-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Dec 2017 20:18:20 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u20
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 wordpress - weblog manager
 wordpress-l10n - weblog manager - language files
Changes:
 wordpress (3.6.1+dfsg-1~deb7u20) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.9.1.
   * CVE-2017-17091: wp-admin/user-new.php in WordPress before 4.9.1 sets
     the newbloguser key to a string that can be directly derived from the
     user ID, which allows remote attackers to bypass intended access
     restrictions by entering this string.
   * CVE-2017-17092: wp-includes/functions.php in WordPress before 4.9.1
     does not require the unfiltered_html capability for upload of .js
     files, which might allow remote attackers to conduct XSS attacks via a
     crafted file.
   * CVE-2017-17093: wp-includes/general-template.php in WordPress before
     4.9.1 does not properly restrict the lang attribute of an HTML element,
     which might allow attackers to conduct XSS attacks via the language
     setting of a site.
   * CVE-2017-17094: wp-includes/feed.php in WordPress before 4.9.1 does not
     properly restrict enclosures in RSS and Atom fields, which might allow
     attackers to conduct XSS attacks via a crafted URL.