Bug#783347: marked as done (wordpress: New critical security release available: 4.1.2 (CVE-2015-3438 CVE-2015-3439))

Mon, 01 Jun 2015 04:58:15 -0700 

Your message dated Mon, 01 Jun 2015 11:53:09 +0000
with message-id <[email protected]>
and subject line Bug#783347: fixed in wordpress 3.6.1+dfsg-1~deb6u6
has caused the Debian Bug report #783347,
regarding wordpress: New critical security release available: 4.1.2 
(CVE-2015-3438 CVE-2015-3439)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
783347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783347
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: wordpress
Version: 4.1+dfsg-1
Severity: important

Dear Maintainer,

Version 4.1.2 was released on April 21st, tagged as a "critical security 
release", and containing several security-related fixes, including an important 
XSS fix.
As far as I can tell, this release is not available in neither stable nor 
unstable, nor have the fixes as of yet been backported to a stable release.
I therefore request that you please consider packaging and uploading this fixed 
version.
Note also that version 4.2 was released on April 23rd, which should likely be 
considered for unstable.

I understand this must have been a busy week, and apologize if this is already 
being looked into.

Thanks, and thanks for maintaining WordPress!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2                          2.4.9-1
ii  apache2-bin [httpd]              2.4.9-1
ii  apache2-mpm-itk [httpd]          2.4.9-1
ii  ca-certificates                  20141019
ii  libapache2-mod-php5              5.6.0+dfsg-1
ii  libjs-cropper                    1.2.2-1
ii  libjs-mediaelement               2.15.1+dfsg-1
ii  libphp-phpmailer                 5.2.9+dfsg-2
ii  mysql-client-5.5 [mysql-client]  5.5.40-1
ii  php-getid3                       1.9.8-3
ii  php5                             5.4.4-15.1
ii  php5-gd                          5.6.0+dfsg-1
ii  php5-mysql                       5.6.0+dfsg-1
ii  wordpress-theme-twentyfifteen    4.1+dfsg-1

Versions of packages wordpress recommends:
ii  wordpress-l10n  4.1+dfsg-1

Versions of packages wordpress suggests:
ii  mysql-server  5.5.40-1

-- Configuration Files:
/etc/wordpress/htaccess [Errno 2] No such file or directory: 
u'/etc/wordpress/htaccess'

-- no debconf information

-- debsums errors found:
sh: /usr/sbin/dpkg-divert: No such file or directory

--- End Message ---
--- Begin Message --- 
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u6

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jun 2015 13:07:25 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Giuseppe Iuculano <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 770425 783347 783554
Changes: 
 wordpress (3.6.1+dfsg-1~deb6u6) squeeze-lts; urgency=medium
 .
   [ Mike Gabriel ]
   * Non-maintainer upload by the Squeeze LTS Team.
     + Backport patch set from wordpress in Debian wheezy
       (3.6.1+dfsg-1~deb7u5 and 3.6.1+dfsg-1~deb7u6).
     + For details, see below.
 .
   [ Craig Small ]
   * From 3.6.1+dfsg-1~deb7u6...
   * Backports of 4.1.2 security fixes (CVE-2015-3438, CVE-2015-3439).
     (Closes: #783347).
     - Changeset 32163 sanity checks
     - Changeset 32165 sanitize order by
     - Changeset 32174 multisite change extra checks
     - Changeset 32176 Dashboard escapes titles
     - Changeset 32234 More WPDB query sanity
   * Backport of 4.2.1 for security fixes Closes: #783554
     - Changeset 32307: XSS for long 64k+ comments (CVE-2015-3440).
   * Changeset 32172 NOT applied as bug introduced later.
 .
   * From 3.6.1+dfsg-1~deb7u5...
   * Backport patches for 3.7.4->3.7.5 (Closes: #770425).
     - CVE-2014-9031 XSS in wptexturize() via comments or posts
     - CVE-2014-9033 CSRF in the password reset process
     - CVE-2014-9034 Denial of service for giant passwords
     - CVE-2014-9035 XSS in Press This
     - CVE-2014-9036 XSS in HTML filtering of CSS in posts
     - CVE-2014-9037 Hash comparison vulnerability in old passwords
     - CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block
       the loopback IP address space
     - CVE-2014-9039 Email address change didn't invalidate previously sent
       password reset
Checksums-Sha1: 
 8579908c887fbf54853c35656000f252b859ad5f 2194 wordpress_3.6.1+dfsg-1~deb6u6.dsc
 d6c057f370bbe0e14a4e401e0f4af4ca0f39900b 11018022 
wordpress_3.6.1+dfsg-1~deb6u6.debian.tar.gz
 f47b685b0549607a5ed361883932d563b802ee7a 3992404 
wordpress_3.6.1+dfsg-1~deb6u6_all.deb
 fa08938e7c79647ed5b81431794b566afb2c717e 8869726 
wordpress-l10n_3.6.1+dfsg-1~deb6u6_all.deb
Checksums-Sha256: 
 0973d67ec3bfb3d5640f40d4f05720cb9312c83ff170e4bbdd5c84375bed5928 2194 
wordpress_3.6.1+dfsg-1~deb6u6.dsc
 313a26e3b23acc805c883faacdc70dcbd7388478ba07fb76312c7a2b12bd8e1f 11018022 
wordpress_3.6.1+dfsg-1~deb6u6.debian.tar.gz
 877e790334675ee6e77d4e130d61cd381e260ae724ccf30996994ac19a70d490 3992404 
wordpress_3.6.1+dfsg-1~deb6u6_all.deb
 e72c9b4bb1985a04ae0b6006faba85184d031f6758d1914956d8f6f31dd39071 8869726 
wordpress-l10n_3.6.1+dfsg-1~deb6u6_all.deb
Files: 
 83ee2d80c631c8506d121dc0fc2b0c28 2194 web optional 
wordpress_3.6.1+dfsg-1~deb6u6.dsc
 166957d040da2b4a989d6574070ac6bf 11018022 web optional 
wordpress_3.6.1+dfsg-1~deb6u6.debian.tar.gz
 bb6760d7fd9db4ae24c253739e02e445 3992404 web optional 
wordpress_3.6.1+dfsg-1~deb6u6_all.deb
 2c0ca74294de6264aa48e4fe63d14d34 8869726 localization optional 
wordpress-l10n_3.6.1+dfsg-1~deb6u6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVbEIrAAoJEJr0azAldxsx3mQQAJwp+0XGRI2IdL3ObCKd2ic3
3iqRo2EcQME9z8+KI1uDXzLNa+1GFAUW1WiqzIetvcrNAIz9YVt7DGVaL6SZQSQu
adZcHsXgtw/+NJBiqx6Nfjk6Uo6Xh7WMBhHVwt2QpHIt5I7xKK6RWN3aiXdNOuGq
lYqvGZt/TAu5FiPU09iUqp5OcflcCVnHvRm/d/UwU20cS43voYvhrhj3kXXqOMyV
x3uuAC/Uz9Lp64WO+FDFH+skIAUV4zTQw0auQCefOF+vNjvcWezUiDTfez0t0XUv
yLNHFM/w1Heu4ZOaOC+ntO3hyJzyEFTqFpoPu9d2ilM5KGQcqn4vEXHIyEA0pwD7
a++5v+S9Q+ELwc1LUKEElv7gOu0NTk2+cHk0IQ2b2CcANu+I43vXN313Vhua/TF4
sYIp8Q7hv52fpgtWeaCGhZZPdUC65D8Z28pBFcIjNZek8JMH++m9s9r3yx4xHSqT
b3s1lsVWGfa4ZC2XjVF7FPrAb2b1g+ld7TG7f+N4NEV2hJN+DKKeU/GZZREm/o4t
AocQcqmJsxi0KGSZCXbqZTvTCyT6WOuVU6sWPvypKuEJuUvO48ZOdDFCqzbPUyqp
DUdPqPShD5qdDgEghug+7dbcoc+yF6t5Zzo7f308O/acIJnHAMknAC23Z3Sj7TA3
6vuQhTo9ij4MxEOZGb/m
=ylZN
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to