wordpress - Debian Package Tracker

general

source: wordpress (main)
version: 6.1.1+dfsg1-1
maintainer: Craig Small (DMD)
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.7.5+dfsg-2+deb9u6
o-o-sec: 4.7.23+dfsg-0+deb9u1
oldstable: 5.0.15+dfsg1-0+deb10u1
old-sec: 5.0.18+dfsg1-0+deb10u1
stable: 5.7.5+dfsg1-0+deb11u1
stable-sec: 5.7.8+dfsg1-0+deb11u2
testing: 6.1.1+dfsg1-1
unstable: 6.1.1+dfsg1-1

versioned links

4.7.5+dfsg-2+deb9u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.7.23+dfsg-0+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.15+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.18+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.5+dfsg1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.8+dfsg1-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.1+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

wordpress (8 bugs: 0, 3, 5, 0)
wordpress-l10n
wordpress-theme-twentytwentyone
wordpress-theme-twentytwentythree
wordpress-theme-twentytwentytwo

action needed

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2018-1000773: WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

Created: 2022-07-04 Last update: 2023-03-27 11:07

12 security issues in buster high

There are 12 open security issues in buster.

3 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-1000773: WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

9 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
CVE-2022-43497: (postponed; to be fixed through a stable update) Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43500: (postponed; to be fixed through a stable update) Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43504: (postponed; to be fixed through a stable update) Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
TEMP-1007145-ABA7D9: (postponed; to be fixed through a stable update)
TEMP-1018863-297FEB: (postponed; to be fixed through a stable update)
TEMP-1022575-434581: (postponed; to be fixed through a stable update)

Created: 2022-07-04 Last update: 2023-03-27 11:07

6 security issues in bullseye high

There are 6 open security issues in bullseye.

2 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2018-1000773: WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

4 issues left for the package maintainer to handle:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (needs triaging) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-03-27 11:07

5 security issues in bookworm high

There are 5 open security issues in bookworm.

3 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-1000773: WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

2 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Created: 2022-07-04 Last update: 2023-03-27 11:07

Depends on packages which need a new maintainer normal

The packages that wordpress depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2023-03-28 08:07

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-15 Last update: 2022-11-15 06:40

debian/patches: 9 patches to forward upstream low

Among the 9 debian patches available in version 6.1.1+dfsg1-1 of the package, we noticed the following issues:

9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-27 20:59

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2022-12-17 19:17

news

[rss feed]

[2022-12-14] wordpress 6.1.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-12-09] Accepted wordpress 6.1.1+dfsg1-1 (source) into unstable (Craig Small)
[2022-11-19] Accepted wordpress 5.7.8+dfsg1-0+deb11u2 (source all) into proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-11-19] Accepted wordpress 5.7.8+dfsg1-0+deb11u1 (source all) into proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-11-17] Accepted wordpress 5.7.8+dfsg1-0+deb11u2 (source all) into stable-security (Debian FTP Masters) (signed by: Craig Small)
[2022-11-15] Accepted wordpress 5.7.8+dfsg1-0+deb11u1 (source all) into stable-security (Debian FTP Masters) (signed by: Craig Small)
[2022-11-14] Accepted wordpress 6.1+dfsg1-1 (source all) into unstable (Debian FTP Masters) (signed by: Craig Small)
[2022-10-28] wordpress 6.0.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-10-26] Accepted wordpress 5.0.18+dfsg1-0+deb10u1 (source) into oldstable (Markus Koschany)
[2022-10-24] Accepted wordpress 6.0.3+dfsg1-1 (source) into unstable (Craig Small)
[2022-10-10] Accepted wordpress 5.0.17+dfsg1-0+deb10u1 (source) into oldstable (Markus Koschany)
[2022-09-05] wordpress 6.0.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-09-04] Accepted wordpress 6.0.2+dfsg1-1 (source) into unstable (Craig Small)
[2022-06-07] wordpress 6.0+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-06-02] Accepted wordpress 6.0+dfsg1-1 (source) into unstable (Craig Small)
[2022-04-08] wordpress 5.9.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2022-04-06] Accepted wordpress 5.9.2+dfsg1-2 (source) into unstable (Craig Small)
[2022-03-20] Accepted wordpress 4.7.23+dfsg-0+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2022-03-12] Accepted wordpress 5.9.2+dfsg1-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Craig Small)
[2022-02-05] Accepted wordpress 5.0.15+dfsg1-0+deb10u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-01-22] Accepted wordpress 5.7.5+dfsg1-0+deb11u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-01-16] Accepted wordpress 4.7.22+dfsg-0+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2022-01-11] Accepted wordpress 5.0.15+dfsg1-0+deb10u1 (source all) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Craig Small)
[2022-01-11] Accepted wordpress 5.7.5+dfsg1-0+deb11u1 (source all) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Craig Small)
[2022-01-09] wordpress 5.8.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-01-07] Accepted wordpress 5.8.3+dfsg1-1 (source) into unstable (Craig Small)
[2021-12-25] wordpress 5.8.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2021-12-20] Accepted wordpress 5.8.2+dfsg1-1 (source) into unstable (Craig Small)
[2021-10-16] Accepted wordpress 5.7.3+dfsg1-0+deb11u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2021-10-16] Accepted wordpress 5.0.14+dfsg1-0+deb10u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Craig Small)

bugs [bug history graph]

all: 13
RC: 0
I&N: 8
M&W: 5
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 96)
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.1.1+dfsg1-1ubuntu1
9 bugs
patches for 6.1.1+dfsg1-1ubuntu1