Source: wordpress
Version: 4.9.4-1
Severity: grave
Tags: security upstream
Justification: user security hole

WordPress 4.9.5 fixes 3 security issues:
 1) Don't treat localhost as same host by default.
 2) Use safe redirects when redirecting the login page if SSL is forced.
 3) Make sure the version string is correctly escaped for use in generator tags.

The patches are:
 1) 42894 - https://core.trac.wordpress.org/changeset/42894
 2) 42892 - https://core.trac.wordpress.org/changeset/42892
 3) 42893 - https://core.trac.wordpress.org/changeset/42893

Sid, Buster, Stretch and Jessie all have these issues.

 - Craig

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled