Changelog
wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
* Backport patches from 4.7.5 Closes: #862816
- CVE-2017-9062
Improper handling of post meta data values in the XML-RPC API.
Changeset 40699
- CVE-2017-9065
Lack of capability checks for post meta data in the XML-RPC API.
Changeset 40684
- CVE-2017-9064
A Cross Site Request Forgery (CSRF) vulnerability was discovered
in the filesystem credentials dialog.
Changeset 40730
- CVE-2017-9061
A cross-site scripting (XSS) vulnerability was discovered when
attempting to upload very large files.
Changeset 40743
- CVE-2017-9063
A cross-site scripting (XSS) vulnerability was discovered related
to the Customizer.
Changeset 40711
* CVE-2017-9066 not fixed as the relevant code has changed dramatically
and there is no upstream patch for it.
Insufficient redirect validation in the HTTP class.
* CVE-2017-8295 Don't use client-provided data to form password reset
from email address, from WordPress ticket #23239 Closes: #862053
-- Craig Small <email address hidden> Wed, 24 May 2017 22:24:48 +1000