wordpress - Debian Package Tracker

general

source: wordpress (main)
version: 6.3.1+dfsg1-1
maintainer: Craig Small (DMD)
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.0.15+dfsg1-0+deb10u1
o-o-sec: 5.0.19+dfsg1-0+deb10u1
oldstable: 5.7.8+dfsg1-0+deb11u2
old-sec: 5.7.8+dfsg1-0+deb11u2
stable: 6.1.1+dfsg1-1
testing: 6.3.1+dfsg1-1
unstable: 6.3.1+dfsg1-1

versioned links

5.0.15+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.19+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.8+dfsg1-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.1+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.3.1+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

wordpress (8 bugs: 0, 3, 5, 0)
wordpress-l10n
wordpress-theme-twentytwentyone
wordpress-theme-twentytwentythree
wordpress-theme-twentytwentytwo

action needed

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Created: 2023-06-11 Last update: 2023-09-17 06:57

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Created: 2022-07-04 Last update: 2023-09-17 06:57

5 security issues in buster high

There are 5 open security issues in buster.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

4 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Created: 2022-07-04 Last update: 2023-09-17 06:57

6 security issues in bullseye high

There are 6 open security issues in bullseye.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

5 issues left for the package maintainer to handle:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (needs triaging) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2023-2745: (postponed; to be fixed through a stable update) WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-09-17 06:57

6 security issues in bookworm high

There are 6 open security issues in bookworm.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

5 issues left for the package maintainer to handle:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (needs triaging) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2023-2745: (postponed; to be fixed through a stable update) WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
TEMP-1036689-1CA7FB: (postponed; to be fixed through a stable update)

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-09-17 06:57

Depends on packages which need a new maintainer normal

The packages that wordpress depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2023-09-26 12:08

debian/patches: 9 patches to forward upstream low

Among the 9 debian patches available in version 6.3.1+dfsg1-1 of the package, we noticed the following issues:

9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-09-12 18:59

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2023-09-12 18:26

news

[rss feed]

[2023-09-17] wordpress 6.3.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-09-12] Accepted wordpress 6.3.1+dfsg1-1 (source) into unstable (Craig Small)
[2023-08-15] wordpress 6.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-08-10] Accepted wordpress 6.3+dfsg1-1 (source) into unstable (Craig Small)
[2023-06-20] Accepted wordpress 5.0.19+dfsg1-0+deb10u1 (source) into oldoldstable (Markus Koschany)
[2023-06-13] wordpress 6.2.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-05-25] Accepted wordpress 6.2.2+dfsg1-1 (source) into unstable (Craig Small)
[2023-05-18] Accepted wordpress 6.2.1+dfsg1-1 (source) into unstable (Craig Small)
[2023-04-11] Accepted wordpress 6.2+dfsg1-1 (source) into unstable (Craig Small)
[2022-12-14] wordpress 6.1.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-12-09] Accepted wordpress 6.1.1+dfsg1-1 (source) into unstable (Craig Small)
[2022-11-19] Accepted wordpress 5.7.8+dfsg1-0+deb11u2 (source all) into proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-11-19] Accepted wordpress 5.7.8+dfsg1-0+deb11u1 (source all) into proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-11-17] Accepted wordpress 5.7.8+dfsg1-0+deb11u2 (source all) into stable-security (Debian FTP Masters) (signed by: Craig Small)
[2022-11-15] Accepted wordpress 5.7.8+dfsg1-0+deb11u1 (source all) into stable-security (Debian FTP Masters) (signed by: Craig Small)
[2022-11-14] Accepted wordpress 6.1+dfsg1-1 (source all) into unstable (Debian FTP Masters) (signed by: Craig Small)
[2022-10-28] wordpress 6.0.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-10-26] Accepted wordpress 5.0.18+dfsg1-0+deb10u1 (source) into oldstable (Markus Koschany)
[2022-10-24] Accepted wordpress 6.0.3+dfsg1-1 (source) into unstable (Craig Small)
[2022-10-10] Accepted wordpress 5.0.17+dfsg1-0+deb10u1 (source) into oldstable (Markus Koschany)
[2022-09-05] wordpress 6.0.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-09-04] Accepted wordpress 6.0.2+dfsg1-1 (source) into unstable (Craig Small)
[2022-06-07] wordpress 6.0+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-06-02] Accepted wordpress 6.0+dfsg1-1 (source) into unstable (Craig Small)
[2022-04-08] wordpress 5.9.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2022-04-06] Accepted wordpress 5.9.2+dfsg1-2 (source) into unstable (Craig Small)
[2022-03-20] Accepted wordpress 4.7.23+dfsg-0+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2022-03-12] Accepted wordpress 5.9.2+dfsg1-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Craig Small)
[2022-02-05] Accepted wordpress 5.0.15+dfsg1-0+deb10u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Craig Small)
[2022-01-22] Accepted wordpress 5.7.5+dfsg1-0+deb11u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Craig Small)

bugs [bug history graph]

all: 13
RC: 0
I&N: 8
M&W: 5
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 96)
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.2+dfsg1-1ubuntu1
8 bugs
patches for 6.2+dfsg1-1ubuntu1