
Accepted wordpress 4.7.5+dfsg-2+deb9u6 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 15:23:57 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source
Version: 4.7.5+dfsg-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 924546 939543 942459 946905 959391
Changes:
 wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high
 .
   * Importing Wordpress 4.7.17/5.4.1 updates Closes: #959391
    - CVE-2020-11025
      XSS vulnerability in the navigation section of Customizer allows
      JavaScript code to be executed.
    - CVE-2020-11026
      Files uploaded to the Media section can lead to script execution
    - CVE-2020-11027
      Password reset link does not expire
    - CVE-2020-11028
      Private posts can be found through searching by date
    - CVE-2020-11029
      XSS in stats() method in class-wp-object-cache
    Not vulnerable:
    - CVE-2020-11030 (feature introduced 5.0)
      Special payload can execute scripts in block editor
   * Importing Wordpress 4.7.16/5.3.1 updates Closes: #946905
     - CVE-2019-20043
       an unprivileged user could make a post sticky via the REST API.
     - CVE-2019-20041
       hardening wp_kses_bad_protocol() to ensure that it is aware
       of the named colon attribute.
     Not vulnerable:
     - CVE-2019-20042 (function introduced 5.1.0)
       cross-site scripting (XSS) could be stored in well-crafted links
     - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0)
       stored XSS vulnerability using block editor content.
   * Importing Wordpress 4.7.15/5.2.4 updates Closes: #942459
      - CVE-2019-17674
        Stored XSS in the Customizer
      - CVE-2019-17671
        Viewing unauthenticated posts
      - CVE-2019-17672
        Stored XSS to inject javascript into style tags
      - CVE-2019-17673
        Poisoning JSON GET requests
      - CVE-2019-17669
        SSRF in URL validation
      - CVE-2019-17675
        Referer validation in admin screens
   * Importing Wordpress 4.7.14/5.2.3 updates Closes: #939543
      - CVE-2019-16223
        XSS in post previews
      - CVE-2019-16218
        XSS in stored comments
      - CVE-2019-16220
        Open redirect due to validation and sanitization
      - CVE-2019-16217
        XSS in media uploads
      - CVE-2019-16219
        XSS in shortcode previews
      - CVE-2019-16221
        XSS in dashboard
      - CVE-2019-16222
        XSS in URL sanitization
   * Security patches from 5.1.1/4.7.13
   * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----