Format: 1.8
Date: Sat, 02 May 2020 14:29:22 +1000
Source: wordpress
Architecture: source
Version: 5.0.4+dfsg1-1+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 959391
Changes:
 wordpress (5.0.4+dfsg1-1+deb10u2) buster-security; urgency=medium
 .
   * Import of 5.4.1/5.0.9 security release Closes: #959391
     - CVE-2020-11025 XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed.
     - CVE-2020-11026 uploaded files to Media section to lead to script execution
     - CVE-2020-11027 Password reset link does not expire
     - CVE-2020-11028 Private posts can be found through searching by date
     - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
     - CVE-2020-11030 Special payload can execute scripts in block editor
Checksums-Sha1:
 e4ef6d74ac410d3027b17572d4c19531ed05c6fc 2474 wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 bd25181ce9c431e2c766889647333819d3fb404a 6857584 wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 ac6d357ad439dace5ba0e9e17c6ac16f220f91da 7315 wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo
Checksums-Sha256:
 b5fc29bf23b095efb9f9928c657009600871b5052d6ff2fa345bc551c82b9a96 2474 wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 d64b5539595519f9b8b7e17de16424db4c0cc40f56b79fb3e4904189645064c6 6857584 wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 c155adff0b95bc48a681dff1fa8e7bba659f09992f65b69d23ae8715b4856f6f 7315 wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo
Files:
 2a42745663ec1537592ec22c6a065f2a 2474 web optional wordpress_5.0.4+dfsg1-1+deb10u2.dsc
 92e5f79bfdf214ac44165419cb9ddbc5 6857584 web optional wordpress_5.0.4+dfsg1-1+deb10u2.debian.tar.xz
 d6cdd9946482be14dd47131f15e8d7a1 7315 web optional wordpress_5.0.4+dfsg1-1+deb10u2_amd64.buildinfo