Your message dated Tue, 05 Sep 2017 21:51:21 +0000
with message-id <[email protected]>
and subject line Bug#874416: fixed in wordpress-shibboleth 1.8-1
has caused the Debian Bug report #874416,
regarding wordpress-shibboleth: XSS due to add_query_arg
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
874416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874416
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress-shibboleth
Version: 1.4-2
Severity: important
X-Debbugs-Cc: [email protected]
Tags: security
I have just become aware of an old security issue that was fixed
in upstream:
https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
As far as I understand, this is
https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
Given that no one has noticed and reported this as an issue for a year
in the Debian package, and I'm not completely sure of how easy it is
to exploit, I'm not exactly sure of the correct severity or whether
this warrants a DSA or just a point release update. I'm CCing
the WordPress maintainer in case they have any ideas.
This bug will be fixed in unstable shortly.
--- End Message ---
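The issue class referenced in the report: add_query_arg() and remove_query_arg() fall back to the current request URI when no URL is passed and do not escape their result, so output must go through esc_url() (or esc_url_raw() for redirects). The following audit helper is an added example, not code from the upstream plugin or the Debian package; it flags calls in PHP source that are not lexically nested inside one of those escapers, and its sample input is constructed. It does not parse PHP comments, and a value escaped later through a variable is still flagged, so treat findings as candidates for manual review.

```python
import re

RISKY = {"add_query_arg", "remove_query_arg"}
ESCAPERS = {"esc_url", "esc_url_raw"}

TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")  # string literal: skipped
  | (?P<call>[A-Za-z_]\w*)\s*\(                   # call opening, e.g. esc_url(
  | (?P<open>\()                                  # bare opening parenthesis
  | (?P<close>\))                                 # closing parenthesis
""", re.VERBOSE)


def find_unescaped(php_source):
    """Return (line, function) for each risky call not nested in an escaper."""
    findings, stack = [], []
    for m in TOKEN.finditer(php_source):
        if m.group("call"):
            name = m.group("call")
            # stack holds the names of all calls currently open around us
            if name in RISKY and not ESCAPERS.intersection(stack):
                line = php_source.count("\n", 0, m.start()) + 1
                findings.append((line, name))
            stack.append(name)
        elif m.group("open"):
            stack.append("")
        elif m.group("close") and stack:
            stack.pop()
    return findings


# Constructed sample, not taken from the wordpress-shibboleth source.
SAMPLE = '''<?php
$login = add_query_arg( 'action', 'shibboleth' );
echo '<a href="' . $login . '">Log in</a>';
echo '<a href="' . esc_url( add_query_arg( 'action', 'shibboleth' ) ) . '">Log in</a>';
wp_safe_redirect( esc_url_raw( remove_query_arg( 'reauth' ) ) );
$label = __( 'use add_query_arg( here' );
header( 'Location: ' . remove_query_arg( 'reauth' ) );
'''

if __name__ == "__main__":
    for line, name in find_unescaped(SAMPLE):
        print(f"line {line}: {name}() is not wrapped in esc_url()/esc_url_raw()")
```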
--- Begin Message ---
Source: wordpress-shibboleth
Source-Version: 1.8-1
We believe that the bug you reported is fixed in the latest version of
wordpress-shibboleth, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated wordpress-shibboleth
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 05 Sep 2017 22:17:59 +0100
Source: wordpress-shibboleth
Binary: wordpress-shibboleth
Architecture: source
Version: 1.8-1
Distribution: unstable
Urgency: medium
Maintainer: Dominic Hargreaves <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
 wordpress-shibboleth - Shibboleth plugin for WordPress
Closes: 874416
Changes:
 wordpress-shibboleth (1.8-1) unstable; urgency=medium
 .
   * Correct Vcs-* fields
   * Switch to minimal dh style packaging
   * Update watch file and Homepage to https
   * Update Standards-Version (no changes)
   * Switch to dpkg-source 3.0 (quilt) format
   * New upstream release (Closes: #874416)
   * Relax versioned dependency on wordpress, as the minimum supported
     version 3.3 is satisfied even in oldoldstable
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---