wordpress (5.0.15+dfsg1-0+deb10u1) buster-security; urgency=high

  * Upstream security release Closes: #1003243
    - CVE-2022-21662 - Stored XSS through authenticated users
    - CVE-2022-21663 - Authenticated Object Injection in Multisites
    - CVE-2022-21661 - WordPress: SQL Injection through WP_Query
    - CVE-2022-21664 - SQL injection due to improper sanitization
      in WP_Meta_Query

 -- Craig Small <email address hidden>  Sat, 08 Jan 2022 08:06:09 +1100

wordpress (5.0.12+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 2 bugs Closes: #987065
    - CVE-2021-29450 - Authenticated disclosure of password-protected
      posts and pages.
    - CVE-2021-29447 - Authenticated XXE attack when installation is
      running PHP 8

 -- Craig Small <email address hidden>  Sat, 17 Apr 2021 21:02:47 +1000

wordpress (5.0.11+dfsg1-0+deb10u1) buster-security; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
    - CVE-2020-28039: Protected meta that could lead to arbitrary
      file deletion.
    - CVE-2020-28035: XML-RPC privilege escalation.
    - CVE-2020-28036: XML-RPC privilege escalation.
    - CVE-2020-28032: Hardening deserialization requests.
    - CVE-2020-28037: DoS attack could lead to RCE.
    - CVE-2020-28038: Stored XSS in post slugs.
    - CVE-2020-28033: Disable spam embeds from disabled sites
      on a multisite network.
    - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
    - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Remove duplicated changeset 45974 Closes: #971914

 -- Craig Small <email address hidden>  Tue, 03 Nov 2020 18:02:39 +1100

wordpress (5.0.10+dfsg1-0+deb10u1) buster-security; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046
      Authenticated XSS through embed block
    - CVE-2020-4047
      Authenticated XSS via media attachment page
    - CVE-2020-4048
      Open redirect in wp_validate_redirect()
    - CVE-2020-4049
      Authenticated self-XSS via theme uploads
    - CVE-2020-4050
      'set-screen-option' filter misuse by plugins leading to privilege
      escalation
  * Prevent unmoderated comments from search engine indexation

 -- Craig Small <email address hidden>  Fri, 19 Jun 2020 15:46:30 +1000

wordpress (5.0.4+dfsg1-1+deb10u1) buster-security; urgency=medium

  * Backport of the 5.3.1 security release Closes: #946905
    - CVE-2019-20043
      an unprivileged user could make a post sticky via the REST API.
    - CVE-2019-20042
      cross-site scripting (XSS) could be stored in well-crafted links
    - CVE-2019-20041
      hardening wp_kses_bad_protocol() to ensure that it is aware
      of the named colon attribute.
    - CVE-2019-16780 and CVE-2019-16781
      stored XSS vulnerability using block editor content.
  * Backport of the 5.2.4 security release Closes: #942459
    - CVE-2019-17674
      Stored XSS in the Customizer
    - CVE-2019-17671
      Viewing unauthenticated posts
    - CVE-2019-17672
      Stored XSS to inject javascript into style tags
    - CVE-2019-17673
      Poisoning JSON GET requests
    - CVE-2019-17669
      SSRF in URL validation
    - CVE-2019-17675
      Referer validation in admin screens
  * Backport of 5.2.3 security release, Closes: #939543
    - CVE-2019-16223
      XSS in post previews
    - CVE-2019-16218
      XSS in stored comments
    - CVE-2019-16220
      Open redirect due to validation and sanitization
    - CVE-2019-16217
      XSS in media uploads
    - CVE-2019-16219
      XSS in shortcode previews
    - CVE-2019-16221
      XSS in dashboard
    - CVE-2019-16222
      XSS in URL sanitization

 -- Craig Small <email address hidden>  Fri, 27 Dec 2019 15:26:33 +1100

wordpress (5.0.4+dfsg1-1) buster; urgency=medium

  * Backport of 5.1.1 patches
  * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787

 -- Craig Small <email address hidden>  Sun, 24 Mar 2019 09:20:02 +1100

wordpress (5.0.3+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Update to Debian standards 4.3.0

 -- Craig Small <email address hidden>  Tue, 05 Feb 2019 22:23:39 +1100

wordpress (5.0.2+dfsg1-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 28 Dec 2018 16:00:13 +1100

wordpress (5.0.1+dfsg1-1) unstable; urgency=high

  * New upstream source. fixes 7 Security issues Closes: #916403
    - CVE-2018-20147
      Delete files through altered meta data
    - CVE-2018-20152
      Create posts of unauthorized post types
    - CVE-2018-20148
      PHP object injection through crafted meta data
    - CVE-2018-20153
      Edit other users' comments, leading to XSS
    - CVE-2018-20150
      XSS in plugins through crafted URL inputs
    - CVE-2018-20151
      User activation screen visible to search engines
    - CVE-2018-20149
      Bypass MIME verification causing XSS
  * Themes: Remove twentyfifteen, add twentynineteen and make default
  * Remove remote emojis

 -- Craig Small <email address hidden>  Sun, 16 Dec 2018 10:45:32 +1100

wordpress (4.9.8+dfsg1-1) unstable; urgency=medium

  * New upstream source
    Verify plugin uploads CVE-2018-14028 Closes: #906565

 -- Craig Small <email address hidden>  Tue, 21 Aug 2018 20:47:44 +1000

wordpress (4.9.7+dfsg1-1) unstable; urgency=high

  * New upstream source
  * Fix directory traversal in thumb parameter
    CVE-2018-12895 Closes: #902876

 -- Craig Small <email address hidden>  Sat, 07 Jul 2018 22:29:18 +1000

wordpress (4.9.5+dfsg1-1) unstable; urgency=medium

  * New upstream source, fixes 3 Security issues Closes: #895034
    - CVE-2018-TBA
      Don't treat localhost as same host by default.
    - CVE-2018-TBA
      Use safe redirects when redirecting login page if SSL is forced
    - CVE-2018-TBA
      Make sure version string is correctly escaped for use in
      generator tags
  * Update to standards version 4.1.4
  * Remove get-orig-source in rules and use uscan

 -- Craig Small <email address hidden>  Sun, 08 Apr 2018 08:11:40 +1000

wordpress (4.9.4+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Removed remove_jshint patch as upstream has found a different hinter

 -- Craig Small <email address hidden>  Fri, 09 Feb 2018 21:35:34 +1100

wordpress (4.9.2+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #887596
    and resolves CVE-2018-5776
  * Update standards version to 4.1.3 - no change

 -- Craig Small <email address hidden>  Sat, 20 Jan 2018 18:02:18 +1100

wordpress (4.9.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Release 4.9 was never packaged due to licensing problems
  * This release fixes 6 security issues Closes: #883314
    - CVE-2017-17091
      Use a properly generated hash for the newbloguser key instead
      of a determinate substring.
    - CVE-2017-17092
      Remove the ability to upload JavaScript files for users who
      do not have the unfiltered_html capability
    - CVE-2017-17093
      Add escaping to the language attributes used on html elements
    - CVE-2017-17094
      Ensure the attributes of enclosures are correctly escaped in
      RSS and Atom feeds
  * Updated to standards 4.1.1
  * New linting for Javascript is disabled due to jshint.js licensing
    issues

 -- Craig Small <email address hidden>  Sat, 09 Dec 2017 16:57:09 +1100

wordpress (4.8.3+dfsg-1) unstable; urgency=high

  * New upstream security release Closes: #880528

 -- Craig Small <email address hidden>  Thu, 02 Nov 2017 22:16:15 +1100

wordpress (4.8.2+dfsg-2) unstable; urgency=high

  * Hash user activation key Closes: #877629
    Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Wed, 04 Oct 2017 21:59:11 +1100

wordpress (4.8.2+dfsg-1) unstable; urgency=high

  * New upstream security release fixes 9 security issues Closes: #876274
    CVE IDs will be updated when issued
    - CVE-2017-XXX
      $wpdb->prepare() can create unexpected and unsafe queries leading to
      potential SQL injection (SQLi)
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the oEmbed discovery
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the visual editor
    - CVE-2017-TBA
      Path traversal vulnerability in the file unzipping code
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the plugin editor
    - CVE-2017-TBA
      Open redirect in the user and term edit screens
    - CVE-2017-TBA
      Path traversal vulnerability in the customizer
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in template names
    - CVE-2017-TBA
      Cross-site scripting (XSS) vulnerability in the link modal

 -- Craig Small <email address hidden>  Fri, 22 Sep 2017 21:57:06 +1000

wordpress (4.8.1+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Thu, 03 Aug 2017 21:35:33 +1000

wordpress (4.8+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Craig Small <email address hidden>  Fri, 09 Jun 2017 22:43:40 +1000