Bug#881088: Wordpress on wheezy
I have investigated the issue and found out that it is not just about the missing brace; an additional database upgrade would also be required to fix CVE-2017-14990 in Wheezy. The signup_id column does not exist before version 3.7. In addition, further code changes would be necessary. I believe this would be too intrusive in this case because CVE-2017-14990 is merely a new hardening feature for multisite installations.

I will revert the patch for CVE-2017-14990 for now. I am sorry for any inconvenience this may have caused.

Regards,

Markus
Bug#881088: Wordpress on wheezy
On 12.11.2017 at 11:16, Craig Small wrote:
[...]
> Hi Marcus, are you able to fix wheezy? I assume it was the LTS team that
> did this one as it doesn't appear in the Jessie patch list.

Thank you for contacting me about this bug. I will issue a regression update for Wheezy asap.

Regards,

Markus
Bug#881088: Wordpress on wheezy
On Wed, 8 Nov 2017 at 03:03 Mckinnell, James wrote:

> Initial report of failure to access the Wordpress site - Apache showing Error
> 500
> Apache error.log shows:
> [Wed Nov 01 10:32:53 2017] [error] [client xx.xx.xx.xx] PHP Parse error:
> syntax error, unexpected end of file in
> /usr/share/wordpress/wp-includes/ms-functions.php on line 2016
>
>

Hi Jim,

The error is in the bottom of Debian patch CVE-2017-14990 produced by, I believe, the LTS team. In the patch header it mentions Marcus as the author, who I have CC'ed into this bug report.

Your analysis is correct about the braces, at the near-end of that patch you see.

- if ( empty( $signup ) )
+ if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) ) {

You can see that the removed line has no brace, while the added line has one.

I don't believe the add_action line is a mistake as it's not added in by that patch. It is a syntax error because the function is loaded in before this file is parsed. It's one of those awfulness about PHP that makes debugging so much fun. I use the lint command (php -l myfile.php) to check the patches but even that is not 100% unfortunately.

Hi Marcus, are you able to fix wheezy? I assume it was the LTS team that did this one as it doesn't appear in the Jessie patch list.

- Craig

--
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/ csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz
Twitter: @smallsees
GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
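Review bot: the added line `if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) ) {` opens a block that the removed `if ( empty( $signup ) )` line did not, and the quoted lines show no closing brace to match it. Either add the matching `}` after the guarded statement or drop the trailing `{`, and run php -l over the patched ms-functions.php before upload so that a parse error like the one reported here is caught at build time.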
Bug#881088: Wordpress on wheezy
Package: wordpress
Version: 3.6.1+dfsg-1~deb7u18

Initial report of failure to access the Wordpress site - Apache showing Error 500

Apache error.log shows:
[Wed Nov 01 10:32:53 2017] [error] [client xx.xx.xx.xx] PHP Parse error: syntax error, unexpected end of file in /usr/share/wordpress/wp-includes/ms-functions.php on line 2016

Did the following:

downloaded and unpacked the package:
# cd /var/tmp
# apt-get download wordpress=3.6.1+dfsg-1~deb7u18
# dpkg-deb -x wordpress_3.6.1+dfsg-1~deb7u18_all.deb .

verified syntax error:
# php usr/share/wordpress/wp-includes/ms-functions.php
PHP Parse error: syntax error, unexpected end of file in /var/tmp/usr/share/wordpress/wp-includes/ms-functions.php on line 2016

counted braces:
# fgrep { usr/share/wordpress/wp-includes/ms-functions.php | wc
138 1000 7226
# fgrep } usr/share/wordpress/wp-includes/ms-functions.php | wc
137 279 1728

laboriously found mismatch and made correction:
# cp -p ms-functions.php ms-functions.php_20171107
# vi ms-functions.php
# diff ms-functions.php_20171107 ms-functions.php
845c845
< if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) ) {
-
> if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) )
1756c1756
< add_action('update_option_blog_public', 'update_blog_public', 10, 2);
-
> // add_action('update_option_blog_public', 'update_blog_public', 10, 2);

The first change removes the syntax error (and hopefully preserves what was intended) but leaves an oddity...

Note that there is also a spurious(?) source line not enclosed in any function - is it supposed to be there? I doubt it!

Regards

Jim McKinnell
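Review bot: the 1756c1756 change comments out the top-level add_action('update_option_blog_public', 'update_blog_public', 10, 2); call, which is unrelated to the unbalanced brace at line 845 and unhooks update_blog_public from the update_option_blog_public action. Keep that line as it was and limit the local workaround to the 845c845 change; the follow-up in this thread notes that the CVE-2017-14990 patch did not add the call.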
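The report above counts brace-bearing lines with fgrep and then finds the mismatch by hand. As an added example (not code from this thread or from the Debian package), the Python below pairs braces with a stack, skipping strings and comments, and flags pairs whose lines are indented differently. The sample input is constructed, `find_brace_problems` is a hypothetical helper name, and heredocs and inline HTML are assumed absent.

```python
import re

# Strings and comments are consumed whole so braces inside them are ignored;
# only bare braces land in the "brace" group.
TOKEN = re.compile(r"""
    '(?:\\.|[^'\\])*'        # single-quoted string
  | "(?:\\.|[^"\\])*"        # double-quoted string
  | /\*.*?\*/                # block comment
  | (?://|\#)[^\n]*          # line comment
  | (?P<brace>[{}])
""", re.S | re.X)
LEADING_WS = re.compile(r"[ \t]*")

def _indent(src, pos):
    # Width of the leading whitespace on the line that contains pos.
    start = src.rfind("\n", 0, pos) + 1
    return LEADING_WS.match(src, start).end() - start

def find_brace_problems(src):
    # suspects: (open_line, close_line) pairs indented differently, the usual
    #           sign that a '}' closed the wrong block (None: no opener at all).
    # unclosed: line numbers of every '{' still open at end of file.
    stack, suspects = [], []
    for m in TOKEN.finditer(src):
        brace = m.group("brace")
        if brace is None:
            continue
        line = src.count("\n", 0, m.start()) + 1
        indent = _indent(src, m.start())
        if brace == "{":
            stack.append((line, indent))
        elif not stack:
            suspects.append((None, line))
        else:
            open_line, open_indent = stack.pop()
            if open_indent != indent:
                suspects.append((open_line, line))
    return suspects, [line for line, _ in stack]

# Constructed sample modelled on the hunk quoted in the thread (not the real file).
SAMPLE = '''<?php
function wpmu_activate_signup( $key ) {
    if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) ) {
        return new WP_Error( 'invalid_key', 'Invalid key: "{key}"' );
    if ( $signup->active ) {
        return new WP_Error( 'already_active' );
    }
}
add_action('update_option_blog_public', 'update_blog_public', 10, 2);
'''
```

At end of file the stack only shows the outermost unclosed brace (the function on line 2); the indentation check is what points at line 3, where the stray brace was introduced. The heuristic relies on consistently indented source.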