-
wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high
* Non-maintainer upload.
* Fix CVE-2018-10100: the redirection URL for the login page was not
validated or sanitized if forced to use HTTPS.
* Fix CVE-2018-10102: the version string was not escaped in the
get_the_generator function, and could lead to XSS in a generator tag.
(Closes: #895034)
-- Markus Koschany <email address hidden> Sat, 28 Apr 2018 22:49:06 +0200
-
wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium
* Backport security patches from 4.8.2
- CVE-2017-14723
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi)
Changeset 41472, 41498
- CVE-2017-14726
Cross-site scripting (XSS) vulnerability in the visual editor
Changeset 41436
- CVE-2017-14719
Path traversal vulnerability in the file unzipping code
Changeset 41459
- CVE-2017-14721
Cross-site scripting (XSS) vulnerability in the plugin editor
Changeset 41413
- CVE-2017-14725
Open redirect in the user edit screens
The term/tag edit screen does not have this issue.
Changeset 41424
- CVE-2017-14722
Path traversal vulnerability in the customizer
Changeset 41430
- CVE-2017-14720
Cross-site scripting (XSS) vulnerability in template names
Changeset 41413 (same as plugin editor)
- CVE-2017-14718
Cross-site scripting (XSS) vulnerability in the link modal
* Not vulnerable:
- CVE-2017-14724
Cross-site scripting (XSS) vulnerability in the oEmbed discovery
oEmbed feature not present in this version
* Hash user activation key Closes: #877629
Fixes CVE-2017-14990
-- Craig Small <email address hidden> Wed, 11 Oct 2017 21:27:47 +1100
-
wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium
* Backport patches from 4.7.5 Closes: #862816
- CVE-2017-9062
Improper handling of post meta data values in the XML-RPC API.
Changeset 40699
- CVE-2017-9065
Lack of capability checks for post meta data in the XML-RPC API.
Changeset 40684
- CVE-2017-9064
A Cross Site Request Forgery (CSRF) vulnerability was discovered
in the filesystem credentials dialog.
Changeset 40730
- CVE-2017-9061
A cross-site scripting (XSS) vulnerability was discovered when
attempting to upload very large files.
Changeset 40743
- CVE-2017-9063
A cross-site scripting (XSS) vulnerability was discovered related
to the Customizer.
Changeset 40711
* CVE-2017-9066 not fixed as the relevant code has changed dramatically
and there is no upstream patch for it.
Insufficient redirect validation in the HTTP class.
* CVE-2017-8295 Don't use client-provided data to form password reset
from email address, from WordPress ticket #23239 Closes: #862053
-- Craig Small <email address hidden> Wed, 24 May 2017 22:24:48 +1000
-
wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium
* Backport patches from 4.7.3 Closes: #857026
- CVE-2017-6814
Cross-site scripting (XSS) via media file metadata.
Changeset 40155
- CVE-2017-6815
Control characters can trick redirect URL validation.
Changeset 40190
- CVE-2017-6816
Unintended files can be deleted by administrators using the plugin
deletion functionality.
Changeset 40176
- CVE-2017-6817
Cross-site scripting (XSS) via video URL in YouTube embeds.
Changeset 40167
* Not vulnerable:
- CVE-2017-6819
Cross-site request forgery (CSRF) in Press This leading to excessive
use of server resources.
Press This introduced in 4.2
- CVE-2017-6818
Cross-site scripting (XSS) via taxonomy term names.
-- Craig Small <email address hidden> Thu, 16 Mar 2017 06:19:41 +1100
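For the redirect check behind CVE-2017-6815 the failure mode is validating one string and emitting another: a control character makes the target parse as a relative URL, so an allow-list check passes, and a later clean-up step that strips the character turns it back into an absolute URL on a foreign host. The following Python example is added here and is not WordPress's redirect code; the allow-listed host blog.example, the fallback target "/", the control-character set and the use of urllib.parse.urlsplit are assumptions for the illustration. A NUL byte is used as the control character because urlsplit itself already discards tab and newline characters.

```python
import re
from urllib.parse import urlsplit

# ASCII control characters (C0 range and DEL).  CR and LF in this set also
# cover header injection into the Location: line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_redirect(location: str) -> str:
    """Drop every control character from a redirect target."""
    return _CONTROL_CHARS.sub("", location)


def host_is_allowed(location: str, allowed_hosts: set) -> bool:
    """Allow-list check: relative URLs and absolute http(s) URLs whose host
    is allow-listed pass; everything else fails."""
    parts = urlsplit(location)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # No host component: treat as relative, except for the forms browsers
        # still resolve as absolute ("//host", "/\host", "\\host").
        return not location.startswith(("//", "/\\", "\\"))
    return parts.hostname in allowed_hosts


def validate_then_sanitize(location, allowed_hosts, fallback="/"):
    """Vulnerable ordering: the allow-list sees the raw string, the browser
    receives the cleaned one."""
    if not host_is_allowed(location, allowed_hosts):
        return fallback
    return sanitize_redirect(location)


def sanitize_then_validate(location, allowed_hosts, fallback="/"):
    """Hardened ordering: validate exactly the string that will be emitted."""
    cleaned = sanitize_redirect(location)
    if not host_is_allowed(cleaned, allowed_hosts):
        return fallback
    return cleaned


if __name__ == "__main__":
    allowed = {"blog.example"}
    # Constructed attack: the NUL makes urlsplit see scheme "http" with no
    # host, so the raw string looks relative; stripping the NUL afterwards
    # yields http://evil.example/
    attack = "http:\x00//evil.example/"
    print("validate-then-sanitize ->", validate_then_sanitize(attack, allowed))
    print("sanitize-then-validate ->", sanitize_then_validate(attack, allowed))
```

The general rule the example encodes: every normalisation applied to the value must happen before the check, and the checked value must be byte-for-byte what is sent to the client.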
-
wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* debian/patches/CVE-2016-6635.patch:
- don't duplicate wp_encode_json() which has already been backported
upstream, just merge later changes, fix regression in the previous
upload. closes: #839190
* debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.
-- Yves-Alexis Perez <email address hidden> Sat, 01 Oct 2016 11:38:14 +0200
-
wordpress (4.1+dfsg-1+deb8u9) jessie-security; urgency=high
* Backport patches from 4.5.3/4.1.12 Closes: #828225
* Fixes CVE-2016-5834, CVE-2016-5838, CVE-2016-5839
* Changeset 37762 admin auth redirect
* Changeset 37773 Customizer urls CVE-2016-5832
* Changeset 37781 Category check CVE-2016-5837
* Changeset 37790 admin escape attach
* Changeset 37800 Revision capability CVE-2016-5835
* Changeset 37815 escape url permalinks
* Changeset 37818 media extensionless filenames
* Changeset 32387 CVE-2015-8834 XSS in comments
-- Craig Small <email address hidden> Wed, 06 Jul 2016 20:52:08 +1000
-
wordpress (4.1+dfsg-1+deb8u8) jessie-security; urgency=high
* Changeset 36435 fixes SSRF for URLs CVE-2016-2222
* Changeset 36444 improved redirect checking CVE-2016-2221
* Closes: #813697
-- Craig Small <email address hidden> Sat, 06 Feb 2016 15:13:23 +1100
-
wordpress (4.1+dfsg-1+deb8u7) jessie-security; urgency=high
* Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325
-- Craig Small <email address hidden> Sat, 09 Jan 2016 08:21:54 +1100
-
wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high
* Rework changeset 33359 reliable shortcodes CVE-2015-5622 Closes: #794548
* Backports of 4.2.4 security fixes Closes: #794560
* Changeset 33555 SQL Injection CVE-2015-2213
* Changeset 33535 fixes timing attack CVE-2015-4730
* Changeset 33542 prevent posts lock attack CVE-2015-5731
* Changeset 33529 XSS widget title CVE-2015-5732
* CVE-2015-5733: Not vulnerable; Changeset 32176 fixes this
* Changeset 33549 theme preview XSS CVE-2015-5734
-- Craig Small <email address hidden> Wed, 05 Aug 2015 22:44:20 +1000
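The "Hash user activation key" change (CVE-2017-14990, in the deb8u15 entry above) and the timing-attack fix in this entry (CVE-2015-4730) address two properties of a secret-token check: the token must not be recoverable from what is stored, and the comparison must not leak how far the candidate matched. The following is an added Python example, not WordPress's own code; the "issued-timestamp:sha256-hex" record format, the 24-hour lifetime and the naive_check contrast are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

KEY_LIFETIME_SECONDS = 24 * 60 * 60   # assumption: activation keys live one day


def generate_activation_key(now=None):
    """Create a fresh key.  Returns (key_for_email, record_for_database).
    Only the hash reaches the database, so a leaked users table cannot be
    replayed against the activation endpoint."""
    issued = int(time.time() if now is None else now)
    key = secrets.token_urlsafe(32)            # 256 bits of entropy
    # Plain SHA-256 is adequate only because the key is long and random;
    # a user-chosen secret would need a slow, salted hash instead.
    digest = hashlib.sha256(key.encode("ascii")).hexdigest()
    return key, f"{issued}:{digest}"


def check_activation_key(presented, record, now=None):
    """Verify a presented key against a stored "issued:sha256hex" record.
    Expiry is checked first; the hash comparison is constant-time."""
    if not isinstance(presented, str) or not isinstance(record, str):
        return False
    issued_text, sep, stored_digest = record.partition(":")
    if not sep or not issued_text.isdigit():
        return False
    now = int(time.time() if now is None else now)
    if not (0 <= now - int(issued_text) <= KEY_LIFETIME_SECONDS):
        return False
    candidate = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    # compare_digest runs in time independent of where the inputs first
    # differ, which is the property a timing-attack fix has to restore.
    return hmac.compare_digest(candidate, stored_digest)


def naive_check(presented, stored_plaintext):
    """Both defects side by side: the key sits in the database in clear, and
    == returns as soon as the first differing byte is found."""
    return presented == stored_plaintext


if __name__ == "__main__":
    key, record = generate_activation_key()
    print("record stored:", record)
    print("valid now:", check_activation_key(key, record))
    print("valid in two days:",
          check_activation_key(key, record, now=time.time() + 2 * KEY_LIFETIME_SECONDS))
```

Keeping the issue time inside the record, rather than in a separate column, means an expired key cannot be revived by editing one field without also breaking the hash it is compared against.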
-
wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high
* Backports of 4.1.2 security fixes Closes: #783347
- Changeset 32163 sanity checks
- Changeset 32165 sanitize order by
- Changeset 32172 filename check
- Changeset 32174 multisite change extra checks
- Changeset 32176 Dashboard escapes titles
- Changeset 32234 More WPDB query sanity
* Backport of 4.2.1 for security fixes Closes: #783554
- Changeset 32307: XSS for long 64k+ comments
-- Craig Small <email address hidden> Sat, 02 May 2015 12:59:53 +1000
-
wordpress (4.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Changed trigger to noawait Closes: #772862
* Updated apache example Closes: #773075
* Updated to standards 3.9.6
* Added getid3 and mediaelement to linktree Closes: #762523
* Removed two unbuildable mediaelement files
-- Craig Small <email address hidden> Sat, 20 Dec 2014 15:31:21 +1100
-
wordpress (4.0.1+dfsg-2) unstable; urgency=medium
* Fixed i18n updates
* twentyfourteen theme has translations Closes: #772205
-- Craig Small <email address hidden> Sat, 06 Dec 2014 18:54:49 +1100
-
wordpress (4.0.1+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes several security bugs Closes: #770425
- Three cross-site scripting issues that a contributor or
author could use to compromise a site.
- A cross-site request forgery that could be used to trick a
user into changing their password.
- An issue that could lead to a denial of service when
passwords are checked.
- Additional protections for server-side request forgery
attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s
account to be compromised, that also required that they
haven’t logged in since 2008.
- WordPress now invalidates the links in a password reset email
if the user remembers their password, logs in, and changes
their email address.
-- Craig Small <email address hidden> Sat, 22 Nov 2014 19:29:37 +1100
-
wordpress (4.0+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Fri, 05 Sep 2014 20:58:06 +1000
-
wordpress (3.9.2+dfsg-1) unstable; urgency=high
* New Upstream release
* Fixes XML Security bug Closes: #757312
-- Craig Small <email address hidden> Thu, 07 Aug 2014 18:26:39 +1000
-
wordpress (3.9.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Use system CA certificate file Closes: #748965
-- Craig Small <email address hidden> Wed, 11 Jun 2014 22:33:48 +1000
-
wordpress (3.9+dfsg-1) unstable; urgency=medium
* New upstream release
* 3.9 seems to handle different locations for plugins so the
plugin directory handling patches have been cut back.
-- Craig Small <email address hidden> Thu, 17 Apr 2014 20:56:19 +1000
-
wordpress (3.8.2+dfsg-1) unstable; urgency=high
* New upstream release Fixes CVE-2014-0165, CVE-2014-0166
and Closes: #744019
-- Craig Small <email address hidden> Wed, 09 Apr 2014 22:13:54 +1000
-
wordpress (3.8.1+dfsg1-2) unstable; urgency=medium
* Updated copyright file Closes: #736514
-- Craig Small <email address hidden> Fri, 14 Feb 2014 22:03:49 +1100
-
wordpress (3.7.1+dfsg-1) unstable; urgency=low
* New upstream release.
* Enable usage of php5-mysqlnd as an alternative to php5-mysql.
Closes: #722552
* Improve wp-setup to cope with plugins/themes directories with
spaces. Thanks to Oskar Liljeblad <email address hidden> for the patch.
Closes: #723074
* Refresh patches
-- Raphaël Hertzog <email address hidden> Wed, 13 Nov 2013 20:41:09 +0100
-
wordpress (3.6.1+dfsg-1) unstable; urgency=high
* New upstream security release.
-- Raphaël Hertzog <email address hidden> Thu, 12 Sep 2013 07:58:57 +0200
-
wordpress (3.5.2+dfsg-1) unstable; urgency=low
* New upstream release with many security fixes. Closes: #713947
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can
reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin.
CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
* Additional security hardening includes:
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
* Update the Vcs-Git and Vcs-Browser URLs.
* Update Standards-Version to 3.9.4.
-- Raphaël Hertzog <email address hidden> Tue, 25 Jun 2013 15:52:07 +0200
-
wordpress (3.5.1+dfsg-2) unstable; urgency=low
* Only replace tinymce files by symlinks if the content is exactly the same.
Closes: #700289
* Update debian/get-upstream-i18n to include supplementary PO files
and use a more efficient method to update them. Closes: #697208
-- Raphaël Hertzog <email address hidden> Mon, 11 Feb 2013 13:56:18 +0100