Accepted wordpress 3.6.1+dfsg-1~deb7u13 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Feb 2017 06:51:12 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u13
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u13) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.7.1 and 4.7.2 to Wheezy.
   * CVE-2017-5488:
     Multiple cross-site scripting (XSS) vulnerabilities in
     wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers
     to inject arbitrary web script or HTML via the (1) name or (2) version
     header of a plugin.
   * CVE-2017-5489:
     Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1
     allows remote attackers to hijack the authentication of unspecified victims
     via vectors involving a Flash file upload.
   * CVE-2017-5490:
     Cross-site scripting (XSS) vulnerability in the theme-name fallback
     functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1
     allows remote attackers to inject arbitrary web script or HTML via a
     crafted directory name of a theme, related to
     wp-admin/includes/class-theme-installer-skin.php.
   * CVE-2017-5491:
     wp-mail.php in WordPress before 4.7.1 might allow remote attackers to
     bypass intended posting restrictions via a spoofed mail server with the
     mail.example.com name.
   * CVE-2017-5492:
     Cross-site request forgery (CSRF) vulnerability in the widget-editing
     accessibility-mode feature in WordPress before 4.7.1 allows remote
     attackers to hijack the authentication of unspecified victims for requests
     that perform a widgets-access action, related to
     wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
   * CVE-2017-5493:
     wp-includes/ms-functions.php in the Multisite WordPress API in WordPress
     before 4.7.1 does not properly choose random numbers for keys, which makes
     it easier for remote attackers to bypass intended access restrictions via a
     crafted (1) site signup or (2) user signup.
   * CVE-2017-5610:
     wp-admin/includes/class-wp-press-this.php in Press This in WordPress before
     4.7.2 does not properly restrict visibility of a taxonomy-assignment user
     interface, which allows remote attackers to bypass intended access
     restrictions by reading terms.
   * CVE-2017-5611:
     SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query
     in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL
     commands by leveraging the presence of an affected plugin or theme that
     mishandles a crafted post type name.
   * CVE-2017-5612:
     Cross-site scripting (XSS) vulnerability in
     wp-admin/includes/class-wp-posts-list-table.php in the posts list table in
     WordPress before 4.7.2 allows remote attackers to inject arbitrary web
     script or HTML via a crafted excerpt.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----