Your message dated Thu, 05 Nov 2020 21:49:25 +0000
with message-id <[email protected]>
and subject line Bug#973562: fixed in wordpress 5.5.3+dfsg1-1
has caused the Debian Bug report #973562,
regarding wordpress: Wordpress 5.5.2 security release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
973562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 5.5.1+dfsg1-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Wordpress versions less than 5.5.2 have the following security
vulnerabilities:
CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
CVE-2020-28035: XML-RPC privilege escalation.
CVE-2020-28036: XML-RPC privilege escalation.
CVE-2020-28032: Hardening deserialization requests.
CVE-2020-28037: DoS attack could lead to RCE.
CVE-2020-28038: Stored XSS in post slugs.
CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
CVE-2020-28040: CSRF attacks that change a theme's background image.
Debian LTS have released 4.7.19 which fixes this already.
I note the security tracker has these CVEs already.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages wordpress depends on:
pn apache2 | httpd <none>
ii ca-certificates 20200601
pn default-mysql-client | virtual-mysql-client <none>
pn libapache2-mod-php | libapache2-mod-php5 | php | php5 <none>
pn libjs-cropper <none>
ii libjs-underscore 1.9.1~dfsg-1
pn php-gd | php5-gd <none>
pn php-getid3 <none>
pn php-mysql | php5-mysql | php-mysqlnd | php5-mysqlnd <none>
Versions of packages wordpress recommends:
pn wordpress-l10n <none>
pn wordpress-theme-twentytwenty <none>
Versions of packages wordpress suggests:
pn default-mysql-server | virtual-mysql-server <none>
pn php-ssh2 <none>
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 5.5.3+dfsg1-1
Done: Craig Small <[email protected]>
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 03 Nov 2020 17:23:49 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentynineteen
wordpress-theme-twentyseventeen wordpress-theme-twentytwenty
Architecture: source all
Version: 5.5.3+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
wordpress-theme-twentynineteen - weblog manager - twentynineteen theme files
wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
wordpress-theme-twentytwenty - weblog manager - twentytwenty theme files
Closes: 973562
Changes:
wordpress (5.5.3+dfsg1-1) unstable; urgency=high
.
  * Security release, fixes 8 bugs Closes: #973562
    - CVE-2020-28039: Protected meta that could lead to arbitrary
      file deletion.
    - CVE-2020-28035: XML-RPC privilege escalation.
    - CVE-2020-28036: XML-RPC privilege escalation.
    - CVE-2020-28032: Hardening deserialization requests.
    - CVE-2020-28037: DoS attack could lead to RCE.
    - CVE-2020-28038: Stored XSS in post slugs.
    - CVE-2020-28033: Disable spam embeds from disabled sites
      on a multisite network.
    - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
    - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Removed TinyMCE build dependency as it's very old
  * d/dirs: Add two more language directories
--- End Message ---