Hi Salvatore, I'll go ask for them over the weekend. I'll look into backports for the relevant patches. Definitely a festival of XSS going on for this one!
- Craig

On Fri, 6 Sep 2019 at 17:47, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Craig,
>
> On Fri, Sep 06, 2019 at 05:37:45PM +1000, Craig Small wrote:
> > Source: wordpress
> > Version: 5.2.2+dfsg1-1
> > Severity: normal
> > Tags: security
> >
> > WordPress has released 5.2.3, which fixes several security holes.
> >
> > From
> > https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
> >
> > Security Updates
> >
> > Props to Simon Scannell of RIPS Technologies for finding and disclosing
> > two issues. The first, a cross-site scripting (XSS) vulnerability found in
> > post previews by contributors. The second was a cross-site scripting
> > vulnerability in stored comments.
> >
> > Props to Tim Coen for disclosing an issue where validation and
> > sanitization of a URL could lead to an open redirect.
> >
> > Props to Anshul Jain for disclosing reflected cross-site scripting
> > during media uploads.
> >
> > Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a
> > vulnerability for cross-site scripting (XSS) in shortcode previews.
> >
> > Props to Ian Dunn of the Core Security Team for finding and disclosing a
> > case where reflected cross-site scripting could be found in the dashboard.
> >
> > Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue
> > with URL sanitization that can lead to cross-site scripting (XSS) attacks.
> >
> > In addition to the above changes, we are also updating jQuery on older
> > versions of WordPress. This change was added in 5.2.1 and is now being
> > brought to older versions.
>
> I guess you can/will ask for CVEs for those issues? Can you report
> those back here and on team@s.d.o once known?
>
> Regards,
> Salvatore