Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-25 Thread Craig Small
On Tue, 26 Sep. 2017, 11:03 Ángel wrote:

> What about the versions on wheezy/jessie/stretch? Should they be handled
> on this bug, get a new one for each, or will they simply be handled
> without one by the security team, now they have CVEs¹?
>
Stretch security release: I am waiting for the security team to approve the
upload.

Rodrigo has made a backport for Jessie. I'll try to upload it in the next
24 hours.

That's all the other versions I know of.

 - Craig
-- 
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/   csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint:  5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5


Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-25 Thread Ángel
Rodrigo Campos wrote:
> It's already on sid and a backport is ready, will ask for BSA and Craig will
> upload when the BSA is assigned.

What about the versions on wheezy/jessie/stretch? Should they be handled
on this bug, get a new one for each, or will they simply be handled
without one by the security team, now they have CVEs¹?


¹ These issues got assigned CVE-2017-14718 to CVE-2017-14726


Thanks!



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-22 Thread Rodrigo Campos
On Thu, Sep 21, 2017 at 04:26:53PM +0100, Rodrigo Campos wrote:
> On Thu, Sep 21, 2017 at 09:54:49AM +0200, Ángel wrote:
> > Salvatore wrote:
> > > have you identified already the issue -> fixing commit mappings?
> > 
> > For version 4.8.1 [buster, sid], upstream fixed them on 4.8.2
> > https://codex.wordpress.org/Version_4.8.2
> 
> And for jessie backports I'll update as soon as it is on sid :-)

It's already on sid and a backport is ready, will ask for BSA and Craig will
upload when the BSA is assigned.



Thanks!
Rodrigo



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-21 Thread Rodrigo Campos
On Thu, Sep 21, 2017 at 09:54:49AM +0200, Ángel wrote:
> Salvatore wrote:
> > have you identified already the issue -> fixing commit mappings?
> 
> For version 4.8.1 [buster, sid], upstream fixed them on 4.8.2
> https://codex.wordpress.org/Version_4.8.2

And for jessie backports I'll update as soon as it is on sid :-)



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-21 Thread Ángel
Salvatore wrote:
> have you identified already the issue -> fixing commit mappings?

For version 4.8.1 [buster, sid], upstream fixed them on 4.8.2
https://codex.wordpress.org/Version_4.8.2

For version 4.7.5 [stretch], upstream fixed them on 4.7.6
https://codex.wordpress.org/Version_4.7.6

For version 4.1 [jessie], upstream fixed them on 4.1.19
https://codex.wordpress.org/Version_4.1.19

For version 3.6.1 [wheezy], upstream didn't release a fix.


4.7.6 and 4.1.19 seem to be security fixes only. WordPress 4.8.2 also
contains six maintenance fixes to the 4.8 release series (but that would
go to sid, so it's ok).

There is a slightly misleading commit message on one of them whose
description says it's bumping to the wrong version, but other than that
-thankfully- it looks quite clear which issue is fixing each of the
backported commits.



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-20 Thread Craig Small
On Thu, 21 Sep. 2017, 07:15 Salvatore Bonaccorso wrote:

> Are you going to request CVEs for those?
>
> have you identified already the issue -> fixing commit mappings?
>
Hi Salvatore,

Already started talking with Kurt from DWF about the CVE. I am hoping there
will be a new improved setup for the next round of bugs.

Not started the mappings yet but it's on my list. The WPvuln guy has mapped
only the first SQLi.

  - Craig
-- 
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/   csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint:  5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5


Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-20 Thread Salvatore Bonaccorso
Hi Craig,

On Wed, Sep 20, 2017 at 10:20:16PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 4.8.1+dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Wordpress 4.8.2 is out which fixes 9 security issues[1]

Are you going to request CVEs for those?

have you identified already the issue -> fixing commit mappings?

Regards,
Salvatore



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-20 Thread Craig Small
Source: wordpress
Version: 4.8.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

WordPress 4.8.2 is out, which fixes 9 security issues[1]

- $wpdb->prepare() can create unexpected and unsafe queries leading to
  potential SQL injection (SQLi). WordPress core is not directly
  vulnerable to this issue, but we’ve added hardening to prevent plugins
  and themes from accidentally causing a vulnerability. Reported by Slavco.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed
  discovery. Reported by xknown of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in the visual
  editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
- A path traversal vulnerability was discovered in the file unzipping
  code. Reported by Alex Chapman (noxrnet).
- A cross-site scripting (XSS) vulnerability was discovered in the plugin
  editor. Reported by 陈瑞琦 (Chen Ruiqi).
- An open redirect was discovered on the user and term edit screens.
  Reported by Yasin Soliman (ysx).
- A path traversal vulnerability was discovered in the customizer.
  Reported by Weston Ruter of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in template
  names. Reported by Luka (sikic).
- A cross-site scripting (XSS) vulnerability was discovered in the link
  modal. Reported by Anas Roubi (qasuar).



1: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)