Debian Bug report logs - #670124
wordpress: Security fixes in version 3.3.2


Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 23 Apr 2012 07:57:02 UTC

Severity: important

Tags: security

Found in version wordpress/3.3.1+dfsg-1

Fixed in version wordpress/3.3.2+dfsg-1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#670124; Package wordpress. (Mon, 23 Apr 2012 07:57:04 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Mon, 23 Apr 2012 07:57:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: wordpress: Security fixes in version 3.3.2
Date: Mon, 23 Apr 2012 10:55:43 +0300

Package: wordpress
Version: 3.3.1+dfsg-1
Severity: important
Tags: security

Page http://codex.wordpress.org/Version_3.3.2 says:

Three external libraries included in WordPress received security updates:

Plupload (version 1.5.4), which WordPress uses for uploading media.
SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
Cross-site scripting vulnerability when making URLs clickable.
Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.

A full log of the changes made for 3.3.2 can be found at http://core.trac.wordpress.org/changeset?new=20554%40branches%2F3.3&old=20087%40branches%2F3.3

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wordpress depends on:
ii  apache2                2.2.16-6+squeeze7 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze7 Apache HTTP Server - traditional n
ii  libapache2-mod-php5    5.3.3-7+squeeze8  server-side, HTML-embedded scripti
pn  libjs-cropper          <none>            (no description available)
ii  libjs-jquery           1.4.2-2           JavaScript library for dynamic web
pn  libjs-prototype        <none>            (no description available)
pn  libjs-scriptaculous    <none>            (no description available)
pn  libphp-phpmailer       <none>            (no description available)
pn  libphp-snoopy          <none>            (no description available)
pn  mysql-client           <none>            (no description available)
pn  php-gettext            <none>            (no description available)
ii  php5                   5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  php5-gd                5.3.3-7+squeeze8  GD module for php5
ii  php5-mysql             5.3.3-7+squeeze8  MySQL module for php5
pn  tinymce                <none>            (no description available)

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>     (no description available)

Versions of packages wordpress suggests:
pn  mysql-server                  <none>     (no description available)




Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Mon, 23 Apr 2012 23:21:07 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 23 Apr 2012 23:21:07 GMT)

Message #10 received at 670124-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 670124-close@bugs.debian.org
Subject: Bug#670124: fixed in wordpress 3.3.2+dfsg-1
Date: Mon, 23 Apr 2012 23:18:36 +0000

Source: wordpress
Source-Version: 3.3.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress-l10n_3.3.2+dfsg-1_all.deb
  to main/w/wordpress/wordpress-l10n_3.3.2+dfsg-1_all.deb
wordpress_3.3.2+dfsg-1.debian.tar.xz
  to main/w/wordpress/wordpress_3.3.2+dfsg-1.debian.tar.xz
wordpress_3.3.2+dfsg-1.dsc
  to main/w/wordpress/wordpress_3.3.2+dfsg-1.dsc
wordpress_3.3.2+dfsg-1_all.deb
  to main/w/wordpress/wordpress_3.3.2+dfsg-1_all.deb
wordpress_3.3.2+dfsg.orig.tar.gz
  to main/w/wordpress/wordpress_3.3.2+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 24 Apr 2012 00:31:42 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.3.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 670124
Changes: 
 wordpress (3.3.2+dfsg-1) unstable; urgency=high
 .
   * New upstream security release. Closes: #670124
   * Use the embedded copy of SimplePie until #669054 is resolved.
Checksums-Sha1: 
 dfe2bd11ae070419fa2a3076fb246ec80d5033a1 2271 wordpress_3.3.2+dfsg-1.dsc
 d325c755b07bce3392a25d765f3b871388abaa49 3895574 wordpress_3.3.2+dfsg.orig.tar.gz
 20ba91d353b2bd06ab1d62615c999a10312ac7a5 14083412 wordpress_3.3.2+dfsg-1.debian.tar.xz
 de6fc0804ddf54f73484e7b2ae3c07ca1ac95e9b 3691810 wordpress_3.3.2+dfsg-1_all.deb
 4bcc876687075cc4313cbb5e1e740c57da67b9bc 6536884 wordpress-l10n_3.3.2+dfsg-1_all.deb
Checksums-Sha256: 
 954d50d97afa5e175c6d4fd9c94c0c934f83080254db004c015bb6439377ba48 2271 wordpress_3.3.2+dfsg-1.dsc
 c857c2a0f18bd91812449c118ac34a72d533eb26259e8fed400582b3c6dee50c 3895574 wordpress_3.3.2+dfsg.orig.tar.gz
 f4bb585f9f2db8418c18464ea1362447923c33e1eeab016b4f5ab2f2c95222a0 14083412 wordpress_3.3.2+dfsg-1.debian.tar.xz
 390e1c779e085a0f9e69fda336eeeddaddce3f490b2df6e6404e5ff48fd8dd97 3691810 wordpress_3.3.2+dfsg-1_all.deb
 be84fa06e54f31ffed583ee70b2f1a3aacd9cacfb63466d899e4867b3495ede8 6536884 wordpress-l10n_3.3.2+dfsg-1_all.deb
Files: 
 de3b2e6ad2d6f0bf621d41b5c0129bf0 2271 web optional wordpress_3.3.2+dfsg-1.dsc
 864d30098b681a1d0d9c56b5b36ac2f0 3895574 web optional wordpress_3.3.2+dfsg.orig.tar.gz
 ffb564bf8f92e3d93a869ac80459a8ed 14083412 web optional wordpress_3.3.2+dfsg-1.debian.tar.xz
 f4c363ba1ba18bfa5a5ee5079ef2cb64 3691810 web optional wordpress_3.3.2+dfsg-1_all.deb
 bb058493001a6a25010fd220d3cb193b 6536884 localization optional wordpress-l10n_3.3.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJPldnrAAoJEOYZBF3yrHKa9GgQALsDpA/1Wyw19tPw2TRHOe6z
ZKZArJIEo9HuIZuKcA1+QHlBWLzJAUqawVkp+Ta2NNOLMmWd45DbkTz0MMCos6KZ
51xSFLBMjwfV/GEHOD9CXPEV5jJt6wOkE9FSAfOjfmXKf5hMcawMMKi1fG+ETrTl
DrP70RswKym/v/EmiNJzDEwnpMi5bbMCLPHsYAQjheqqzvy9SbgBBkPyEixOirtJ
42DAcRfyPhncuxXXnYNRuDdVNlTUYegSl1WUaHRtWxPsyZ7QQF46yc6D7lyoQdhT
lMuoZIn4O6CVXRHLMS2P8uoKsa6B9wdp2fOsYn75Tfarc0X/pRdaPQLc1Bpcapff
cxi0WAsArv8fHFwT0hSTyGCCjFiRdxtXMklHro0g0BOG3qkOpa4/SCB7Wtd2VGZi
aiTXnSW5knxSjTayCU32PYkqQd19TWof06tflhwrx2fWVPYs7c85WIYa7QiJ6h4f
h5lhIBgeEdSW1bf1LlqOJpZNe4KvbX3eNMz3++a+FTK6hwiNsJi6y7aZNhaErQH/
Mjuiq9TAczztUwrUCHfvgnabcEdFC7uRSE0rnt3qhqDA2gHiALmFQhXlX/5pck5B
2bzNBT8L03ufYH1O/lVVVsgp4hS1acbLmXYtP6Pj2S8QN8AW4r3MYpUpZBjR60QD
JypO4oikpJtnLdNVDqFz
=PSt3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 May 2012 07:35:32 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:46:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.