-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Sep 2020 15:46:13 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source
Version: 4.7.18+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentyfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Changes:
 wordpress (4.7.18+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * New upstream release for stable 4.7 branch.
   * CVE-2020-4047: authenticated users with upload permissions (like authors)
     are able to inject JavaScript into some media file attachment pages in a
     certain way. This can lead to script execution in the context of a
     higher privileged user when the file is viewed by them.
   * CVE-2020-4048: due to an issue in wp_validate_redirect() and URL
     sanitization, an arbitrary external link can be crafted leading to
     unintended/open redirect when clicked.
   * CVE-2020-4049: when uploading themes, the name of the theme folder can
     be crafted in a way that could lead to JavaScript execution in /wp-admin
     on the themes page.
   * CVE-2020-4050: misuse of the `set-screen-option` filter's return value
     allows arbitrary user meta fields to be saved. It does require an admin
     to install a plugin that would misuse the filter. Once installed, it can
     be leveraged by low privileged users.
   * Fix CVE-2020-4050 regression.
   * CVE-2019-17670: WordPress has a Server Side Request Forgery (SSRF)
     vulnerability because Windows paths are mishandled during certain
     validation of relative URLs.
   * Editor: Ensure latest comments can only be viewed from public posts
     (WordPress says this is not a security issue).
   * Fix user activation protected against CVE-2017-14990 (broken in
     4.7.5+dfsg-2+deb9u5).
Checksums-Sha1:
 692908a7e762cc6603e963cf2888ac540d014b29 2229 wordpress_4.7.18+dfsg-1+deb9u1.dsc
 d6880802f5d13ccb16238dd773a80f9f5117299e 6250864 wordpress_4.7.18+dfsg.orig.tar.xz
 a79961fbca8855a9b5c78a78c605da6525cbd520 6783080 wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
 0951c6d0341ed3fe0063aa9ba11792c09e08e269 7475 wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 8558f2bfb4fe03f183dbab7e03289ac935d94c99d6909b477ad9aaddfdaf5a9c 2229 wordpress_4.7.18+dfsg-1+deb9u1.dsc
 f316f7154d946c34cd94b7330724ab89b93aa7bb9c49075d55352666f64260dd 6250864 wordpress_4.7.18+dfsg.orig.tar.xz
 ac0b0954c90157af0eae5b3712754e547feedec70f94a515ea2295c1fc7ed678 6783080 wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
 2048453a74c705a6f80aa1f3fc27846d69a35a79663425d427b54eff52c3a67c 7475 wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo
Files:
 fb3bed4297d5bfe4f461056e6012807d 2229 web optional wordpress_4.7.18+dfsg-1+deb9u1.dsc
 3d2d2d28bf524c8244007025a09f434f 6250864 web optional wordpress_4.7.18+dfsg.orig.tar.xz
 3722bfe9ec17e976771639df1d8aa6d6 6783080 web optional wordpress_4.7.18+dfsg-1+deb9u1.debian.tar.xz
 c4fcab7176d2ed4ac7f6819daefaa113 7475 web optional wordpress_4.7.18+dfsg-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl9bgeMACgkQj/HLbo2J
BZ8JkAf/RvFanEFq21ZI6+flP/KKivHnjKrLLC1SIY7m8MzBqLsCTy3OBRMIJEXt
4mWCENGdIGDci0Zq1uU8KOILBAoJzKdSBOF/YKP/swC7R+VxhXBjUBeTijgLfFs3
C+BUdKhLM1T/dxALPFmTDxBepOOix+EiNBhzvxXCtlmODP8sryWgudpy2Zu7R/F8
5pa0l6DUQeZzFFUxGXw50BME7lZAvdF9YpxJvJc/pGHYIGQITeoy7QUGMWD0RoXl
S/AauycPdKYZLqkJIup71/JxzcgSJgYaA/4I13ytFOPhaRdVwfMXytb4MboC5+bd
cSKruBGHAZ9zzlSJ0TN3VqkzHmBKog==
=8z9p
-----END PGP SIGNATURE-----