Changelog
wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high
* Backport security patches from 4.9.1 Closes: #883314
- CVE-2017-17091
Use a properly generated hash for the newbloguser key instead
of a determinate substring.
Changeset 42272
- CVE-2017-17092
Remove the ability to upload JavaScript files for users who
do not have the unfiltered_html capability
Changeset 42275
- CVE-2017-17093
Add escaping to the language attributes used on html elements
Changeset 42273
- CVE-2017-17094
Ensure the attributes of enclosures are correctly escaped in
RSS and Atom feeds
Changeset 42274
* Also backport patch for $wpdb->prepare CVE-2017-16510
Closes: 880528
-- Craig Small <email address hidden> Thu, 04 Jan 2018 18:19:44 +1100