Your message dated Tue, 26 Feb 2013 08:16:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#701667: CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers
has caused the Debian Bug report #701667,
regarding CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
701667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701667
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 3.3.2+dfsg-1~squeeze1
Severity: important
Tags: security
Hello,
http://www.tinymce.com/forum/viewtopic.php?id=30036 reports:
This version includes an important security upgrade where it's possible to use
the Google spellchecker logic to make requests to remote servers. We strongly
recommend people to upgrade if they are using the PHP spellchecker with the
Google spellchecker engine enabled.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6112
https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
/usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
Haven't reproduced this issue, but I did check the source code. Please ask if you
need help.
--
Henri Salo
-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages wordpress depends on:
ii apache2 2.2.16-6+squeeze10 Apache HTTP Server metapackage
ii apache2-mpm-prefork [ 2.2.16-6+squeeze10 Apache HTTP Server - traditional n
ii libapache2-mod-php5 5.3.3-7+squeeze14 server-side, HTML-embedded scripti
ii libjs-cropper 1.2.1-2 JavaScript image cropper UI
ii libjs-prototype 1.6.1-1 JavaScript Framework for dynamic w
ii libjs-scriptaculous 1.8.3-1 JavaScript library for dynamic web
ii libphp-phpmailer 5.1-1 full featured email transfer class
ii libphp-snoopy 1.2.4-2 Snoopy is a PHP class that simulat
ii mysql-client-5.1 [mys 5.1.66-0+squeeze1 MySQL database client binaries
ii php5 5.3.3-7+squeeze14 server-side, HTML-embedded scripti
ii php5-gd 5.3.3-7+squeeze14 GD module for php5
ii php5-mysql 5.3.3-7+squeeze14 MySQL module for php5
Versions of packages wordpress recommends:
ii wordpress-l10n 3.3.2+dfsg-1~squeeze1 weblog manager - language files
Versions of packages wordpress suggests:
pn mysql-server <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 3.5.1+dfsg-1
On Mon, 25 Feb 2013, Henri Salo wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6112
> https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
> /usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
>
> Haven't reproduced this issue, but I did check the source code. Please ask if you
> need help.
The sid version (3.5.1+dfsg-2) has the fix already. For the stable
version, there are other more important security issues that are still
not solved.
It would be nice to get 3.5.1+dfsg-2 migrated to wheezy though.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
--- End Message ---