tag 851310 pending
thanks

Hello,

Bug #851310 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=ec93ce3

---
commit ec93ce3033255ce3a96d827384fe1ef79b337b1b
Author: Craig Small <csm...@debian.org>
Date:   Sat Jan 14 11:21:04 2017 +1100

    Backport the 4.7.1 security patches
    
     - Cryptographically Weak Pseudo-Random Number Generator
     - Accessibility Mode Cross-Site Request Forgery (CSRF)
     - Post via Email Checks mail.example.com by Default
     - Stored Cross-Site Scripting (XSS) via Theme Name fallback
     - Authenticated Cross-Site scripting (XSS) in update-core.php
     - Potential Remote Command Execution (RCE) in PHPMailer
    
    * Not vulnerable
     * User Information Disclosure via REST API - API doesn't exist
    * Documented not vulnerable but unsure (no changeset or proof of concept)
     * Cross-Site Request Forgery (CSRF) via Flash Upload
    
    References:
      https://bugs.debian.org/851310
      https://wpvulndb.com/wordpresses/47
      https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

diff --git a/debian/changelog b/debian/changelog
index 5e2fddc..4d1238c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+wordpress (4.1+dfsg-1+deb8u12) UNRELEASED; urgency=medium
+
+  *  Backport patches from 4.7.1 Closes: #851310
+     - Cryptographically Weak Pseudo-Random Number Generator
+     - Accessibility Mode Cross-Site Request Forgery (CSRF)
+     - Post via Email Checks mail.example.com by Default
+     - Stored Cross-Site Scripting (XSS) via Theme Name fallback
+     - Authenticated Cross-Site scripting (XSS) in update-core.php
+     - Potential Remote Command Execution (RCE) in PHPMailer
+  * Not vulnerable
+     * User Information Disclosure via REST API - API doesn't exist
+  * Documented not vulnerable but unsure (no changeset or proof of concept)
+     * Cross-Site Request Forgery (CSRF) via Flash Upload
+
+ -- Craig Small <csm...@debian.org>  Sat, 14 Jan 2017 09:38:21 +1100
+
 wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
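
Review bot: The new entry at the top of debian/changelog lists six backported fixes, including "Potential Remote Command Execution (RCE) in PHPMailer", but gives no CVE identifier for any of them and sets urgency=medium, while the previous security upload (deb8u11) used urgency=high. Consider adding the CVE id to each item so the fixes can be matched against the security tracker, and reviewing the urgency before the distribution is changed from UNRELEASED. The line "*  Backport patches from 4.7.1 Closes: #851310" has a double space after the bullet and runs the Closes: tag into the title with no punctuation, and the sub-items switch between "-" and "*" markers. "Documented not vulnerable but unsure" is ambiguous as written; saying who documents the Flash Upload CSRF as not affecting this version, and that this could not be confirmed because there is no changeset or proof of concept, would be clearer for whoever audits this upload later.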
