Your message dated Sat, 07 May 2016 04:00:32 +0000
with message-id <[email protected]>
and subject line Bug#823640: fixed in wordpress 4.5.2+dfsg-1
has caused the Debian Bug report #823640,
regarding wordpress: Reflected XSS in PLupload and mediaelement
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
823640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823640
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 4.5.1
Severity: important
Tags: security upstream

Wordpress 4.2 to 4.5.1 has an XSS vulnerability in Plupload and
mediaelement.  I haven't yet done the analysis to see if we are
fully vulnerable (some mediaelement items are removed due to DFSG
problems) but most likely we are.

No CVE items as yet from what I can tell.

Given that this problem was introduced in 4.2, jessie and wheezy should
not be impacted. I'll have a look at them in case they no longer care
about such old versions.

They mention an imagemagick problem too, but it sounds more like it is
about the library. I cannot find a DSA about it though.

https://wordpress.org/news/2016/05/wordpress-4-5-2/


-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
pn  apache2 | httpd                 <none>
ii  ca-certificates                 20160104
ii  libjs-cropper                   1.2.2-1
ii  libphp-phpmailer                5.2.14+dfsg-2
ii  libphp-snoopy                   2.0.0-1
ii  mysql-client                    5.6.28-1
ii  php5                            5.6.19+dfsg-2
pn  php5-gd                         <none>
ii  php5-mysql                      5.6.19+dfsg-2+b1
pn  wordpress-theme-twentyfourteen  <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwelve  <none>

Versions of packages wordpress suggests:
ii  mysql-server  5.6.28-1

--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.5.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 May 2016 12:39:47 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen
Architecture: source all
Version: 4.5.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 823640
Changes:
 wordpress (4.5.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release
   * Fixes reflected XSS attack in plupload Closes: #823640
   * Do not use old mediaelement
Checksums-Sha1:
 7a8b2321bca388e01d7d38e2dc73547e58561064 2521 wordpress_4.5.2+dfsg-1.dsc
 448cb6e58385c8be4082f498eb854848a68006e8 6027876 wordpress_4.5.2+dfsg.orig.tar.xz
 41912ff2cf3bf964bc593b3b4ecb003199444f0f 6054920 wordpress_4.5.2+dfsg-1.debian.tar.xz
 c9e7e72c269f0db12e716159d9aa6ea50633aed2 4364886 wordpress-l10n_4.5.2+dfsg-1_all.deb
 cd6e890b6272f07c8c88fd9bf5cb158309c558b8 699832 wordpress-theme-twentyfifteen_4.5.2+dfsg-1_all.deb
 d45dfeac7ceb19552e718e3686a8f1760902b7b7 1119018 wordpress-theme-twentyfourteen_4.5.2+dfsg-1_all.deb
 077287025fd3c9a2db66c038f81e16b97fc4afd9 588412 wordpress-theme-twentysixteen_4.5.2+dfsg-1_all.deb
 6389c0e22b4e8773f9088288e4f536a8023641d8 3716538 wordpress_4.5.2+dfsg-1_all.deb
Checksums-Sha256:
 b09a91feeaea2dd9b1aea63b9ddb891e24f1f925889a661265fb3162c2045c14 2521 wordpress_4.5.2+dfsg-1.dsc
 3063c0d3ba39fdc0106a19d3855a8ae555530dfdf435bd3d352dd2707722e7ac 6027876 wordpress_4.5.2+dfsg.orig.tar.xz
 55a2f34ea5765996f756477b7b30617d20e8a32204800cbd310351a0df7371f4 6054920 wordpress_4.5.2+dfsg-1.debian.tar.xz
 6cebd701639132e8ea752b2af7e2f56010154347cdf3012d332723de2b936bee 4364886 wordpress-l10n_4.5.2+dfsg-1_all.deb
 175070ec7e5e7f28d113797cf3a382a37f8312b14846f09ceddadb41f53575db 699832 wordpress-theme-twentyfifteen_4.5.2+dfsg-1_all.deb
 1d75b49cd9b77bc8ffa16fb37e68a3b69c501827707ccd9823be83dc84331c8f 1119018 wordpress-theme-twentyfourteen_4.5.2+dfsg-1_all.deb
 30e67b645eae889260b7707063f02227318e151ffb18fb8859da3305965ad8d1 588412 wordpress-theme-twentysixteen_4.5.2+dfsg-1_all.deb
 d44f9ecb960eaeec6ad409d28cb91685bf4c0cd62f6be8253618d96f22bae96a 3716538 wordpress_4.5.2+dfsg-1_all.deb
Files:
 292ab1f6dddffc5168b03d1819b7ed67 2521 web optional wordpress_4.5.2+dfsg-1.dsc
 fbbc17a38dc083d764e52e2e7648901e 6027876 web optional wordpress_4.5.2+dfsg.orig.tar.xz
 fe47b85657167451d5b0a23c753160fa 6054920 web optional wordpress_4.5.2+dfsg-1.debian.tar.xz
 2bbb0092d0ec41a6f75df1fd9f6937dd 4364886 localization optional wordpress-l10n_4.5.2+dfsg-1_all.deb
 0b2d92f3a84110a8ab277d063225bb86 699832 web optional wordpress-theme-twentyfifteen_4.5.2+dfsg-1_all.deb
 2625b3c88fd7d6e498060a1630a71372 1119018 web optional wordpress-theme-twentyfourteen_4.5.2+dfsg-1_all.deb
 45229d8c4169bcd07b4ad0e3a791a0f3 588412 web optional wordpress-theme-twentysixteen_4.5.2+dfsg-1_all.deb
 054d6c3005f02143f7e5920a7360a6b8 3716538 web optional wordpress_4.5.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
