New upstream maintenance and security release. Closes: #698916

 -- Raphaël Hertzog <email address hidden>  Mon, 28 Jan 2013 17:15:27 +0100

Superseded in sid-release
wordpress (3.5+dfsg-1) unstable; urgency=low


  * New upstream release.
  * Fix sample apache.conf so that Alias directives are in the proper order
    (from the most specific to the least specific). Closes: #693122
    Thanks to Jérôme Marant for the report.
  * Update debian/missing-sources/ with latest upstream changes.
  * Update all translations.
  * Try to deduplicate (i.e. replace with symlinks) backbone.js and
    underscore.js too.
  * Drop debian/patches/006rss_language.patch, the rss_language option
    is no longer used.
  * Update/refresh all other patches on top of the new release.
  * Update lintian overrides and debian/wordpress.linktrees to match the
    latest changes concerning javascript libraries shipped by WordPress.
  * Document the loss of the twentyten theme.

 -- Raphaël Hertzog <email address hidden>  Fri, 21 Dec 2012 14:17:50 +0100

Superseded in squeeze-release
wordpress (3.3.2+dfsg-1~squeeze1) stable-security; urgency=low


  * Import wordpress from Wheezy to fix all the security issues present in
    Squeeze. This fixes:
    - CVE-2011-3122, CVE-2011-3125, CVE-2011-3126, CVE-2011-3127,
      CVE-2011-3128, CVE-2011-3129, CVE-2011-3130 (multiple unspecified
      vulnerabilities) which were allocated from
      the Wordpress 3.1.3 / 3.2 beta2 release announcement
    - CVE-2011-4956 (missing input sanitization) and CVE-2011-4957 (missing
      URL length check in make_clickable() function) allocated from Wordpress
      3.1.1 release announcement.
    - CVE-2012-2399 (unspecified vulnerability in
      wp-includes/js/swfupload/swfupload.swf), CVE-2012-2400 (unspecified
      vulnerability in wp-includes/js/swfobject.js), CVE-2012-2401 (Same-Origin
      Policy bypass in Plupload plugin), CVE-2012-2402 (access restriction
      bypass by authenticated site administrators), CVE-2012-2403 (Wordpress
      supports clickable links inside attributes, making it easier to conduct
      XSS attacks) CVE-2012-2404 (Wordpress supports offsite redirects,
      making it easier to conduct XSS attacks), which were allocated from the
      3.3.2 release announcement.                               closes: #670124
  * debian/wordpress.linktrees:
    - don't symlink TinyMCE, it's too old in Squeeze.
    - don't deduplicate jquery, same thing.
    - don't deduplicate jquery-form, doesn't exist in Squeeze.
  * debian/control:
    - drop build-dep on tinymce, libjs-jquery and libjs-jquery-form, we'll use 
      the embedded versions.

 -- Yves-Alexis Perez <email address hidden>  Thu, 10 May 2012 23:00:46 +0200
Superseded in wheezy-release
Superseded in sid-release
wordpress (3.4.2+dfsg-1) unstable; urgency=low


  * New upstream security & bugfix release. 
  * Also setup languages symlink in setup-mysql. Closes: #684628
    Thanks to Jun NOGATA <email address hidden> for the analysis.
  * Add new patch 011support-symlinks-for-plugins.patch grabbed
    in the upstream ticket to allow plugin directories to be
    symlinks (which is required for the Debian package since
    we put symlinks in /var/lib/wordpress/wp-content/plugins/).
    Closes: #686228

 -- Raphaël Hertzog <email address hidden>  Wed, 12 Sep 2012 14:52:14 +0200

Superseded in wheezy-release
Superseded in sid-release
wordpress (3.4.1+dfsg-1) unstable; urgency=high


  * New upstream security & bugfix release.

 -- Raphaël Hertzog <email address hidden>  Tue, 03 Jul 2012 08:36:08 +0200

Superseded in wheezy-release
Superseded in sid-release
wordpress (3.4+dfsg-3) unstable; urgency=low


  * [f7a1c09] Drop useless postrm.
  * [d92219b] Add a prerm script calling wp-setup --purge-wp-content on
    remove. Closes: #678842
  * [2fbf903] Allow wp-setup to symlink files as well as directories.
  * [cef928f] Let wp-setup also manage
    /var/lib/wordpress/wp-content/languages/.
  * [ac86408] Densify output of wp-setup.

 -- Raphaël Hertzog <email address hidden>  Tue, 26 Jun 2012 10:47:25 +0200

Superseded in sid-release
wordpress (3.4+dfsg-2) unstable; urgency=low


  * [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that
    users are correctly informed of the latest changes.
  * [e3b7b1c] Improve preinst to also move the
    /usr/share/wordpress/wp-content/uploads directory to its new location in
    /var/lib/wordpress/wp-content/. The package never created this directory
    but many users probably created it and we need to do this to let dpkg
    install the symlink that we put into place.
  * [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content.
    When activated, it will execute wp-setup --sync-wp-content
    which updates /var/lib/wordpress/wp-content/ with symlinks
    to plugins/themes that have been added and it drops symlinks
    to plugins/themes which have disappeared. (Closes: #677889)

 -- Raphaël Hertzog <email address hidden>  Thu, 21 Jun 2012 20:44:53 +0200

Superseded in sid-release
wordpress (3.4+dfsg-1) unstable; urgency=low

  * New upstream release. Closes: #677534

  [ Raphaël Hertzog ]
  * [a1c0409] Refresh and update all patches to correctly apply on version
    3.4.
  * [3804496] Update debian/missing-sources/ to match the current versions of
    embedded javascript and flash files.
  * [185b051] Drop the old "default" theme (and its French translation)
  * [966ce6c] Grab latest translations
  * [1983326] Update Standards-Version to 3.9.3 (no change).
  * [29c48b6] Increase debhelper compat level to 9.
  * [73e16d0] Replace debian/dh_linktree by the packaged version.
  * [359b660] Update debian/wordpress.linktrees to match latest developments.
  * [645b650] Let setup-mysql lowercase the FQDN since the configuration
    scheme expects this. Thanks to Chris Butler <email address hidden> for the
    report (Closes: #658395)
  * [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted
    permissions (Closes: #616400)
  * [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only
    a dispatcher to the real configuration file (Closes: #592502)
  * [b602372] Improve wp-config.php so that WordPress works behind an https
    reverse-proxy.
  * [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985,
    #639980)
  * [683a908] Update wp-config.php to not redefine constants which have
    already been set.  Thanks to Richard van den Berg <email address hidden> for
    the report. (Closes: #613283)
  * [315eb68] Let wordpress-l10n depend on the same version as wordpress.
    (Closes: #623557)
  * [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to
    /var/lib/wordpress/wp-content. And the package provides this new directory
    appropriately setup with write rights to www-data on blogs.dir and
    uploads. themes and plugins are root-owned directories with symlinks
    pointing back to the default themes and plugins. (Closes: #675469)
  * [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use
    $upload_dir). (Closes: #658508)
  * [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js.
  * [8d46dab] Use dpkg-maintscript-helper to drop obsolete
    /etc/wordpress/wp-config.php

  [ Martin Bagge / brother ]
  * [56d0a34] Improve the setup script to be able to use a remote MySQL
    server.

 -- Raphaël Hertzog <email address hidden>  Sat, 16 Jun 2012 01:19:20 +0200
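The maintainer-script behaviour described in the 3.4+dfsg-2 and 3.4+dfsg-1 entries above (the preinst that moves a user-created uploads directory out of /usr/share so that dpkg can unpack the symlink, the trigger that syncs plugin/theme symlinks under /var/lib/wordpress/wp-content, and the split between root-owned code directories and www-data-writable data directories) as an added shell example. This is not the package's own wp-setup script: the function names migrate_uploads, layout_wp_content and sync_wp_content, the WP_SHARE/WP_VAR/WP_OWNER override variables, and the merge policy when both uploads directories exist are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not the Debian package's wp-setup: a minimal reimplementation
# of the maintainer-script behaviour described in the changelog entries.
# WP_SHARE, WP_VAR and WP_OWNER are assumed names; they default to the
# package's real paths and user but can be overridden to exercise the script
# in a scratch directory as an unprivileged user.
set -eu

WP_SHARE="${WP_SHARE:-/usr/share/wordpress/wp-content}"   # shipped by the package, root-owned
WP_VAR="${WP_VAR:-/var/lib/wordpress/wp-content}"         # WP_CONTENT_DIR
WP_OWNER="${WP_OWNER:-www-data}"

# preinst step: dpkg refuses to replace a real directory with a symlink, so a
# user-created /usr/share/wordpress/wp-content/uploads has to be moved to the
# new location before the package's uploads symlink is unpacked.
migrate_uploads() {
    old="$WP_SHARE/uploads"
    new="$WP_VAR/uploads"
    if [ -d "$old" ] && [ ! -L "$old" ]; then
        mkdir -p "$WP_VAR"
        if [ -d "$new" ]; then
            # Both exist (assumed policy): merge the old tree into the new one.
            cp -a "$old"/. "$new"/
            rm -rf "$old"
        else
            mv "$old" "$new"
        fi
    fi
}

# Lay out WP_CONTENT_DIR. Code directories stay root-owned (the web server
# must not be able to write PHP into them); only the data directories are
# handed to the web server user. A real maintainer script should let chown
# fail hard; here it only warns so the script can be tried out unprivileged.
layout_wp_content() {
    for d in plugins themes languages; do
        mkdir -p "$WP_VAR/$d"
        chmod 0755 "$WP_VAR/$d"
    done
    for d in uploads blogs.dir; do
        mkdir -p "$WP_VAR/$d"
        chmod 0755 "$WP_VAR/$d"
        chown "$WP_OWNER:$WP_OWNER" "$WP_VAR/$d" 2>/dev/null \
            || echo "warning: could not chown $WP_VAR/$d to $WP_OWNER" >&2
    done
}

# trigger step (wp-setup --sync-wp-content): for plugins/ and themes/, add a
# symlink for every entry shipped in $WP_SHARE and drop symlinks that point
# into $WP_SHARE but no longer resolve. Real directories, i.e. plugins or
# themes the administrator installed into $WP_VAR, are never touched.
sync_wp_content() {
    for kind in plugins themes; do
        src="$WP_SHARE/$kind"
        dst="$WP_VAR/$kind"
        mkdir -p "$dst"
        for entry in "$src"/*; do
            [ -e "$entry" ] || continue            # empty directory: glob did not match
            link="$dst/$(basename "$entry")"
            if [ ! -e "$link" ] && [ ! -L "$link" ]; then
                ln -s "$entry" "$link"
            fi
        done
        for link in "$dst"/*; do
            [ -L "$link" ] || continue             # only symlinks are candidates
            case "$(readlink "$link")" in
                "$src"/*) [ -e "$link" ] || rm -f "$link" ;;   # dangling and ours: drop
            esac
        done
    done
}

# Typical order on install or upgrade:
#   migrate_uploads; layout_wp_content; sync_wp_content
```

Run it as root against the real paths, or with WP_SHARE and WP_VAR pointed at a scratch directory to see what it does. The point of the layout is that a compromised www-data process cannot write into plugins/ or themes/: those directories are root-owned and contain only symlinks into /usr/share, which dpkg controls. The writable paths that remain, uploads/ and blogs.dir/, hold user-supplied files, so the web server should not execute PHP from them.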

Superseded in wheezy-release
Superseded in sid-release
wordpress (3.3.2+dfsg-1) unstable; urgency=high

  * New upstream security release. Closes: #670124
  * Use the embedded copy of SimplePie until #669054 is resolved.

 -- Raphaël Hertzog <email address hidden>  Tue, 24 Apr 2012 00:31:42 +0200

Superseded in wheezy-release
Superseded in sid-release
wordpress (3.3.1+dfsg-1) unstable; urgency=low

  * New upstream security release. Fixes CVE-2012-0287.

 -- Raphaël Hertzog <email address hidden>  Wed, 04 Jan 2012 10:15:05 +0100
Superseded in wheezy-release
Superseded in sid-release
wordpress (3.3+dfsg-1) unstable; urgency=low

  * New upstream release. Closes: #652041
  * [4deb832] Add all the missing sources in debian/missing-sources/.
    (Closes: #646729)
  * [913eba5] Refresh all patches.
  * [ae61778] Use xz compression for the debian tarball to save some space.

 -- Raphaël Hertzog <email address hidden>  Tue, 20 Dec 2011 01:01:50 +0100
Superseded in wheezy-release
Superseded in sid-release
wordpress (3.2.1+dfsg-3) unstable; urgency=medium

  * Upload with urgency medium to speed up the transition to testing a bit,
    since the testing version is broken.
  * [72d01a3] Improve dh_linktree.
    It is now able to generate dependencies and to have different behaviour
    for each file to replace. Modify wordpress.linktrees to ensure we have
    the very same JQuery files but blindly replace all the other files.
    Drop the explicit dependencies in favor of the autogenerated dependencies.
    As a side-effect this fixes installation of widgets which was broken
    by the mismatch of some JQuery ui files.
  * [bbce711] Add lintian overrides for warnings about the embedded copy of JQuery.
    We do a reasonable effort to replace it if it matches.

 -- Raphaël Hertzog <email address hidden>  Thu, 27 Oct 2011 16:01:49 +0200
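The dh_linktree behaviour described in the entry above (replace embedded copies of JavaScript/PHP libraries with symlinks to the packaged ones, but for jQuery only when the files really are the same, and unconditionally for everything else) as an added shell example. It is not Debian's dh_linktree: link_tree, its modes "same" and "replace", and count_links are names assumed here, and it does not generate the package dependencies the real tool derives from the links.

```shell
#!/bin/sh
# Added example, not Debian's dh_linktree. link_tree replaces files under an
# embedded copy of a library with symlinks to the packaged copy, so that a
# security update to the packaged library reaches the application as well.
# Mode "same" links only byte-identical files and reports the rest (what the
# changelog asks for the jQuery files); mode "replace" links every file that
# has a packaged counterpart. Function names and modes are assumed here.
set -eu

# link_tree MODE EMBEDDED_DIR PACKAGED_DIR
# Returns 0 when every candidate file was linked, 1 when "same" mode kept at
# least one differing file. File names are assumed not to contain newlines.
link_tree() {
    mode=$1
    embedded=$2
    packaged=$3
    kept=0
    list=$(mktemp)
    find "$embedded" -type f > "$list"        # regular files only: idempotent on re-run
    while IFS= read -r f; do
        rel=${f#"$embedded"/}
        sys="$packaged/$rel"
        [ -f "$sys" ] || continue              # nothing packaged at that path
        if [ "$mode" = same ] && ! cmp -s "$f" "$sys"; then
            echo "kept $rel: differs from $sys" >&2
            kept=$((kept + 1))
            continue
        fi
        ln -sf "$sys" "$f"                     # regular file -> symlink
    done < "$list"
    rm -f "$list"
    [ "$kept" -eq 0 ]
}

# count_links DIR: number of symlinks under DIR, for checking the result.
count_links() {
    find "$1" -type l | wc -l | tr -d ' '
}
```

The "same" mode is the safety check: it refuses to swap a packaged jQuery or jQuery UI file under a path WordPress expects unless the bytes match, which is exactly the mismatch the entry says broke widget installation. Files in "replace" mode are linked regardless, so a later upgrade of the packaged library changes what WordPress serves.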
Superseded in sid-release
wordpress (3.2.1+dfsg-2) unstable; urgency=low

  * [af74ce2] Add a preinst to drop symlinks to directories for tinymce
    and cropper. The new dh_linktree only symlinks files and hierarchies are
    duplicated. So we have to drop symlinks to directories in the preinst,
    otherwise dpkg installs the new symlinks in the tinymce/cropper
    directories instead of in the wordpress ones.
    Also drop the upgrade code in the postinst converting the same directories
    into symlinks... (Closes: #639733)
  * [0b51c4f] Invite users affected by #639733 to reinstall
    tinymce/libjs-cropper.
  * [55af033] Fix invalid test in postinst (upgrade → configure)
    "upgrade" is not a valid parameter in the postinst. Instead
    we get "configure".

 -- Raphaël Hertzog <email address hidden>  Sat, 22 Oct 2011 17:01:25 +0200
Superseded in wheezy-release
Superseded in sid-release
wordpress (3.2.1+dfsg-1) unstable; urgency=low

  [ Paul Tagliamonte ]
  * [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean
    tarball. It drops all the sourceless flash files. Closes: #625773

  [ Raphaël Hertzog ]
  * [d1035bd] Imported Upstream version 3.2.1+dfsg
  * [b968405] Update and refresh all patches.
  * [10ab97c] Drop manifest.patch because the description in its header
    doesn't make any sense.
  * [87537db] Update dependencies as per new upstream requirements.
  * [0c534ec] Update packaging to avoid using even more embedded PHP/JS
    libraries.
  * [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries.
  * [8690719] Add lintian override for embedded-php-library streams.php since
    it's a false positive.
  * [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed).
  * [938fb15] Update internationalization files.
  * [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can
    be replaced by dh_linktree.

 -- Raphaël Hertzog <email address hidden>  Mon, 08 Aug 2011 23:06:20 +0200