Bug#839190: marked as done (wordpress 4.1+dfsg-1+deb8u10 regression)
Your message dated Mon, 03 Oct 2016 19:17:08 + with message-id <e1br8jc-at...@franck.debian.org> and subject line Bug#839190: fixed in wordpress 4.1+dfsg-1+deb8u11 has caused the Debian Bug report #839190, regarding wordpress 4.1+dfsg-1+deb8u10 regression to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
839190: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: wordpress
Version: 4.1+dfsg-1+deb8u10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I've just applied a normal update to jessie, and wordpress 4.1+dfsg-1+deb8u10 (security fix) exhibits a regression, which causes all wordpress sites to fail with the following error in the web server error log:

Thu Sep 29 23:56:10 2016 - PHP Fatal error: Cannot redeclare wp_json_encode() \
  (previously declared in /usr/share/wordpress/wp-includes/functions.php:2649) \
  in /usr/share/wordpress/wp-includes/functions.php on line 2818

Downgrading to 4.1+dfsg-1+deb8u9 restores expected behaviour.

Cheers, Phil.

-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii ca-certificates 20141019+deb8u1
ii libjs-cropper 1.2.2-1
ii libjs-mediaelement 2.15.1+dfsg-1
ii libphp-phpmailer 5.2.9+dfsg-2+deb8u1
ii mysql-client-5.5 [mysql-client] 5.5.52-0+deb8u1
ii nginx-full [httpd] 1.6.2-5+deb8u2+b1
ii php-getid3 1.9.8-3
ii php5 5.6.24+dfsg-0+deb8u1
ii php5-gd 5.6.24+dfsg-0+deb8u1
ii php5-mysql 5.6.24+dfsg-0+deb8u1
ii wordpress-theme-twentyfifteen 4.1+dfsg-1+deb8u10

Versions of packages wordpress recommends:
ii wordpress-l10n 4.1+dfsg-1+deb8u10

Versions of packages wordpress suggests:
ii mysql-server 5.5.52-0+deb8u1
--- End Message ---

--- Begin Message ---
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u11

We believe that the bug you reported is fixed in the latest version of wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 839...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Yves-Alexis Perez <cor...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 01 Oct 2016 11:38:14 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
 wordpress - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 839190
Changes:
 wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/CVE-2016-6635.patch:
     - don't duplicate wp_encode_json() which has already been backported
       upstream, just merge later changes, fix regression in the previous
       upload. closes: #839190
   * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.
Checksums-Sha1:
 760d8f442093f2980779e6cc14e6fdd8d486dfb8 2173 wordpress_4.1+dfsg-1+deb8u11.dsc
 017ed5af867e0028c790544842801944fb2cb069 6031528 wordpress_4.1+dfsg-1+deb8u11.debian.tar.xz
 d8742e21b7b20ef883ed9a7023e490e8a067e8a8 3170566 wordpress_4.1+dfsg-1+deb8u11_all.deb
 ba9e2249497765
Bug#839190: closing 839190
close 839190 4.1+dfsg-1+deb8u11
thanks
Processed: Bug#839190 marked as pending
Processing commands for cont...@bugs.debian.org:

> tag 839190 pending
Bug #839190 [wordpress] wordpress 4.1+dfsg-1+deb8u10 regression
Ignoring request to alter tags of bug #839190 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
839190: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#839190: marked as pending
tag 839190 pending
thanks

Hello,

Bug #839190 reported by you has been fixed in the Git repository. You can see the changelog below, and you can check the diff of the fix at:

http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=517f657

---
commit 517f65760c1d1a9b9aacc92fdbb382afdb074ba1
Author: Yves-Alexis Perez <cor...@debian.org>
Date:   Fri Sep 30 09:46:15 2016 +0200

    Fix regression in previous upload

    * Non-maintainer upload by the Security Team.
    * debian/patches/CVE-2016-6635.patch:
      - don't duplicate wp_encode_json() which has already been backported
        upstream, just merge later changes, fix regression in the previous
        upload.

diff --git a/debian/changelog b/debian/changelog index ad90ddc..3c7cc96 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +wordpress (4.1+dfsg-1+deb8u11) UNRELEASED; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches/CVE-2016-6635.patch: +- don't duplicate wp_encode_json() which has already been backported + upstream, just merge later changes, fix regression in the previous + upload. closes: #839190 + + -- Yves-Alexis Perez <cor...@debian.org> Fri, 30 Sep 2016 09:45:14 +0200 + wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high * Backport patches from 4.6.1/4.1.13 Closes: #837090
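Review bot: the new changelog stanza names the duplicated function wp_encode_json(), but the function PHP refuses to redeclare in the reported fatal error, and the one removed by the functions.php patch in this thread, is wp_json_encode(); the line `+- don't duplicate wp_encode_json() which has already been backported` should use the real name so that anyone grepping the changelog for the regression finds it. Separately, the stanza header `+wordpress (4.1+dfsg-1+deb8u11) UNRELEASED; urgency=high` still carries UNRELEASED, which is fine for the commit but must be changed to jessie-security before the upload (the deb8u11 .changes file in this thread shows that it was).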
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
On 30/09/16 09:20, Yves-Alexis Perez wrote:
> control: tag -1 patch pending
>
> Hi,
>
> thanks for the report, we're aware of the regression. Can you try the attached patch against functions.php and report back, as soon as possible?
>
> Regards,

Hi,

Applied as follows:

# cd /
# patch -p1
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
On Fri, 30 Sep 2016 10:29:41 +0200 Yves-Alexis Perez wrote:
> As for the more general trend, it might also be because the landscape is more and more complex and time consuming, and there's never enough people to help on this.

Yes, I can imagine that (for more than a decade, I got away with relying on Debian's high standards and not having a test server at all, although I probably should have).

Thanks for the quick turnaround and all the work over the years, I really appreciate that. Merci.

Best regards,
Laurențiu
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
Thanks guys!

Adam

On Fri, Sep 30, 2016 at 1:29 AM, Yves-Alexis Perez wrote:
> On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
> >
> > Your patch seems to work. The Ansible playbook completes successfully
> > (it's pretty extensive, from the database creation to importing old
> > posts and media, configuring users and several plugins programmatically
> > with wp-cli, so I'm pretty confident there are no other issues) and
> > browsing the site and logging in as admin and accessing different
> > settings works without any warnings or errors.
>
> Thanks for the report, I'll push a regression update asap
>
> > As a side note, I started using Debian with 2.2r3, and have the
> > impression that problematic security updates became more frequent in the
> > last few years. Are DSAs typically tested before being released? It
> > wouldn't be realistic to expect the security team to have tests for each
> > of the tens of thousands of packages that Debian carries, but the
> > package maintainer should have a working installation with stable or
> > oldstable for testing patches before release? Could also be just my
> > selective memory, though... :)
>
> Unfortunately, on this one, there was some miscoordination between Craig (who
> prepared the upload) and me (who released it and sent the DSA), and in the end
> the package itself wasn't indeed tested as it should.
>
> As for the more general trend, it might also be because the landscape is more
> and more complex and time consuming, and there's never enough people to help
> on this.
>
> Regards,
> --
> Yves-Alexis
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Sep 30, 2016 at 04:50:03PM +0200, Stefano Zacchiroli wrote:
> On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> > thanks for the report, we're aware of the regression. Can you try the
> > attached patch against functions.php and report back, as soon as possible?
>
> I've tried the patch, and it fixed the regression for me.

Thanks for the report. I have a package nearly ready for upload but I'm waiting for some bits from Craig to fix a build failure which I'm not sure why happens here. Stay tuned.

Regards,
- --
Yves-Alexis Perez
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJX7n2tAAoJEG3bU/KmdcCl92QH/1tBzdXrTzrtH2TFfK1+zxBo
B8N5bAAgRIytkLlPilsiXWvq3aUmDZlSC3l75DkEWvK7qO6IMwDWBjWiBwIS2ODz
0aePrfoVNCUI1NjyiloGk5zyPOk1w5Qmsm2Yz2LmLJJmnl/9hC0zA6cnKWc0loE+
XGyMC9zedCy8kF3itY7V7kztGNcyu3RDjLc7/cWN6rLJcbKeb2N4gXaKgvRC/sjA
3Is+tW6MG+jObUMNaF7W4Y6s5QOH+a5GukYt4VrwCkfn3NLgdM3gQ0dmDhkJzt9h
Z79LbUJhxqCbF+LkKD7yFglsJff64lO/bNUeSeQoIvscp9B0RoLtTvROq0V4Tdk=
=1Ymt
-----END PGP SIGNATURE-----
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> thanks for the report, we're aware of the regression. Can you try the attached
> patch against functions.php and report back, as soon as possible?

I've tried the patch, and it fixed the regression for me.

Cheers.
--
Stefano Zacchiroli . z...@upsilon.cc . upsilon.cc/zack . . o . . . o . o
Computer Science Professor . CTO Software Heritage . . . . . o . . . o o
Former Debian Project Leader . OSI Board Director . . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
>
> Your patch seems to work. The Ansible playbook completes successfully
> (it's pretty extensive, from the database creation to importing old
> posts and media, configuring users and several plugins programmatically
> with wp-cli, so I'm pretty confident there are no other issues) and
> browsing the site and logging in as admin and accessing different
> settings works without any warnings or errors.

Thanks for the report, I'll push a regression update asap

>
> As a side note, I started using Debian with 2.2r3, and have the
> impression that problematic security updates became more frequent in the
> last few years. Are DSAs typically tested before being released? It
> wouldn't be realistic to expect the security team to have tests for each
> of the tens of thousands of packages that Debian carries, but the
> package maintainer should have a working installation with stable or
> oldstable for testing patches before release? Could also be just my
> selective memory, though... :)

Unfortunately, on this one, there was some miscoordination between Craig (who prepared the upload) and me (who released it and sent the DSA), and in the end the package itself wasn't indeed tested as it should.

As for the more general trend, it might also be because the landscape is more and more complex and time consuming, and there's never enough people to help on this.

Regards,
--
Yves-Alexis
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
control: tag -1 patch pending

Hi,

thanks for the report, we're aware of the regression. Can you try the attached patch against functions.php and report back, as soon as possible?

Regards,
--
Yves-Alexis Perez - Debian Security

--- /usr/share/wordpress/wp-includes/functions.php.old 2016-09-30 09:25:52.577170437 +0200
+++ /usr/share/wordpress/wp-includes/functions.php 2016-09-30 09:27:12.659872469 +0200
@@ -2644,142 +2644,6 @@ * @param int $options Optional. Options to be passed to json_encode(). Default 0. * @param int $depth Optional. Maximum depth to walk through $data. Must be * greater than 0. Default 512. - * @return bool|string The JSON encoded string, or false if it cannot be encoded. - */ -function wp_json_encode( $data, $options = 0, $depth = 512 ) { - /* - * json_encode() has had extra params added over the years. - * $options was added in 5.3, and $depth in 5.5. - * We need to make sure we call it with the correct arguments. - */ - if ( version_compare( PHP_VERSION, '5.5', '>=' ) ) { - $args = array( $data, $options, $depth ); - } elseif ( version_compare( PHP_VERSION, '5.3', '>=' ) ) { - $args = array( $data, $options ); - } else { - $args = array( $data ); - } - - $json = call_user_func_array( 'json_encode', $args ); - - // If json_encode() was successful, no need to do more sanity checking. - // ... unless we're in an old version of PHP, and json_encode() returned - // a string containing 'null'. Then we need to do more sanity checking. - if ( false !== $json && ( version_compare( PHP_VERSION, '5.5', '>=' ) || false === strpos( $json, 'null' ) ) ) { - return $json; - } - - try { - $args[0] = _wp_json_sanity_check( $data, $depth ); - } catch ( Exception $e ) { - return false; - } - - return call_user_func_array( 'json_encode', $args ); -} - -/** - * Perform sanity checks on data that shall be encoded to JSON. - * - * @see wp_json_encode() - * - * @since 4.1.0 - * @access private - * @internal - * - * @param mixed $data Variable (usually an array or object) to encode as JSON. - * @param int $depth Maximum depth to walk through $data. Must be greater than 0. - * @return mixed The sanitized data that shall be encoded to JSON. 
- */ -function _wp_json_sanity_check( $data, $depth ) { - if ( $depth < 0 ) { - throw new Exception( 'Reached depth limit' ); - } - - if ( is_array( $data ) ) { - $output = array(); - foreach ( $data as $id => $el ) { - // Don't forget to sanitize the ID! - if ( is_string( $id ) ) { -$clean_id = _wp_json_convert_string( $id ); - } else { -$clean_id = $id; - } - - // Check the element type, so that we're only recursing if we really have to. - if ( is_array( $el ) || is_object( $el ) ) { -$output[ $clean_id ] = _wp_json_sanity_check( $el, $depth - 1 ); - } elseif ( is_string( $el ) ) { -$output[ $clean_id ] = _wp_json_convert_string( $el ); - } else { -$output[ $clean_id ] = $el; - } - } - } elseif ( is_object( $data ) ) { - $output = new stdClass; - foreach ( $data as $id => $el ) { - if ( is_string( $id ) ) { -$clean_id = _wp_json_convert_string( $id ); - } else { -$clean_id = $id; - } - - if ( is_array( $el ) || is_object( $el ) ) { -$output->$clean_id = _wp_json_sanity_check( $el, $depth - 1 ); - } elseif ( is_string( $el ) ) { -$output->$clean_id = _wp_json_convert_string( $el ); - } else { -$output->$clean_id = $el; - } - } - } elseif ( is_string( $data ) ) { - return _wp_json_convert_string( $data ); - } else { - return $data; - } - - return $output; -} - -/** - * Convert a string to UTF-8, so that it can be safely encoded to JSON. - * - * @see _wp_json_sanity_check() - * - * @since 4.1.0 - * @access private - * @internal - * - * @param string $string The string which is to be converted. - * @return string The checked string. 
- */ -function _wp_json_convert_string( $string ) { - static $use_mb = null; - if ( is_null( $use_mb ) ) { - $use_mb = function_exists( 'mb_convert_encoding' ); - } - - if ( $use_mb ) { - $encoding = mb_detect_encoding( $string, mb_detect_order(), true ); - if ( $encoding ) { - return mb_convert_encoding( $string, 'UTF-8', $encoding ); - } else { - return mb_convert_encoding( $string, 'UTF-8', 'UTF-8' ); - } - } else { - return wp_check_invalid_utf8( $string, true ); - } -} - -/** - * Encode a variable into JSON, with some sanity checks. - * - * @since 4.1.0 - * - * @param mixed $dataVariable (usually an array or object) to encode as JSON. - * @param int $options Optional. Options to be passed to json_encode(). Default 0. - * @param int $depth Optional. Maximum depth to walk through $data. Must be - * greater than 0. Default 512. * @return string|false The JSON encoded string, or false if it cannot be encoded. */ function wp_json_encode( $data, $options = 0, $depth = 512 ) { @@ -2867,39 +2731,6 @@ } } -/** - * Convert a string to UTF-8, so that it can be safely
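Review bot: the first hunk (`@@ -2644,142 +2644,6 @@`) removes the earlier copies of wp_json_encode(), _wp_json_sanity_check() and _wp_json_convert_string() and splices the head of the first docblock (its `@param` lines) onto the tail of the second (`* @return string|false ...`) just above the retained `function wp_json_encode( $data, $options = 0, $depth = 512 ) {`, while the second hunk (`@@ -2867,39 +2731,6 @@`, cut off in this copy of the mail) starts removing yet another `Convert a string to UTF-8` docblock; with three functions each present more than once before the patch, the thing to verify after applying it is that exactly one definition of each survives and that the survivor is the upstream-backported wp_json_encode() the changelog refers to rather than the older copy, since only the removed side is visible here. A quick count such as `grep -c 'function wp_json_encode' wp-includes/functions.php` (expected 1, likewise for the two `_wp_json_` helpers) catches a mis-applied or partially applied hunk before the web server is reloaded.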
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
Package: wordpress
Version: 4.1+dfsg-1+deb8u10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I've just applied a normal update to jessie, and wordpress 4.1+dfsg-1+deb8u10 (security fix) exhibits a regression, which causes all wordpress sites to fail with the following error in the web server error log:

Thu Sep 29 23:56:10 2016 - PHP Fatal error: Cannot redeclare wp_json_encode() \
  (previously declared in /usr/share/wordpress/wp-includes/functions.php:2649) \
  in /usr/share/wordpress/wp-includes/functions.php on line 2818

Downgrading to 4.1+dfsg-1+deb8u9 restores expected behaviour.

Cheers, Phil.

-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii ca-certificates 20141019+deb8u1
ii libjs-cropper 1.2.2-1
ii libjs-mediaelement 2.15.1+dfsg-1
ii libphp-phpmailer 5.2.9+dfsg-2+deb8u1
ii mysql-client-5.5 [mysql-client] 5.5.52-0+deb8u1
ii nginx-full [httpd] 1.6.2-5+deb8u2+b1
ii php-getid3 1.9.8-3
ii php5 5.6.24+dfsg-0+deb8u1
ii php5-gd 5.6.24+dfsg-0+deb8u1
ii php5-mysql 5.6.24+dfsg-0+deb8u1
ii wordpress-theme-twentyfifteen 4.1+dfsg-1+deb8u10

Versions of packages wordpress recommends:
ii wordpress-l10n 4.1+dfsg-1+deb8u10

Versions of packages wordpress suggests:
ii mysql-server 5.5.52-0+deb8u1
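The fatal error quoted in the report ("Cannot redeclare wp_json_encode()") is what PHP emits when the same top-level function is declared twice in one file, which is how deb8u10's functions.php ended up once the security patch re-added a function upstream had already backported. The following is an added example, not taken from the bug report or from the Debian wordpress package: a small POSIX shell check that a maintainer or administrator can run over a patched functions.php before uploading or reloading the web server. The function names find_duplicate_functions and check_no_redeclare, the temporary file names and the sample PHP are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Debian wordpress
# package: a pre-deployment check for the condition behind
# "PHP Fatal error: Cannot redeclare wp_json_encode()", i.e. the same
# top-level function declared twice in one PHP file.
# Assumes POSIX sh plus grep, sed, sort, uniq and mktemp. File names and
# the sample PHP below are constructed for the demonstration.

# Print the name of every function declared more than once in the file $1.
# Only lines that begin with "function" (optionally indented) are counted,
# so docblock references such as "@see wp_json_encode()" and class methods
# that carry a visibility modifier are ignored; for a flat library file
# such as wp-includes/functions.php that is the right granularity.
find_duplicate_functions() {
    grep -E '^[[:space:]]*function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' "$1" \
        | sed -E 's/^[[:space:]]*function[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
        | sort | uniq -d
}

# Return 0 when the file is clean and 1 when at least one duplicate exists,
# so it can gate a package build or a php-fpm / web server reload.
check_no_redeclare() {
    dups=$(find_duplicate_functions "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate function declaration(s) in %s:\n%s\n' "$1" "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample reproducing the deb8u10 shape: a second copy of
# wp_json_encode() appended below the one that was already present.
REGRESSED=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$REGRESSED" "$FIXED"' EXIT

cat > "$REGRESSED" <<'EOF'
<?php
/**
 * Encode a variable into JSON, with some sanity checks.
 * @see wp_json_encode()
 */
function wp_json_encode( $data, $options = 0, $depth = 512 ) {
    return json_encode( $data, $options, $depth );
}

function _wp_json_sanity_check( $data, $depth ) {
    return $data;
}

// Duplicate re-added by a patch although upstream had already backported it.
function wp_json_encode( $data, $options = 0, $depth = 512 ) {
    return json_encode( $data, $options, $depth );
}
EOF

# Constructed sample of the fixed shape: every function declared exactly once.
cat > "$FIXED" <<'EOF'
<?php
function wp_json_encode( $data, $options = 0, $depth = 512 ) {
    return json_encode( $data, $options, $depth );
}

function _wp_json_sanity_check( $data, $depth ) {
    return $data;
}
EOF

check_no_redeclare "$REGRESSED" || echo "regressed sample flagged, as expected"
check_no_redeclare "$FIXED" && echo "fixed sample is clean"
```

The check is deliberately syntactic: it tells you that a patch left two declarations behind, which is the failure mode in this bug, but not which copy survived. Whether the retained copy is the upstream-backported one that carries the CVE-2016-6635 change is a separate review step against the patch itself.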