Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05f299b5 by Guilhem Moulin at 2023-04-24T15:10:13+02:00
Triage CVE-2022-43504/wordpress
- - - - -
cd20d498 by Guilhem Moulin at 2023-04-24T15:10:15+02:00
Triage CVE-2022-{43497,43500,XXXXX}/wordpress
WordPress 6.0.3 release notes have many (>3) XSS vulnerability fixes;
not clear exactly which ones CVE-2022-{43497,43500,XXXXX} refer to, but
I checked that all security fixes coming with 6.0.3 were also backported
in 5.0.18's https://core.trac.wordpress.org/changeset/54571 . (Except
{search, feature image, RSS, widget} block XSS fixes, as the code is not
present in 5.0.)
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -43542,17 +43542,19 @@ CVE-2022-43508 (Use-after free vulnerability exists
in CX-Programmer v.9.77 and
CVE-2022-43504 (Improper authentication vulnerability in WordPress versions
prior to 6 ...)
{DSA-5279-1}
- wordpress 6.0.3+dfsg1-1 (bug #1022575)
- [buster] - wordpress <postponed> (wait for CVE assignment)
+ [buster] - wordpress 5.0.18+dfsg1-0+deb10u1
NOTE:
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
+ NOTE: Fixed by: https://core.trac.wordpress.org/changeset/54531 (6.0)
+ NOTE: Follow-up: https://core.trac.wordpress.org/changeset/54533 (6.0)
CVE-2022-43500 (Cross-site scripting vulnerability in WordPress versions prior
to 6.0. ...)
{DSA-5279-1}
- wordpress 6.0.3+dfsg1-1 (bug #1022575)
- [buster] - wordpress <postponed> (wait for CVE assignment)
+ [buster] - wordpress 5.0.18+dfsg1-0+deb10u1
NOTE:
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
CVE-2022-43497 (Cross-site scripting vulnerability in WordPress versions prior
to 6.0. ...)
{DSA-5279-1}
- wordpress 6.0.3+dfsg1-1 (bug #1022575)
- [buster] - wordpress <postponed> (wait for CVE assignment)
+ [buster] - wordpress 5.0.18+dfsg1-0+deb10u1
NOTE:
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
CVE-2022-43487 (Cross-site scripting vulnerability in Salon booking system
versions pr ...)
NOT-FOR-US: Salon booking system
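Review bot: the buster lines for CVE-2022-43500 and CVE-2022-43497 are flipped from `<postponed> (wait for CVE assignment)` to fixed in `5.0.18+dfsg1-0+deb10u1`, but only the CVE-2022-43504 entry gains `NOTE: Fixed by:` / `NOTE: Follow-up:` references; the two XSS entries keep just the release-announcement URL. Since the commit message says it is not clear which 6.0.3 XSS fix each of these CVEs refers to, and that the mapping to 5.0.18 was verified against https://core.trac.wordpress.org/changeset/54571, that changeset should be recorded as a `NOTE:` on both entries (e.g. `NOTE: Backported to 5.0.18 in https://core.trac.wordpress.org/changeset/54571`), so a later triager can see why buster is marked fixed without re-deriving it from the commit log.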
@@ -55846,7 +55848,7 @@ CVE-2006-20001 (A carefully crafted If: request header
can cause a memory read,
CVE-2022-XXXX [wordpress 6.0.3]
- wordpress 6.0.3+dfsg1-1 (bug #1022575)
[bullseye] - wordpress 5.7.8+dfsg1-0+deb11u1
- [buster] - wordpress <postponed> (wait for CVE assignment)
+ [buster] - wordpress 5.0.18+dfsg1-0+deb10u1
NOTE:
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
NOTE: Some issues covered by CVE-2022-43497, CVE-2022-43500 and
CVE-2022-43504
CVE-2022-XXXX [wordpress 6.0.2]
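Review bot: marking buster as fixed in `5.0.18+dfsg1-0+deb10u1` on the `CVE-2022-XXXX [wordpress 6.0.3]` placeholder asserts that every unassigned 6.0.3 issue is addressed there, yet the commit message states the search, feature image, RSS and widget block XSS fixes were deliberately not backported because that code does not exist in 5.0. That reasoning is not visible in the entry: the only NOTE is `Some issues covered by CVE-2022-43497, CVE-2022-43500 and CVE-2022-43504`. Add a NOTE on this entry stating that the remaining block-editor XSS fixes are not applicable to 5.0.x, so the fixed version is not read later as "all 6.0.3 fixes present in buster".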
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/88028fdad75aa51bddad4a51f282f36b1c143136...cd20d4983d4d2d9c5e8463d89bd1c9e1b9928b50
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits