Package: wordpress
Version: 5.5.1+dfsg1-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

WordPress versions less than 5.5.2 have the following security
vulnerabilities:

CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
CVE-2020-28035: XML-RPC privilege escalation.
CVE-2020-28036: XML-RPC privilege escalation.
CVE-2020-28032: Hardening deserialization requests.
CVE-2020-28037: DoS attack could lead to RCE.
CVE-2020-28038: Stored XSS in post slugs.
CVE-2020-28033: Disable spam embeds from disabled sites on a multisite network.
CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
CVE-2020-28040: CSRF attacks that change a theme's background image.

Debian LTS have released 4.7.19 which fixes this already.

I note the security tracker has these CVEs already.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
pn  apache2 | httpd                                        <none>
ii  ca-certificates                                        20200601
pn  default-mysql-client | virtual-mysql-client            <none>
pn  libapache2-mod-php | libapache2-mod-php5 | php | php5  <none>
pn  libjs-cropper                                          <none>
ii  libjs-underscore                                       1.9.1~dfsg-1
pn  php-gd | php5-gd                                       <none>
pn  php-getid3                                             <none>
pn  php-mysql | php5-mysql | php-mysqlnd | php5-mysqlnd    <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwenty  <none>

Versions of packages wordpress suggests:
pn  default-mysql-server | virtual-mysql-server  <none>
pn  php-ssh2                                     <none>
