-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 15:23:57 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source
Version: 4.7.5+dfsg-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 924546 939543 942459 946905 959391
Changes:
 wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high
 .
   * Importing Wordpress 4.7.17/5.4.1 updates Closes: #959391
     - CVE-2020-11025 XSS vulnerability in the navigation section of Customizer
       allows JavaScript code to be executed.
     - CVE-2020-11026 uploaded files to Media section to lead to script execution
     - CVE-2020-11027 Password reset link does not expire
     - CVE-2020-11028 Private posts can be found through searching by date
     - CVE-2020-11029 XSS in stats() method in class-wp-object-cache
     Not vulnerable:
     - CVE-2020-11030 (feature introduced 5.0) Special payload can execute
       scripts in block editor
   * Importing Wordpress 4.7.16/5.3.1 updates Closes: #946905
     - CVE-2019-20043 an unprivileged user could make a post sticky via the
       REST API.
     - CVE-2019-20041 hardening wp_kses_bad_protocol() to ensure that it is
       aware of the named colon attribute.
     Not vulnerable:
     - CVE-2019-20042 (function introduced 5.1.0) cross-site scripting (XSS)
       could be stored in well-crafted links
     - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0) stored XSS
       vulnerability using block editor content.
   * Importing Wordpress 4.7.15/5.2.4 updates Closes: #942459
     - CVE-2019-17674 Stored XSS in the Customizer
     - CVE-2019-17671 Viewing unauthenticated posts
     - CVE-2019-17672 Stored XSS to inject javascript into style tags
     - CVE-2019-17673 Poisoning JSON GET requests
     - CVE-2019-17669 SSRF in URL vaidation
     - CVE-2019-17675 Referer validation in admin screens
   * Importing Wordpress 4.7.14/5.2.3 updates Closes: #939543
     - CVE-2019-16223 XSS in post previews
     - CVE-2019-16218 XSS in stored comments
     - CVE-2019-16220 Open redirect due to validation and sanitization
     - CVE-2019-16217 XSS in media uploads
     - CVE-2019-16219 XSS in shortcode previews
     - CVE-2019-16221 XSS in dashboard
     - CVE-2019-16222 XSS in URL sanitization
   * Security patches from 5.1.1/4.7.13
   * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546
Checksums-Sha1:
 e578da770e89b37231e62beaf21167cd1a3bbcbb 2567 wordpress_4.7.5+dfsg-2+deb9u6.dsc
 dc36d0ebb054c9f215d8e5430d4ecb94c87ec34a 6834780 wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 c1bd39b032c5edb941434e9a2e07150fe3f8fa59 7841 wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
Checksums-Sha256:
 ebf02bb97a238345edfa259e3a6197941efe70ba9ce53b21965317745277b414 2567 wordpress_4.7.5+dfsg-2+deb9u6.dsc
 b21523640b8854944f8239634d5695c7c9398421dd7a00b448c3ed43c42e78a1 6834780 wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 afd3d9c96318763227ace066cba187fefd84e77b089a57cd1370efe3a9d20123 7841 wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
Files:
 9d886fa75fef2d75da4aa64866487a65 2567 web optional wordpress_4.7.5+dfsg-2+deb9u6.dsc
 b01623c5fb1b5d2af3c1e46f434a57e1 6834780 web optional wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 3cef192f52b7480ba154fc29fd25710e 7841 web optional wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAl6v7PwACgkQAiFmwP88
hONH9w/6A6Sj7vsemRIIE8Sj7bORELmy9ppoydgQ7TsGu29jHPJ/3c0i6RSU8Srb
qXZNpj9yiQa7eF0AXfaFtr2mc1BL1KlmO5oXDjZq0/4+c/IQRC7ayijdFSLrqtbA
skAuV3MCB79UWm6HP/6tmIOyhfAD+DRxEAPdBBYXoqqu+ePD3mlhS48bXCHQstR0
lAP204zmLr72/8lJaD5uM4Q8NGe7YsDY8TvZyakAfP0s4tOO4UegueKS1WSbQJ3s
N7ou+uhP/9SrCmRCoevpW2nN2EIkW156VgnFHm2YF475ixmoszm53jEPxSU5Czs/
iTvflMN12IaZvN4JlFlsBeTSIIfVb/bFi7/8U0O74CF2nAvz9C7hfKhMCdWcmRf/
qJAMbuyxr/W9sCqUNjQ2/NTzWtwYIk/VYaAdO3PaVCrF/fGGISoMcB/GKO+wR3Yw
7+BnNDbB0vZbiKy7S+mCcVA8C0+kP2HUht4d0GykEyjz84BIxn1hLFv4n4UCr26w
++KWtV1MbPGW6JnAFt42KcNnXXUVpXULuZ9F1cWy7sEM3of7WoLZHpGRl1WE7hfP
V/rcTGhDQtVqmK9RMSMRqIpGMx+UUzcfX04M5QlIFiOE+cw9eb6ES+eEx8oAvc+A
18WexQFUZckZKs0COpcEfejxLY4VCZ3/4eeaOD81yfdNMmK22uY=
=wL1N
-----END PGP SIGNATURE-----
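Added example, not code from Debian, dpkg or the wordpress package: a checker that parses the Checksums-Sha256 stanza of a .changes file such as the one above (deb-changes(5) layout, one " <digest> <size> <filename>" line per file) and verifies a directory of downloaded files against it, reporting missing, truncated and modified files separately. The file names and contents the demo writes are constructed. Two caveats belong with it: the digests bind to anything only after the clearsign signature has been verified against the Debian keyring (gpg --verify, or dscverify from devscripts), which this script does not do; and a .changes file lists only the files in that upload, here the .dsc, the debian.tar.xz and the .buildinfo, so the upstream tarball is covered by the checksums inside the signed .dsc, not here.

```python
"""Verify downloaded upload files against the Checksums-Sha256 stanza of a
Debian .changes file (deb-changes(5): one " <digest> <size> <name>" line per
file). Added example, not dpkg's or the wordpress package's own code."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The real stanza from the wordpress 4.7.5+dfsg-2+deb9u6 .changes file above.
PAGE_STANZA = """Checksums-Sha256:
 ebf02bb97a238345edfa259e3a6197941efe70ba9ce53b21965317745277b414 2567 wordpress_4.7.5+dfsg-2+deb9u6.dsc
 b21523640b8854944f8239634d5695c7c9398421dd7a00b448c3ed43c42e78a1 6834780 wordpress_4.7.5+dfsg-2+deb9u6.debian.tar.xz
 afd3d9c96318763227ace066cba187fefd84e77b089a57cd1370efe3a9d20123 7841 wordpress_4.7.5+dfsg-2+deb9u6_amd64.buildinfo
"""
Entry = Tuple[str, int, str]  # (hex digest, size in bytes, bare file name)
CHECKSUM_LINE = re.compile(r"^ ([0-9a-fA-F]+) (\d+) (\S+)$")
FIELD_ALGORITHM = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}


def signed_body(text: str) -> str:
    """Strip clearsign armor and undo "- " dash-escaping; no signature check."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text  # not clearsigned: use as-is
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_checksums(body: str, field: str = "Checksums-Sha256") -> List[Entry]:
    """Collect the entries of one Checksums-* field. Fields start in column 0 and
    continuation lines start with a space, so the stanza ends at the next
    unindented line (such as "Files:")."""
    entries: List[Entry] = []
    in_field = False
    for line in body.splitlines():
        if not line.startswith(" "):
            in_field = line.rstrip() == field + ":"
            continue
        if not in_field:
            continue
        m = CHECKSUM_LINE.match(line)
        if m is None:
            raise ValueError("malformed %s line: %r" % (field, line))
        entries.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
    return entries


def verify_files(entries: List[Entry], directory: Path,
                 field: str = "Checksums-Sha256") -> Dict[str, str]:
    """Map each listed name to ok / missing / size-mismatch / digest-mismatch.
    Size is checked before hashing so a truncated download is named as such;
    names with a path separator are refused because .changes lists bare names."""
    algorithm = FIELD_ALGORITHM[field]
    results: Dict[str, str] = {}
    for digest, size, name in entries:
        if "/" in name or name in ("", ".", ".."):
            results[name] = "unsafe-name"
            continue
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        data = path.read_bytes()
        if len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.new(algorithm, data).hexdigest() != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def build_changes_text(entries: List[Entry]) -> str:
    """Constructed .changes-shaped text for the demo: not a real upload, and the
    signature block is a placeholder that gpg --verify would reject."""
    stanza = "\n".join(" %s %d %s" % e for e in entries)
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
            "Format: 1.8\nSource: wordpress\nChecksums-Sha256:\n" + stanza +
            "\nFiles:\n 00000000000000000000000000000000 1 web optional other.dsc\n"
            "-----BEGIN PGP SIGNATURE-----\n\nplaceholder\n-----END PGP SIGNATURE-----\n")


def demo(workdir: Optional[Path] = None) -> Dict[str, str]:
    """Write an intact and a tampered file (constructed contents), list both
    plus an absent file in a stanza, and verify the directory against it."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="changes-demo-"))
    good = workdir / "wordpress_good.dsc"
    good.write_bytes(b"Format: 3.0 (quilt)\nSource: wordpress\n")
    original = b"sample bytes standing in for a debian.tar.xz\n"
    tampered = workdir / "wordpress_tampered.tar.xz"
    tampered.write_bytes(original[:-1] + b"!")  # same size, one byte changed
    entries = [
        (hashlib.sha256(good.read_bytes()).hexdigest(), good.stat().st_size, good.name),
        (hashlib.sha256(original).hexdigest(), len(original), tampered.name),
        ("0" * 64, 7841, "wordpress_missing.buildinfo"),
    ]
    return verify_files(parse_checksums(signed_body(build_changes_text(entries))), workdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-32s %s" % (name, status))
```

Run against a real download, call signed_body() on the .changes text, parse_checksums() on the result, and verify_files() with the directory that holds the .dsc, the .debian.tar.xz and the .buildinfo; the Checksums-Sha1 field can be checked the same way by passing field="Checksums-Sha1". The Files field is deliberately not parsed: it carries MD5 in a five-column layout and adds no assurance beyond the SHA-256 stanza.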