Re: [SECURITY] [DLA 3756-1] wordpress security update
I'm just going to state this and let y'all figure it out. Security Exploits / CVE? Look no matter what OS, or SOFTWARE you run on your electronics hardware. At the end of the day, Electronics has a fatal flaw. And cannot be secured. That flaw has been known about since Electronics was invented / discovered. And any notion of " Security " of electronics, or software operating on electronics. Is a delusional thought.

-StealthMode

On Sun, Mar 10, 2024 at 3:19 PM Markus Koschany wrote:
> -
> Debian LTS Advisory DLA-3756-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                      Markus Koschany
> March 10, 2024                                https://wiki.debian.org/LTS
> -
>
> Package: wordpress
> Version: 5.0.21+dfsg1-0+deb10u1
> CVE ID : not yet available
>
> Two security vulnerabilities have been discovered in Wordpress, a
> popular content management framework, a PHP File Upload bypass via the
> plugin installer and a possible remote code execution vulnerability which
> requires an attacker to control all the properties of a deserialized
> object. No CVE have been assigned for these problems yet.
>
> https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
>
> For Debian 10 buster, this problem has been fixed in version
> 5.0.21+dfsg1-0+deb10u1.
>
> We recommend that you upgrade your wordpress packages.
>
> For the detailed security status of wordpress please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/wordpress
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
Wordpress security update
Hi Craig,

I'm about to release the next Wheezy security update for Wordpress. I noticed that you didn't update the minified Javascript files for Jessie. I have simply used yui-compressor to convert the regular *.js files into the minified version because apparently *.js and *.min.js files are all installed into the wordpress package, so I can't rule out for sure that the minified version is not used in the end. Was this just an oversight or do you think the update of the minified version is not needed?

I also saw the patch for CVE-2017-8295. It seems to me that upstream have not decided yet which path they want to go. The patch looks sane though. What's your opinion?

Regards,

Markus
Re: Wordpress security update
On Mar/15, Craig Small wrote:
> I saw the rejection of the old package so uploaded it and the new second
> package got rejected so something is unhappy about all of this.

Yes, the policy queue also needs to be cleared. It's OK now, please upload.

Cheers,

--Seb
Re: Wordpress security update
I saw the rejection of the old package so uploaded it and the new second package got rejected so something is unhappy about all of this.

- Craig

On Thu, Mar 16, 2017 at 6:23 AM Craig Small wrote:
> Great stuff,
> I have rebuilt them with the two missing functions, just need the ok to
> upload.
>
> - Craig
>
>
> On Wed, Mar 15, 2017 at 10:01 PM Sébastien Delafond
> wrote:
>
> On Mar/15, Craig Small wrote:
> > Damn, you're right. I missed that. Upstream missed it too! I'll need
> > to add those to the security package too.
>
> I'll take care of removing the current package on security-master, so
> you don't have to bump the version again. I'll let you know once it's OK
> to re-upload.
>
> Cheers,
>
> --Seb
>
> --
> Craig Small (@smallsees) http://dropbear.xyz/ csmall at : enc.com.au
> Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
> GPG fingerprint:5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
>

--
Craig Small (@smallsees) http://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
GPG fingerprint:5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
Re: Wordpress security update
Great stuff,
I have rebuilt them with the two missing functions, just need the ok to upload.

- Craig

On Wed, Mar 15, 2017 at 10:01 PM Sébastien Delafond wrote:
> On Mar/15, Craig Small wrote:
> > Damn, you're right. I missed that. Upstream missed it too! I'll need
> > to add those to the security package too.
>
> I'll take care of removing the current package on security-master, so
> you don't have to bump the version again. I'll let you know once it's OK
> to re-upload.
>
> Cheers,
>
> --Seb
>

--
Craig Small (@smallsees) http://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
GPG fingerprint:5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
Re: Wordpress security update
On Mar/15, Craig Small wrote:
> Damn, you're right. I missed that. Upstream missed it too! I'll need
> to add those to the security package too.

I'll take care of removing the current package on security-master, so you don't have to bump the version again. I'll let you know once it's OK to re-upload.

Cheers,

--Seb
Re: Wordpress security update
On Tue, Mar 14, 2017 at 8:44 PM Markus Koschany wrote:
> By the way I think your patch cs40155_media_metadata, CVE-2017-6814,
> requires a backport of two more functions: wp_kses_post_deep and map_deep.
>

Damn, you're right. I missed that. Upstream missed it too! I'll need to add those to the security package too.

- Craig

--
Craig Small (@smallsees) http://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
GPG fingerprint:5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
Re: Wordpress security update
On Mar/14, Markus Koschany wrote:
> > So my whole rationale for adding this one in and going against what
> > WPScan said is purely 40176 is in the 4.1 branch of the upstream's
> > svn. Looking at the relevant file it does look like it does things
> > and not dead or unreachable code, so I think 4.1 is vulnerable, but
> > PHP code is horrible to debug for that sort of thing.
>
> Thanks for the explanation. That makes sense.

I've updated the tracker accordingly.

Cheers,

--Seb
Re: Wordpress security update
On 14.03.2017 at 10:09, Craig Small wrote:
> Hi Markus,
> I nearly missed this one. If you go to WPScan[1] which is a great
> resource it says it is versions 4.7.0-4.7.2 only which implies that
> jessie is not impacted.
>
> However, I also go look at the 4.1 changesets on the upstream[2] as they
> have done all the hard work (mainly) of backporting the patches to
> jessie or at least a generic 4.1 wordpress. Within that you will see
> changeset 40176[3] which is the 4.1 version of 40169 which is the
> changeset for this patch in the 4.7 branch.
>
> So my whole rationale for adding this one in and going against what
> WPScan said is purely 40176 is in the 4.1 branch of the upstream's svn.
> Looking at the relevant file it does look like it does things and not
> dead or unreachable code, so I think 4.1 is vulnerable, but PHP code is
> horrible to debug for that sort of thing.

Thanks for the explanation. That makes sense.

By the way I think your patch cs40155_media_metadata, CVE-2017-6814, requires a backport of two more functions: wp_kses_post_deep and map_deep.

Markus
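The gap noted in the message above (a backported patch calling helpers that the older branch does not have) can be checked mechanically before upload. The following is an added example, not part of the thread or of the Debian packaging: the toy tree, both patches, `example.php` and `example_store_metadata` are constructed for illustration, and the regex scan is a heuristic rather than a PHP parser.

```python
import re

# PHP language constructs that look like calls but are not functions.
PHP_KEYWORDS = {"if", "elseif", "while", "for", "foreach", "switch", "array",
                "isset", "empty", "unset", "list", "function", "catch"}
# A bare name followed by "(", not a method (->), static (::) or variable ($) call.
CALL_RE = re.compile(r"(?<![\w>:$])([A-Za-z_]\w*)\s*\(")
DEF_RE = re.compile(r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(")


def added_lines(patch_text):
    """Return the '+' lines of a unified diff, without the '+++' file headers."""
    return [l[1:] for l in patch_text.splitlines()
            if l.startswith("+") and not l.startswith("+++")]


def missing_functions(patch_text, tree_sources, builtins=()):
    """Names called in added lines that neither the tree, the patch nor PHP defines."""
    added = "\n".join(added_lines(patch_text))
    defined = {b.lower() for b in builtins}  # PHP function names are case-insensitive
    for src in list(tree_sources) + [added]:
        defined.update(n.lower() for n in DEF_RE.findall(src))
    called = {n.lower() for n in CALL_RE.findall(added)} - PHP_KEYWORDS
    return sorted(called - defined)


# Constructed sample data: a toy old-branch tree and two toy backport patches.
OLD_TREE = ["<?php function wp_kses_post( $data ) { return $data; }"]
BUILTINS = {"is_array", "trim"}  # in practice: PHP's get_defined_functions()['internal']
PATCH_1 = """\
--- a/example.php
+++ b/example.php
@@ -10,3 +10,4 @@
 function example_store_metadata( &$metadata, $data ) {
-    $metadata['title'] = $data['title'];
+    $clean = wp_kses_post_deep( $data );
+    if ( is_array( $clean ) ) { $metadata['title'] = trim( $clean['title'] ); }
 }
"""
# Second attempt: the patch now also carries the helper, which calls another one.
PATCH_2 = PATCH_1 + """\
@@ -40,0 +41,3 @@
+function wp_kses_post_deep( $data ) {
+    return map_deep( $data, 'wp_kses_post' );
+}
"""

if __name__ == "__main__":
    print(missing_functions(PATCH_1, OLD_TREE, BUILTINS))  # ['wp_kses_post_deep']
    print(missing_functions(PATCH_2, OLD_TREE, BUILTINS))  # ['map_deep']
```

Re-running the check after each added helper catches dependencies that only appear once the first missing function has been backported.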
Re: Wordpress security update
Hi Markus,
I nearly missed this one. If you go to WPScan[1] which is a great resource it says it is versions 4.7.0-4.7.2 only which implies that jessie is not impacted.

However, I also go look at the 4.1 changesets on the upstream[2] as they have done all the hard work (mainly) of backporting the patches to jessie or at least a generic 4.1 wordpress. Within that you will see changeset 40176[3] which is the 4.1 version of 40169 which is the changeset for this patch in the 4.7 branch.

So my whole rationale for adding this one in and going against what WPScan said is purely 40176 is in the 4.1 branch of the upstream's svn. Looking at the relevant file it does look like it does things and not dead or unreachable code, so I think 4.1 is vulnerable, but PHP code is horrible to debug for that sort of thing.

- Craig

1: https://wpvulndb.com/
2: https://core.trac.wordpress.org/log/branches/4.1
3: https://core.trac.wordpress.org/changeset/40176/branches/4.1

--
Craig Small (@smallsees) http://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
GPG fingerprint:5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
Wordpress security update
Hello Craig, hello security team

I am currently working on a security update of Wordpress for Wheezy. Craig I noticed your Git commit for Jessie [1]. You fixed CVE-2017-6816 (cs40176_plugin_delete) although the security team marked this one as for both Wheezy and Jessie. However I tend to agree with you that they are affected.

@security team: Why did you choose to mark CVE-2017-6816 as not affected?

@Craig: How did you get the information about affected versions in your initial bug report which might explain this decision? [2]

Regards,

Markus

[1] https://anonscm.debian.org/git/collab-maint/wordpress.git/commit/?h=jessie&id=825b4377310c6b64ffc9707def7393cbbebcb8eb
[2] https://bugs.debian.org/857026
Re: Wordpress security update
On 18.09.2016 00:15, Craig Small wrote:
> Hi Markus,
> I certainly did find them useful as 4029, 6634 and 6635 were on my next
> TODO list and you've done them for me!
> Good catch on the JsonSerialisable interface, I was wondering how you
> noticed it was missing? Just good eye or ran it through something?

Hi,

I'm glad you find them useful. I'm always suspicious when it comes to PHP and backporting of patches. :) In this case I simply noticed that the json function was missing in Wheezy. Otherwise I use

define( 'WP_DEBUG', true );

in /etc/wordpress/config-*.php which helps a lot.

Markus
Re: Wordpress security update
Hi Markus,
I certainly did find them useful as 4029, 6634 and 6635 were on my next TODO list and you've done them for me!
Good catch on the JsonSerialisable interface, I was wondering how you noticed it was missing? Just good eye or ran it through something?

- Craig

On Sat, Sep 17, 2016 at 8:37 PM Markus Koschany wrote:
> Hello Craig,
>
> I have just committed my preliminary work for the next Wordpress update
> in Wheezy. [1] I had to backport some additional changes and functions
> from newer versions but perhaps you will find the patches useful for
> Jessie too.
>
> Regards,
>
> Markus
>
>
> [1]
> https://anonscm.debian.org/git/collab-maint/wordpress.git/commit/?h=wheezy&id=7fe7ca3f0a81da4ada0feed82c3ce72d0105ef02
>
Wordpress security update
Hello Craig,

I have just committed my preliminary work for the next Wordpress update in Wheezy. [1] I had to backport some additional changes and functions from newer versions but perhaps you will find the patches useful for Jessie too.

Regards,

Markus

[1] https://anonscm.debian.org/git/collab-maint/wordpress.git/commit/?h=wheezy&id=7fe7ca3f0a81da4ada0feed82c3ce72d0105ef02