Bug#924546: wordpress for buster (was: Re: Bug#924546: wordpress: Comments may create a XSS)
Hi,

I'll see what the release team say. I have everything prepared for a backport, just need the respective OK.

- Craig
Bug#924546: wordpress for buster (was: Re: Bug#924546: wordpress: Comments may create a XSS)
Hi Craig,

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
>
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
>
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

Given we are in freeze, the fix cannot enter buster now without having an ack from release team. Can you check if it would be feasible to make this upload enter buster?

Regards,
Salvatore
Bug#924546: wordpress: Comments may create a XSS
Control: retitle -1 wordpress: CVE-2019-9787: Comments may create a XSS

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
>
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
>
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

CVE-2019-9787 has been assigned for this issue.

Regards,
Salvatore
Bug#924546: wordpress: Comments may create a XSS
Hi Craig,

On Thu, Mar 14, 2019 at 09:20:05PM +1100, Craig Small wrote:
> Source: wordpress
> Version: 5.0.3+dfsg1-1
> Severity: important
> Tags: security
>
> This release also includes a pair of security fixes that handle how
> comments are filtered and then stored in the database. With a
> maliciously crafted comment, a WordPress post was vulnerable to
> cross-site scripting.
>
> WordPress versions 5.1 and earlier are affected by these bugs, which
> are fixed in version 5.1.1. Updated versions of WordPress 5.0 and
> earlier are also available for any users who have not yet updated to
> 5.1.

Can you request a CVE for the XSS issue? Or respectively for the issues fixed in that release?

Regards,
Salvatore
Bug#924546: wordpress: Comments may create a XSS
Source: wordpress
Version: 5.0.3+dfsg1-1
Severity: important
Tags: security

This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.

WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled