
Accepted wordpress 3.6.1+dfsg-1~deb7u17 (source all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 31 Oct 2017 15:13:56 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u17
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u17) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.8.2.
   * CVE-2016-9263:
     When domain-based flashmediaelement.swf sandboxing is not used, WordPress
     allows remote attackers to conduct cross-domain Flash injection (XSF)
     attacks by leveraging code contained within the
     wp-includes/js/mediaelement/flashmediaelement.swf file.
     This issue was resolved by completely removing flashmediaelement.swf.
   * CVE-2017-14718:
     WordPress was susceptible to a Cross-Site Scripting attack in the link
     modal via a javascript: or data: URL.
   * CVE-2017-14719:
     WordPress was vulnerable to a directory traversal attack during unzip
     operations in the ZipArchive and PclZip components.
   * CVE-2017-14720:
     WordPress allowed a Cross-Site Scripting attack in the template list view
     via a crafted template name.
   * CVE-2017-14721:
     WordPress allowed Cross-Site Scripting in the plugin editor via a crafted
     plugin name.
   * CVE-2017-14722:
     WordPress allowed a Directory Traversal attack in the Customizer component
     via a crafted theme filename.
   * CVE-2017-14723:
     WordPress mishandled % characters and additional placeholder values in
     $wpdb->prepare, and thus did not properly address the possibility of
     plugins and themes enabling SQL injection attacks.
   * CVE-2017-14725:
     WordPress was susceptible to an open redirect attack in
     wp-admin/user-edit.php.
   * CVE-2017-14990:
     WordPress stores cleartext wp_signups.activation_key values (but
     stores the analogous wp_users.user_activation_key values as hashes), which
     might make it easier for remote attackers to hijack unactivated user
     accounts by leveraging database read access (such as access gained through
     an unspecified SQL injection vulnerability).
Checksums-Sha1: 
 841ea3f7ee82299c35c19cd43677a6d5a2fd2ca0 2488 wordpress_3.6.1+dfsg-1~deb7u17.dsc
 9993b964732b530d8f52181db90ee036708a2776 5279372 wordpress_3.6.1+dfsg-1~deb7u17.debian.tar.xz
 8b412db73c039ecf7953f3bd4fd33835cec4f074 3959110 wordpress_3.6.1+dfsg-1~deb7u17_all.deb
 e6ec78d49e4f34a3bd6edf771e03587f1585024f 8871762 wordpress-l10n_3.6.1+dfsg-1~deb7u17_all.deb
Checksums-Sha256: 
 58df783cc0e96ddc57aeeab25a8e089adf57297e7c881f31c7f2c0046170d906 2488 wordpress_3.6.1+dfsg-1~deb7u17.dsc
 4427792e5fb04942c9d719f170baa2786d7cbe9b1bc8eb624a5fae4a423290d4 5279372 wordpress_3.6.1+dfsg-1~deb7u17.debian.tar.xz
 52f5c9e349350d31157354373545be7a65c1ca4e62ed7d3d9b22c2a50616d001 3959110 wordpress_3.6.1+dfsg-1~deb7u17_all.deb
 7f81c7bf5436dd9266a9607132165e39c1a5b91b36e9324fac21813c683ef3e2 8871762 wordpress-l10n_3.6.1+dfsg-1~deb7u17_all.deb
Files: 
 bcd80d029c57fe99e950e0d3a7aecd8a 2488 web optional wordpress_3.6.1+dfsg-1~deb7u17.dsc
 a844dbc470fb7b90f624f753d9636a53 5279372 web optional wordpress_3.6.1+dfsg-1~deb7u17.debian.tar.xz
 8b5dd4d8ed9cd3794f1434aa84c23651 3959110 web optional wordpress_3.6.1+dfsg-1~deb7u17_all.deb
 7cfbae96da6ed29eddecf4d377369857 8871762 localization optional wordpress-l10n_3.6.1+dfsg-1~deb7u17_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----