Your message dated Mon, 05 Jun 2017 17:58:24 +0000
with message-id <[email protected]>
and subject line unblock wordpress
has caused the Debian Bug report #864247,
regarding unblock: wordpress/4.7.5+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864247
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi
Please unblock package wordpress
It fixes #862053, CVE-2017-8295, which was addressed already in the
DSA for jessie (and would otherwise be a regression).
Changelog entry:
>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
> * Don't trust SERVER_NAME variable for emails
> CVE-2017-8295 Closes: #862053
>
> -- Craig Small <[email protected]> Mon, 05 Jun 2017 21:45:59 +1000
unblock wordpress/4.7.5+dfsg-2
I'm attaching the full debdiff against the current version in testing.
Note it as well adjusts the older changelog entry to add the CVE
identifiers.
Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog
wordpress-4.7.5+dfsg/debian/changelog
--- wordpress-4.7.5+dfsg/debian/changelog 2017-05-17 14:28:18.000000000
+0200
+++ wordpress-4.7.5+dfsg/debian/changelog 2017-06-05 13:45:59.000000000
+0200
@@ -1,20 +1,26 @@
+wordpress (4.7.5+dfsg-2) unstable; urgency=medium
+
+ * Don't trust SERVER_NAME variable for emails
+ CVE-2017-8295 Closes: #862053
+
+ -- Craig Small <[email protected]> Mon, 05 Jun 2017 21:45:59 +1000
+
wordpress (4.7.5+dfsg-1) unstable; urgency=high
* New upstream release fixes 6 security issues Closes: #862816
- CVEs to be added once issued
- - CVE-2017-XXX
+ - CVE-2017-9066
Insufficient redirect validation in the HTTP class.
- - CVE-2017-XXX
+ - CVE-2017-9062
Improper handling of post meta data values in the XML-RPC API.
- - CVE-2017-XXX
+ - CVE-2017-9065
Lack of capability checks for post meta data in the XML-RPC API.
- - CVE-2017-XXX
+ - CVE-2017-9064
A Cross Site Request Forgery (CRSF) vulnerability was discovered
in the filesystem credentials dialog.
- - CVE-2017-XXX
+ - CVE-2017-9061
A cross-site scripting (XSS) vulnerability was discovered when
attempting to upload very large files.
- - CVE-2017-XXX
+ - CVE-2017-9063
A cross-site scripting (XSS) vulnerability was discovered related
to the Customizer.
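Review bot: the context line for CVE-2017-9064 in the 4.7.5+dfsg-1 entry still reads "Cross Site Request Forgery (CRSF)"; since this hunk already rewrites that entry to fill in the CVE identifiers, correct it to "CSRF" in the same pass. The new 4.7.5+dfsg-2 entry also does not record that the previous entry was edited; a line such as "Add CVE identifiers to previous changelog entry" would make the retroactive change visible to anyone reading the changelog alone.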
diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
--- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 1970-01-01
01:00:00.000000000 +0100
+++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 2017-06-05
13:45:59.000000000 +0200
@@ -0,0 +1,36 @@
+Description: Don't use SERVER_NAME for emails
+ WordPress uses the SERVER_NAME variable to generate the from address for
+ password resets. This variable can be set by the hostname sent by the
+ client, which means it can be spoofed.
+
+ This patch fixes CVE-2017-8295
+Author: Maarten de Boer
+Origin: upstream,
https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
+Bug: https://core.trac.wordpress.org/ticket/25239
+Bug-Debian: https://bugs.debian.org/862053
+Reviewed-by: Craig Small <[email protected]>
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -323,11 +323,8 @@
+
+ if ( !isset( $from_email ) ) {
+ // Get the site domain and get rid of www.
+- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
+- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+- $sitename = substr( $sitename, 4 );
+- }
+-
++ $sitename = parse_url( network_home_url(), PHP_URL_HOST );
++
+ $from_email = 'wordpress@' . $sitename;
+ }
+
+@@ -1491,7 +1488,7 @@
+ $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url(
"comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
+ }
+
+- $wp_email = 'wordpress@' . preg_replace('#^www\.#', '',
strtolower($_SERVER['SERVER_NAME']));
++ $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
+
+ if ( '' == $comment->comment_author ) {
+ $from = "From: \"$blogname\" <$wp_email>";
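Review bot: in the first pluggable.php hunk, the replacement `$sitename = parse_url( network_home_url(), PHP_URL_HOST );` drops the old "www." stripping, so a site whose home URL uses www.example.org would now send from wordpress@www.example.org, and the retained comment "Get the site domain and get rid of www." no longer matches the code. The second hunk has the same change for $wp_email, which loses its preg_replace('#^www\.#', ...). Either keep the prefix strip on the parsed host or update the comment and mention the behaviour change in the Description. parse_url() can also return null or false when the URL has no host or is malformed, which would leave the address as "wordpress@"; a fallback for that case is worth adding. The Origin field says "upstream" but points at a Trac ticket attachment rather than a commit, so the header should state whether the change has actually been applied upstream.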
diff -Nru wordpress-4.7.5+dfsg/debian/patches/series
wordpress-4.7.5+dfsg/debian/patches/series
--- wordpress-4.7.5+dfsg/debian/patches/series 2017-05-17 14:28:18.000000000
+0200
+++ wordpress-4.7.5+dfsg/debian/patches/series 2017-06-05 13:45:59.000000000
+0200
@@ -3,3 +3,4 @@
003installer.patch
010disabling_update_note.patch
#011support-symlinks-for-plugins.patch
+CVE-2017-8295
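Review bot: the new series entry "CVE-2017-8295" has no .patch suffix, while the neighbouring entries (003installer.patch, 010disabling_update_note.patch) do. Renaming the file to CVE-2017-8295.patch would keep debian/patches consistent.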
--- End Message ---
--- Begin Message ---
Unblocked wordpress.
--- End Message ---