tag 851310 pending
thanks

Hello,
Bug #851310 reported by you has been fixed in the Git repository. You can see the changelog below, and you can check the diff of the fix at:

http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=ec93ce3

---
commit ec93ce3033255ce3a96d827384fe1ef79b337b1b
Author: Craig Small <csm...@debian.org>
Date: Sat Jan 14 11:21:04 2017 +1100

Backport the 4.7.1 security patches

- Cryptographically Weak Pseudo-Random Number Generator
- Accessibility Mode Cross-Site Request Forgery (CSRF)
- Post via Email Checks mail.example.com by Default
- Stored Cross-Site Scripting (XSS) via Theme Name fallback
- Authenticated Cross-Site scripting (XSS) in update-core.php
- Potential Remote Command Execution (RCE) in PHPMailer
* Not vulnerable
* User Information Disclosure via REST API - API doesn't exist
* Documented not vulnerable but unsure (no changeset or proof of concept)
* Cross-Site Request Forgery (CSRF) via Flash Upload

References:
https://bugs.debian.org/851310
https://wpvulndb.com/wordpresses/47
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

diff --git a/debian/changelog b/debian/changelog index 5e2fddc..4d1238c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,19 @@ +wordpress (4.1+dfsg-1+deb8u12) UNRELEASED; urgency=medium + + * Backport patches from 4.7.1 Closes: #851310 + - Cryptographically Weak Pseudo-Random Number Generator + - Accessibility Mode Cross-Site Request Forgery (CSRF) + - Post via Email Checks mail.example.com by Default + - Stored Cross-Site Scripting (XSS) via Theme Name fallback + - Authenticated Cross-Site scripting (XSS) in update-core.php + - Potential Remote Command Execution (RCE) in PHPMailer + * Not vulnerable + * User Information Disclosure via REST API - API doesn't exist + * Documented not vulnerable but unsure (no changeset or proof of concept) + * Cross-Site Request Forgery (CSRF) via Flash Upload + + -- Craig Small <csm...@debian.org> Sat, 14 Jan 2017 09:38:21 +1100 + wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high * Non-maintainer upload by the Security Team.
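Review bot: the new entry closes #851310 while its last item, "Documented not vulnerable but unsure (no changeset or proof of concept)" for the Flash Upload CSRF, records an issue whose status was not established; state explicitly in the entry that no patch was applied for it, and consider keeping that item tracked separately rather than closing it with the rest. The entry also sets urgency=medium on a security backport where the previous upload (deb8u11, jessie-security) used urgency=high, and the distribution is still UNRELEASED, so both need settling before upload. Listing the CVE identifiers next to each backported fix, and writing the closure in the conventional "(Closes: #851310)" form, would make the entry easier to match against the security tracker.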