Accepted wordpress 4.7.18+dfsg-1+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 11 Sep 2020 15:46:13 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source
Version: 4.7.18+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Changes:
wordpress (4.7.18+dfsg-1+deb9u1) stretch-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * New upstream release for stable 4.7 branch.
  * CVE-2020-4047: authenticated users with upload permissions (like
    authors) are able to inject JavaScript into some media file attachment
    pages in a certain way. This can lead to script execution in the
    context of a higher privileged user when the file is viewed by them.
  * CVE-2020-4048: due to an issue in wp_validate_redirect() and URL
    sanitization, an arbitrary external link can be crafted leading to
    unintended/open redirect when clicked.
  * CVE-2020-4049: when uploading themes, the name of the theme folder can
    be crafted in a way that could lead to JavaScript execution in
    /wp-admin on the themes page.
  * CVE-2020-4050: misuse of the `set-screen-option` filter's return value
    allows arbitrary user meta fields to be saved. It does require an
    admin to install a plugin that would misuse the filter. Once
    installed, it can be leveraged by low privileged users.
  * Fix CVE-2020-4050 regression.
  * CVE-2019-17670: WordPress has a Server Side Request Forgery (SSRF)
    vulnerability because Windows paths are mishandled during certain
    validation of relative URLs.
  * Editor: Ensure latest comments can only be viewed from public posts
    (WordPress says this is not a security issue).
  * Fix user activation protected against CVE-2017-14990 (broken in
    4.7.5+dfsg-2+deb9u5).
Checksums-Sha1:
692908a7e762cc6603e963cf2888ac540d014b29 2229 wordpress_4.7.18+dfsg-1+deb9u1.dsc
d6880802f5d13ccb16238dd773a80f9f5117299e 6250864 wordpress_4.7.18+dfsg.orig.tar.xz
a79961fbca8855a9b5c78a78c605da6525cbd520 6783080 wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
0951c6d0341ed3fe0063aa9ba11792c09e08e269 7475 wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
8558f2bfb4fe03f183dbab7e03289ac935d94c99d6909b477ad9aaddfdaf5a9c 2229 wordpress_4.7.18+dfsg-1+deb9u1.dsc
f316f7154d946c34cd94b7330724ab89b93aa7bb9c49075d55352666f64260dd 6250864 wordpress_4.7.18+dfsg.orig.tar.xz
ac0b0954c90157af0eae5b3712754e547feedec70f94a515ea2295c1fc7ed678 6783080 wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
2048453a74c705a6f80aa1f3fc27846d69a35a79663425d427b54eff52c3a67c 7475 wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo
Files:
fb3bed4297d5bfe4f461056e6012807d 2229 web optional wordpress_4.7.18+dfsg-1+deb9u1.dsc
3d2d2d28bf524c8244007025a09f434f 6250864 web optional wordpress_4.7.18+dfsg.orig.tar.xz
3722bfe9ec17e976771639df1d8aa6d6 6783080 web optional wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
c4fcab7176d2ed4ac7f6819daefaa113 7475 web optional wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl9bgeMACgkQj/HLbo2J
BZ8JkAf/RvFanEFq21ZI6+flP/KKivHnjKrLLC1SIY7m8MzBqLsCTy3OBRMIJEXt
4mWCENGdIGDci0Zq1uU8KOILBAoJzKdSBOF/YKP/swC7R+VxhXBjUBeTijgLfFs3
C+BUdKhLM1T/dxALPFmTDxBepOOix+EiNBhzvxXCtlmODP8sryWgudpy2Zu7R/F8
5pa0l6DUQeZzFFUxGXw50BME7lZAvdF9YpxJvJc/pGHYIGQITeoy7QUGMWD0RoXl
S/AauycPdKYZLqkJIup71/JxzcgSJgYaA/4I13ytFOPhaRdVwfMXytb4MboC5+bd
cSKruBGHAZ9zzlSJ0TN3VqkzHmBKog==
=8z9p
-----END PGP SIGNATURE-----