Your message dated Fri, 13 Nov 2020 11:03:41 +0000
with message-id <[email protected]>
and subject line Bug#973562: fixed in wordpress 5.0.11+dfsg1-0+deb10u1
has caused the Debian Bug report #973562,
regarding wordpress: Wordpress 5.5.2 security release
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
973562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 5.5.1+dfsg1-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

WordPress versions less than 5.5.2 have the following security
vulnerabilities:

CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
CVE-2020-28035: XML-RPC privilege escalation.
CVE-2020-28036: XML-RPC privilege escalation.
CVE-2020-28032: Hardening deserialization requests.
CVE-2020-28037: DoS attack could lead to RCE.
CVE-2020-28038: Stored XSS in post slugs.
CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
CVE-2020-28040: CSRF attacks that change a theme's background image.

Debian LTS have released 4.7.19 which fixes this already.

I note the security tracker has these CVEs already.

- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
pn  apache2 | httpd                                        <none>
ii  ca-certificates                                        20200601
pn  default-mysql-client | virtual-mysql-client            <none>
pn  libapache2-mod-php | libapache2-mod-php5 | php | php5  <none>
pn  libjs-cropper                                          <none>
ii  libjs-underscore                                       1.9.1~dfsg-1
pn  php-gd | php5-gd                                       <none>
pn  php-getid3                                             <none>
pn  php-mysql | php5-mysql | php-mysqlnd | php5-mysqlnd    <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwenty  <none>

Versions of packages wordpress suggests:
pn  default-mysql-server | virtual-mysql-server  <none>
pn  php-ssh2                                     <none>


--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 5.0.11+dfsg1-0+deb10u1
Done: Craig Small <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Nov 2020 18:02:39 +1100
Source: wordpress
Architecture: source
Version: 5.0.11+dfsg1-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Closes: 971914 973562
Changes:
 wordpress (5.0.11+dfsg1-0+deb10u1) buster-security; urgency=high
 .
   * Security release, fixes 8 bugs Closes: #973562
      - CVE-2020-28039: Protected meta that could lead to arbitrary
                        file deletion.
      - CVE-2020-28035: XML-RPC privilege escalation.
      - CVE-2020-28036: XML-RPC privilege escalation.
      - CVE-2020-28032: Hardening deserialization requests.
      - CVE-2020-28037: DoS attack could lead to RCE.
      - CVE-2020-28038: Stored XSS in post slugs.
      - CVE-2020-28033: Disable spam embeds from disabled sites
                        on a multisite network.
      - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
      - CVE-2020-28040: CSRF attacks that change a theme's background image.
   * Remove duplicated changeset 45974 Closes: #971914


--- End Message ---