Format: 1.8
Date: Tue, 31 Oct 2017 15:13:56 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u17
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Changes:
 wordpress (3.6.1+dfsg-1~deb7u17) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.8.2.
   * CVE-2016-9263:
     When domain-based flashmediaelement.swf sandboxing is not used, allows
     remote attackers to conduct cross-domain Flash injection (XSF) attacks by
     leveraging code contained within the
     wp-includes/js/mediaelement/flashmediaelement.swf file. This issue was
     resolved by completely removing flashmediaelement.swf.
   * CVE-2017-14718:
     WordPress was susceptible to a Cross-Site Scripting attack in the link
     modal via a javascript: or data: URL.
   * CVE-2017-14719:
     WordPress was vulnerable to a directory traversal attack during unzip
     operations in the ZipArchive and PclZip components.
   * CVE-2017-14720:
     WordPress allowed a Cross-Site Scripting attack in the template list view
     via a crafted template name.
   * CVE-2017-14721:
     WordPress allowed Cross-Site Scripting in the plugin editor via a crafted
     plugin name.
   * CVE-2017-14722:
     WordPress allowed a Directory Traversal attack in the Customizer component
     via a crafted theme filename.
   * CVE-2017-14723:
     WordPress mishandled % characters and additional placeholder values in
     $wpdb->prepare, and thus did not properly address the possibility of
     plugins and themes enabling SQL injection attacks.
   * CVE-2017-14725:
     WordPress was susceptible to an open redirect attack in
     wp-admin/user-edit.php.
   * CVE-2017-14990:
     WordPress stores cleartext wp_signups.activation_key values (but stores
     the analogous wp_users.user_activation_key values as hashes), which might
     make it easier for remote attackers to hijack unactivated user accounts by
     leveraging database read access (such as access gained through an
     unspecified SQL injection vulnerability).