Debian Bug report logs - #713947
wordpress: Multiple security issues

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 24 Jun 2013 06:39:02 UTC

Severity: grave

Tags: security

Fixed in versions wordpress/3.5.2+dfsg-1, wordpress/3.5.2+dfsg-1~deb7u1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Mon, 24 Jun 2013 06:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Mon, 24 Jun 2013 06:39:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Multiple security issues
Date: Mon, 24 Jun 2013 08:32:44 +0200
Package: wordpress
Severity: grave
Tags: security
Justification: user security hole

Wordpress 3.5.2 fixes multiple security issues. Quoting from http://codex.wordpress.org/Version_3.5.2:

Additionally: Version 3.5.2 fixes seven security issues:

* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

Additional security hardening includes:

* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 14:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 14:09:04 GMT) Full text and rfc822 format available.

Message #10 received at 713947@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 713947@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 16:06:58 +0200
[Message part 1 (text/plain, inline)]
On Mon, 24 Jun 2013, Moritz Muehlenhoff wrote:
> Wordpress 3.5.2 fixes multiple security issues. Quoting from http://codex.wordpress.org/Version_3.5.2:

An upload to unstable will quickly follow. Can I upload 3.5.2+dfsg-1 as
3.5.2+dfsg-1~wheezy1 to wheezy-security ?

As usual, it's easier to push a new upstream release (in particular since
it's a minor update in this case) than to backport all the security fixes
(there's no way I can do that).

Attached is the debdiff of 3.5.2+dfsg-1 compared to what's in stable:
$ diffstat </tmp/debdiff 
 debian/changelog                                          |   23 
 debian/control                                            |    6 
 readme.html                                               |    2 
 wp-admin/about.php                                        |    6 
 wp-admin/edit-form-advanced.php                           |   18 
 wp-admin/includes/class-wp-importer.php                   |    1 
 wp-admin/includes/class-wp-upgrader.php                   |   27 
 wp-admin/includes/file.php                                |   18 
 wp-admin/includes/media.php                               |    4 
 wp-admin/includes/post.php                                |   27 
 wp-admin/includes/schema.php                              |    2 
 wp-admin/includes/update-core.php                         |    2 
 wp-admin/includes/upgrade.php                             |   10 
 wp-admin/update.php                                       |   16 
 wp-content/plugins/akismet/.htaccess                      |    5 
 wp-content/plugins/akismet/admin.php                      |  456 ++++++++------
 wp-content/plugins/akismet/akismet.css                    |   12 
 wp-content/plugins/akismet/akismet.js                     |   12 
 wp-content/plugins/akismet/akismet.php                    |    4 
 wp-content/plugins/akismet/readme.txt                     |   11 
 wp-content/themes/twentyeleven/languages/twentyeleven.pot |    6 
 wp-content/themes/twentytwelve/languages/twentytwelve.pot |   10 
 wp-includes/class-feed.php                                |   12 
 wp-includes/class-http.php                                |   35 -
 wp-includes/class-oembed.php                              |   37 -
 wp-includes/class-phpass.php                              |    2 
 wp-includes/class-wp-admin-bar.php                        |    2 
 wp-includes/class-wp-xmlrpc-server.php                    |    3 
 wp-includes/comment.php                                   |   58 -
 wp-includes/deprecated.php                                |    2 
 wp-includes/formatting.php                                |    7 
 wp-includes/functions.php                                 |   20 
 wp-includes/http.php                                      |   61 +
 wp-includes/js/media-editor.js                            |    1 
 wp-includes/js/media-editor.min.js                        |    1 
 wp-includes/js/plupload/handlers.js                       |    7 
 wp-includes/js/plupload/handlers.min.js                   |    1 
 wp-includes/js/swfupload/handlers.js                      |    7 
 wp-includes/js/swfupload/handlers.min.js                  |    1 
 wp-includes/js/swfupload/swfupload-all.js                 |    8 
 wp-includes/js/tinymce/tiny_mce.js                        |    1 
 wp-includes/media-template.php                            |    8 
 wp-includes/pluggable.php                                 |    4 
 wp-includes/post-template.php                             |   13 
 wp-includes/post.php                                      |    5 
 wp-includes/rss.php                                       |    2 
 wp-includes/script-loader.php                             |    9 
 wp-includes/user.php                                      |    2 
 wp-includes/version.php                                   |    6 
 wp-includes/wp-db.php                                     |    3 
 wp-login.php                                              |    9 
 51 files changed, 588 insertions(+), 417 deletions(-)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Liberate the French translation of the Debian Administrator's Handbook:
→ http://www.ulule.com/liberation-cahier-admin-debian/
[debdiff (text/plain, attachment)]

Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Tue, 25 Jun 2013 15:51:19 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 25 Jun 2013 15:51:19 GMT) Full text and rfc822 format available.

Message #15 received at 713947-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 713947-close@bugs.debian.org
Subject: Bug#713947: fixed in wordpress 3.5.2+dfsg-1
Date: Tue, 25 Jun 2013 15:50:33 +0000
Source: wordpress
Source-Version: 3.5.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 713947@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Jun 2013 15:52:07 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.5.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 713947
Changes: 
 wordpress (3.5.2+dfsg-1) unstable; urgency=low
 .
   * New upstream release with many security fixes. Closes: #713947
     * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
     * Privilege Escalation: Contributors can publish posts, and users can
       reassign authorship. CVE-2013-2200.
     * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
     * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
     * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
       CVE-2013-2204.
     * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
     * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
   * Additional security hardening includes:
     * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
       CVE-2013-2201.
     * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
       Plugins/Themes. CVE-2013-2201.
     * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
   * Update the Vcs-Git and Vcs-Browser URLs.
   * Update Standards-Version to 3.9.4.
Checksums-Sha1: 
 abe1dd7ea2c1d0a5961b2648eacd9ada77770b8f 2343 wordpress_3.5.2+dfsg-1.dsc
 0b0ed001dfaf4d9ea10d1cd6bf32c8755b1b098e 4261024 wordpress_3.5.2+dfsg.orig.tar.xz
 8f80c1fc8c0524ac0a6d15e7cd54cd1b6849c3cc 5258120 wordpress_3.5.2+dfsg-1.debian.tar.xz
 661e4b724139dcc44b2b31ef25ab7f62659d5331 4932866 wordpress_3.5.2+dfsg-1_all.deb
 9bf6af1c2b9e47ee80a0f35250c708cc110b7ea9 8818988 wordpress-l10n_3.5.2+dfsg-1_all.deb
Checksums-Sha256: 
 04bc9447d57be1dd7ddd5585120dd254ab631663b5f18a570a35cc8262282106 2343 wordpress_3.5.2+dfsg-1.dsc
 c4403b912ec5154aa2ff67e2b7afa5a4b67dca055e3421cc000212b73e6f1eb4 4261024 wordpress_3.5.2+dfsg.orig.tar.xz
 9e21d3dc6c5dee8bd8e7fe08cba440e34d80d06e1b66c6586ab68d8d680bd4af 5258120 wordpress_3.5.2+dfsg-1.debian.tar.xz
 48807ba99cc996dc3fe550ab99e594231d5b99e64cc140627e9186ea633b4f8d 4932866 wordpress_3.5.2+dfsg-1_all.deb
 8140a6f72b1f99e504db0c42c76141c6b0f89109a41c113836fa06fec36922b9 8818988 wordpress-l10n_3.5.2+dfsg-1_all.deb
Files: 
 404c215f8b82e5e528ec458d957afd28 2343 web optional wordpress_3.5.2+dfsg-1.dsc
 9dcb3e16668d19373ffdf9b0fe2657dd 4261024 web optional wordpress_3.5.2+dfsg.orig.tar.xz
 9639064ce0054cda67e0bec232bd6648 5258120 web optional wordpress_3.5.2+dfsg-1.debian.tar.xz
 44db80b3a87460fbcc8989799376a3e1 4932866 web optional wordpress_3.5.2+dfsg-1_all.deb
 ddd9746396ba0a65fac7a08cba3aa97f 8818988 localization optional wordpress-l10n_3.5.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJRybRCAAoJEOYZBF3yrHKaUNUP/jSmImj06ock7ljScmfUN2su
EmSHEwdRVr1kRgdlKwXKShRoJV5LnerIcwe3jCK1X+UoOXZy+dinwQC8u8hog8RP
8pJAXdlaIZHG3pUu5dDj3NdwAEv4y3IoTo8v9sbQ9DhrmJ9FDloZX80U/iiatTdY
qEKEc6L8T0vuz0cdGKQLch+RoYB0jVQLXCqy3ZABsHX6IxQNVjuqZds5NixyZqrx
ONmmctAEpOeUJCW2SSVU8tqn7GmPgHXtMTi0YLwE2i9m0dCMWhJRQAv/FKyiApVK
EnuA6ASVOqAoQh9Ikm2h0Bc4pKpfggciWp8VgrmifDsTqAD/ZSPtWskH2pddOuq4
NZJTNImcBAJXOo6q7ha5cIhk10O89mUcFCkontSUD+MbRcidlXTvsJy7Re4ECvHL
nm7NFoLvUraa1cbbiBfIRFdqAt247bnvV3L4RDQWUx8/tgfFKQSKlroxWiRcXXzZ
Zknoz5UXL9bOAaz2xQu61CR9z4XU3lY9XYIdNeYGSac0RscJKxt+93l06gBTKOG2
xRKQQIAHRXgazUAO/gtxPqVy3fkOJxsxJN26r1Ihn1wk/68pYc6aD+rZATuz+Jmr
HifFPbZzgItw36NcXs49QsqYUAnifdH5g3LDFTx8vZH9KDd6aJ7kseXpLZWqegq2
rhkGrjYxeocyE61Zh7Pq
=dhFx
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 16:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 16:39:07 GMT) Full text and rfc822 format available.

Message #20 received at 713947@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 18:34:53 +0200
On Tue, Jun 25, 2013 at 04:06:58PM +0200, Raphael Hertzog wrote:
> On Mon, 24 Jun 2013, Moritz Muehlenhoff wrote:
> > Wordpress 3.5.2 fixes multiple security issues. Quoting from http://codex.wordpress.org/Version_3.5.2:
> 
> An upload to unstable will quickly follow. Can I upload 3.5.2+dfsg-1 as
> 3.5.2+dfsg-1~wheezy1 to wheezy-security ?

I won't be able to handle the DSA; but yes, please go ahead with the upload.
 
> As usual, it's easier to push a new upstream release (in particular since
> it's a minor update in this case) than to backport all the security fixes
> (there's no way I can do that).

For lenny we should announce it's end of life as we recently did in the
chromium and icewerasel DSAs. Agreed?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 17:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 17:57:04 GMT) Full text and rfc822 format available.

Message #25 received at 713947@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 713947@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 19:55:51 +0200
[Message part 1 (text/plain, inline)]
On Tue, Jun 25, 2013 at 18:34:53 +0200, Moritz Muehlenhoff wrote:

> On Tue, Jun 25, 2013 at 04:06:58PM +0200, Raphael Hertzog wrote:
> > On Mon, 24 Jun 2013, Moritz Muehlenhoff wrote:
> > > Wordpress 3.5.2 fixes multiple security issues. Quoting from http://codex.wordpress.org/Version_3.5.2:
> > 
> > An upload to unstable will quickly follow. Can I upload 3.5.2+dfsg-1 as
> > 3.5.2+dfsg-1~wheezy1 to wheezy-security ?
> 
> I won't be able to handle the DSA; but yes, please go ahead with the upload.
>  
Please use 3.5.2+dfsg-1~deb7u1 as version number, though.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 20:57:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 20:57:13 GMT) Full text and rfc822 format available.

Message #30 received at 713947@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Raphael Hertzog <hertzog@debian.org>, 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 22:52:24 +0200
[Message part 1 (text/plain, inline)]
On mar., 2013-06-25 at 18:34 +0200, Moritz Muehlenhoff wrote:
> For lenny we should announce it's end of life as we recently did in the
> chromium and icewerasel DSAs. Agreed?

I think you mean Squeeze? As we already pushed new upstream releases to
Squeeze, it might make sense to keep going that way (I have a bit of
fear that every webapp ends up like that but eh).

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 21:24:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 21:24:17 GMT) Full text and rfc822 format available.

Message #35 received at 713947@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Raphael Hertzog <hertzog@debian.org>, 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 23:22:44 +0200
On Tue, Jun 25, 2013 at 10:52:24PM +0200, Yves-Alexis Perez wrote:
> On mar., 2013-06-25 at 18:34 +0200, Moritz Muehlenhoff wrote:
> > For lenny we should announce it's end of life as we recently did in the
> > chromium and icewerasel DSAs. Agreed?
> 
> I think you mean Squeeze? 

Yes.

> As we already pushed new upstream releases to
> Squeeze, it might make sense to keep going that way (I have a bit of
> fear that every webapp ends up like that but eh).

I suppose the leap between 3.3 and 3.5 would be too high, but I don't
really care about Wordpress.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 21:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 21:36:06 GMT) Full text and rfc822 format available.

Message #40 received at 713947@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Raphael Hertzog <hertzog@debian.org>, 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Tue, 25 Jun 2013 23:32:08 +0200
[Message part 1 (text/plain, inline)]
On mar., 2013-06-25 at 23:22 +0200, Moritz Mühlenhoff wrote:
> > As we already pushed new upstream releases to
> > Squeeze, it might make sense to keep going that way (I have a bit of
> > fear that every webapp ends up like that but eh).
> 
> I suppose the leap between 3.3 and 3.5 would be too high, but I don't
> really care about Wordpress.

Actually we went from 3.0 to 3.3 in Squeeze for the same reasons.
Raphael, what is your opinion on this?

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Tue, 25 Jun 2013 22:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 25 Jun 2013 22:45:04 GMT) Full text and rfc822 format available.

Message #45 received at 713947@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Wed, 26 Jun 2013 00:41:06 +0200
On Tue, 25 Jun 2013, Yves-Alexis Perez wrote:
> On mar., 2013-06-25 at 23:22 +0200, Moritz Mühlenhoff wrote:
> > > As we already pushed new upstream releases to
> > > Squeeze, it might make sense to keep going that way (I have a bit of
> > > fear that every webapp ends up like that but eh).
> > 
> > I suppose the leap between 3.3 and 3.5 would be too high, but I don't
> > really care about Wordpress.
> 
> Actually we went from 3.0 to 3.3 in Squeeze for the same reasons.
> Raphael, what is your opinion on this?

I'm not opposed to uploading 3.5 to Squeeze, but you took care of that in
the past, do you feel like doing it again?

Because I can't really test wordpress in oldstable. My own server is
running wheezy (and is running the unstable package already).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Liberate the French translation of the Debian Administrator's Handbook:
→ http://www.ulule.com/liberation-cahier-admin-debian/



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Wed, 26 Jun 2013 05:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Wed, 26 Jun 2013 05:39:04 GMT) Full text and rfc822 format available.

Message #50 received at 713947@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 713947@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Wed, 26 Jun 2013 07:36:38 +0200
[Message part 1 (text/plain, inline)]
On mer., 2013-06-26 at 00:41 +0200, Raphael Hertzog wrote:
> On Tue, 25 Jun 2013, Yves-Alexis Perez wrote:
> > On mar., 2013-06-25 at 23:22 +0200, Moritz Mühlenhoff wrote:
> > > > As we already pushed new upstream releases to
> > > > Squeeze, it might make sense to keep going that way (I have a bit of
> > > > fear that every webapp ends up like that but eh).
> > > 
> > > I suppose the leap between 3.3 and 3.5 would be too high, but I don't
> > > really care about Wordpress.
> > 
> > Actually we went from 3.0 to 3.3 in Squeeze for the same reasons.
> > Raphael, what is your opinion on this?
> 
> I'm not opposed to uploading 3.5 to Squeeze, but you took care of that in
> the past, do you feel like doing it again?
> 
> Because I can't really test wordpress in oldstable. My own server is
> running wheezy (and is running the unstable package already).

I'm currently running the unstable package on a mixed squeeze/wheezy
install and it seems to work just fine. I think it should be ok here.
I'll prepare an upload and a DSA text indicating that it's not possible
to backport individual security patches so we do the full new version.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Thu, 27 Jun 2013 20:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 27 Jun 2013 20:51:04 GMT) Full text and rfc822 format available.

Message #55 received at 713947@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 713947@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#713947: wordpress: Multiple security issues
Date: Thu, 27 Jun 2013 22:49:57 +0200
Hi,

On Tue, 25 Jun 2013, Moritz Muehlenhoff wrote:
> On Tue, Jun 25, 2013 at 04:06:58PM +0200, Raphael Hertzog wrote:
> > An upload to unstable will quickly follow. Can I upload 3.5.2+dfsg-1 as
> > 3.5.2+dfsg-1~wheezy1 to wheezy-security ?
> 
> I won't be able to handle the DSA; but yes, please go ahead with the upload.

Uploaded as 3.5.2+dfsg-1~deb7u1, thanks.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Liberate the French translation of the Debian Administrator's Handbook:
→ http://www.ulule.com/liberation-cahier-admin-debian/



Added tag(s) pending. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Sat, 29 Jun 2013 11:51:08 GMT) Full text and rfc822 format available.

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#713947. (Sat, 29 Jun 2013 11:51:12 GMT) Full text and rfc822 format available.

Message #60 received at 713947-submitter@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 713947-submitter@bugs.debian.org
Subject: Bug#713947 marked as pending
Date: Sat, 29 Jun 2013 11:49:04 +0000
tag 713947 pending
thanks

Hello,

Bug #713947 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=f41b795

---
commit f41b79577b0ac1e8af11660426d01e8a8c734597
Merge: cebb6cc ff40fa7
Author: Yves-Alexis Perez <corsac@debian.org>
Date:   Fri Jun 28 21:47:28 2013 +0200

    Merge tag 'debian/3.5.2+dfsg-1' into squeeze
    
    wordpress Debian release 3.5.2+dfsg-1
    
    Conflicts:
    	debian/changelog
    	debian/control
    	debian/wordpress.linktrees

diff --cc debian/changelog
index 36156cb,0880d7b..5fd03c4
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,33 -1,237 +1,268 @@@
+ wordpress (3.5.2+dfsg-1) unstable; urgency=low
+ 
+   * New upstream release with many security fixes. Closes: #713947
+     * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
+     * Privilege Escalation: Contributors can publish posts, and users can
+       reassign authorship. CVE-2013-2200.
+     * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
+     * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
+     * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
+       CVE-2013-2204.
+     * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
+     * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
+   * Additional security hardening includes:
+     * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
+       CVE-2013-2201.
+     * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
+       Plugins/Themes. CVE-2013-2201.
+     * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
+   * Update the Vcs-Git and Vcs-Browser URLs.
+   * Update Standards-Version to 3.9.4.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 25 Jun 2013 15:52:07 +0200
+ 
+ wordpress (3.5.1+dfsg-2) unstable; urgency=low
+ 
+   * Only replace tinymce files by symlinks if the content is exactly the same.
+     Closes: #700289
+   * Update debian/get-upstream-i18n to include supplementary PO files
+     and use a more efficient method to update them. Closes: #697208
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Mon, 11 Feb 2013 13:56:18 +0100
+ 
+ wordpress (3.5.1+dfsg-1) unstable; urgency=low
+ 
+   * New upstream maintenance and security release. Closes: #698916
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Mon, 28 Jan 2013 17:15:27 +0100
+ 
+ wordpress (3.5+dfsg-1) unstable; urgency=low
+ 
+   * New upstream release.
+   * Fix sample apache.conf so that Alias directives are in the proper order
+     (from the most specific to the less specific). Closes: #693122
+     Thanks to Jérôme Marant for the report.
+   * Update debian/missing-sources/ with latest upstream changes.
+   * Update all translations.
+   * Try to deduplicate (i.e. replace with symlinks) backbone.js and
+     underscore.js too.
+   * Drop debian/patches/006rss_language.patch, the rss_language option
+     is no longer used.
+   * Update/refresh all other patches on top of the new release.
+   * Update lintian overrides and debian/wordpress.linktrees to match the
+     latest changes concerning javascript libraries shipped by WordPress.
+   * Document the loss of the twentyten theme.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Fri, 21 Dec 2012 14:17:50 +0100
+ 
+ wordpress (3.4.2+dfsg-1) unstable; urgency=low
+ 
+   * New upstream security & bugfix release. 
+   * Also setup languages symlink in setup-mysql. Closes: #684628
+     Thanks to Jun NOGATA <nogajun@gmail.com> for the analysis.
+   * Add new patch 011support-symlinks-for-plugins.patch grabbed
+     in the upstream ticket to allow plugin directories to be
+     symlinks (which is required for the Debian package since
+     we put symlinks in /var/lib/wordpress/wp-content/plugins/).
+     Closes: #686228
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Wed, 12 Sep 2012 14:52:14 +0200
+ 
+ wordpress (3.4.1+dfsg-1) unstable; urgency=high
+ 
+   * New upstream security & bugfix release. Closes: #680721
+     Fixes CVE-2012-3383, CVE-2012-3384, CVE-2012-3385.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 03 Jul 2012 08:36:08 +0200
+ 
+ wordpress (3.4+dfsg-3) unstable; urgency=low
+ 
+   * [f7a1c09] Drop useless postrm.
+   * [d92219b] Add a prerm script calling wp-setup --purge-wp-content on
+     remove. Closes: #678842
+   * [2fbf903] Allow wp-setup to symlink files as well as directories.
+   * [cef928f] Let wp-setup also manage
+     /var/lib/wordpress/wp-content/languages/.
+   * [ac86408] Densify output of wp-setup.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 26 Jun 2012 10:47:25 +0200
+ 
+ wordpress (3.4+dfsg-2) unstable; urgency=low
+ 
+   * [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that
+     users are correctly informed of the latest changes.
+   * [e3b7b1c] Improve preinst to also move the
+     /usr/share/wordpress/wp-content/uploads directory to its new location in
+     /var/lib/wordpress/wp-content/. The package never created this directory
+     but many users probably created it and we need to do this to let dpkg
+     install the symlink that we put into place.
+   * [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content.
+     When activated, it will execute wp-setup --sync-wp-content
+     which updates /var/lib/wordpress/wp-content/ with symlinks
+     to plugins/themes that have been added and it drops symlinks
+     to plugins/themes which have disappeared. (Closes: #677889)
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Thu, 21 Jun 2012 20:44:53 +0200
+ 
+ wordpress (3.4+dfsg-1) unstable; urgency=low
+ 
+   * New upstream release. Closes: #677534
+ 
+   [ Raphaël Hertzog ]
+   * [a1c0409] Refresh and update all patches to correctly apply on version
+     3.4.
+   * [3804496] Update debian/missing-sources/ to match the current versions of
+     embedded javascript and flash files.
+   * [185b051] Drop the old "default" theme (and its French translation)
+   * [966ce6c] Grab latest translations
+   * [1983326] Update Standards-Version to 3.9.3 (no change).
+   * [29c48b6] Increase debhelper compat level to 9.
+   * [73e16d0] Replace debian/dh_linktree by the packaged version.
+   * [359b660] Update debian/wordpress.linktrees to match latest developments.
+   * [645b650] Let setup-mysql lowercase the FQDN since the configuration
+     scheme expects this. Thanks to Chris Butler <chrisb@debian.org> for the
+     report (Closes: #658395)
+   * [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted
+     permissions (Closes: #616400)
+   * [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only
+     a dispatcher to the real configuration file (Closes: #592502)
+   * [b602372] Improve wp-config.php so that WordPress works behind an https
+     reverse-proxy.
+   * [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985,
+     #639980)
+   * [683a908] Update wp-config.php to not redefine constants which have
+     already been set.  Thanks to Richard van den Berg <richard@vdberg.org> for
+     the report. (Closes: #613283)
+   * [315eb68] Let wordpress-l10n depend on the same version than wordpress.
+     (Closes: #623557)
+   * [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to
+     /var/lib/wordpress/wp-content. And the package provides this new directory
+     appropriately setup with write rights to www-data on blogs.dir and
+     uploads. themes and plugins are root-owned directories with symlinks
+     pointing back to the default themes and plugins. (Closes: #675469)
+   * [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use
+     $upload_dir). (Closes: #658508)
+   * [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js.
+   * [8d46dab] Use dpkg-maintscript-helper to drop obsolete
+     /etc/wordpress/wp-config.php
+ 
+   [ Martin Bagge / brother ]
+   * [56d0a34] Improve the setup script to be able to use a remote MySQL
+     server.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Sat, 16 Jun 2012 01:19:20 +0200
+ 
 +wordpress (3.3.2+dfsg-1~squeeze1) stable-security; urgency=low
 +
 +  * Import wordpress from Wheezy to fix all the security issues present in
 +    Squeeze. This fixes:
 +    - CVE-2011-3122, CVE-2011-3125, CVE-2011-3126, CVE-2011-3127,
 +      CVE-2011-3128, CVE-2011-3129, CVE-2011-3130 (multiple unspecified
 +      vulnerabilities) which were allocated from
 +      the Wordpress 3.1.3 / 3.2 beta2 release announcement
 +    - CVE-2011-4956 (missing input sanitization) and CVE-2011-4957 (missing
 +      URL length check in make_clickable() function) allocated from Wordpress
 +      3.1.1 release announcement.
 +    - CVE-2012-2399 (unspecified vulnerability in
 +      wp-includes/js/swfupload/swfupload.swf), CVE-2012-2400 (unspecified
 +      vulnerability in wp-includes/js/swfobject.js), CVE-2012-2401 (Same-Origin
 +      Policy bypass in Plupload plugin), CVE-2012-2402 (access restriction
 +      bypass by authenticated site administrators), CVE-2012-2403 (Wordpress
 +      supports clickable links inside attributes, making it easier to conduct
 +      XSS attacks) CVE-2012-2404 (Wordpress supports offsite redirects,
 +      making it easier to conduct XSS attacks), which were allocated from the
 +      3.3.2 release announcement.                               closes: #670124
 +  * debian/wordpress.linktrees:
 +    - don't symlink TinyMCE, it's too old in Squeeze.
 +    - don't deduplicate jquery, same thing.
 +    - don't deduplicate jquery-form, doesn't exist in Squeeze.
 +  * debian/control:
 +    - drop build-dep on tinymce, libjs-jquery and libjs-jquery-form, we'll use 
 +      the embedded versions.
 +
 + -- Yves-Alexis Perez <corsac@debian.org>  Thu, 10 May 2012 23:00:46 +0200
 +
+ wordpress (3.3.2+dfsg-1) unstable; urgency=high
+ 
+   * New upstream security release. Closes: #670124
+   * Use the embedded copy of SimplePie until #669054 is resolved.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 24 Apr 2012 00:31:42 +0200
+ 
+ wordpress (3.3.1+dfsg-1) unstable; urgency=low
+ 
+   * New upstream security release. Fixes CVE-2012-0287.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Wed, 04 Jan 2012 10:15:05 +0100
+ 
+ wordpress (3.3+dfsg-1) unstable; urgency=low
+ 
+   * New upstream release. Closes: #652041
+   * [4deb832] Add all the missing sources in debian/missing-sources/.
+     (Closes: #646729)
+   * [913eba5] Refresh all patches.
+   * [ae61778] Use xz compression for the debian tarball to save some space.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 20 Dec 2011 01:01:50 +0100
+ 
+ wordpress (3.2.1+dfsg-3) unstable; urgency=medium
+ 
+   * Upload with urgency medium to speed up a bit the transition to testing
+     since the testing version is broken.
+   * [72d01a3] Improve dh_linktree.
+     It is now able to generate dependencies and to have different behaviour
+     for each file to replace. Modify wordpress.linktrees to ensure we have
+     the very same JQuery files but blindly replaces all the other files.
+     Drop the explicit dependencies in favor of the autogenerated dependencies.
+     As a side-effect this fixes installation of widgets which was broken
+     by the mismatch of some JQuery ui files.
+   * [bbce711] Add lintian overrides for warnings about the embedded copy of JQuery.
+     We do a reasonable effort to replace it if it matches.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Thu, 27 Oct 2011 16:01:49 +0200
+ 
+ wordpress (3.2.1+dfsg-2) unstable; urgency=low
+ 
+   * [af74ce2] Add a preinst to drop symlinks to directories for tinymce
+     and cropper. The new dh_linktree only symlinks files and hierarchies are
+     duplicated. So we have to drop symlinks to directories in the preinst,
+     otherwise dpkg installs the new symlinks in the tinymce/cropper
+     directories instead of in the wordpress ones.
+     Also drop the upgrade code in the postinst converting the same directories
+     into symlinks... (Closes: #639733)
+   * [0b51c4f] Invite users affected by #639733 to reinstall
+     tinymce/libjs-cropper.
+   * [55af033] Fix invalid test in postinst (upgrade → configure)
+     "upgrade" is not a valid parameter in the postinst. Instead
+     we get "configure".
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Sat, 22 Oct 2011 17:01:25 +0200
+ 
+ wordpress (3.2.1+dfsg-1) unstable; urgency=low
+ 
+   [ Paul Tagliamonte ]
+   * [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean
+     tarball. It drops all the sourceless flash files. Closes: #625773
+ 
+   [ Raphaël Hertzog ]
+   * [d1035bd] Imported Upstream version 3.2.1+dfsg
+   * [b968405] Update and refresh all patches.
+   * [10ab97c] Drop manifest.patch because the description in its header
+     doesn't make any sense.
+   * [87537db] Update dependencies as per new upstream requirements.
+   * [0c534ec] Update packaging to avoid using even more embedded PHP/JS
+     libraries.
+   * [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries.
+   * [8690719] Add lintian override for embedded-php-library streams.php since
+     it's a false positive.
+   * [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed).
+   * [938fb15] Update internationalization files.
+   * [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can
+     be replaced by dh_linktree.
+ 
+  -- Raphaël Hertzog <hertzog@debian.org>  Mon, 08 Aug 2011 23:06:20 +0200
++>>>>>>> d5bfbc7f92e09879d1a1b7cd899fdbf69167272a
+ 
  wordpress (3.0.5+dfsg-1) unstable; urgency=medium
  
    * [077b77b] Imported Upstream version 3.0.5+dfsg



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Wed, 03 Jul 2013 08:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Dreik <slask@pauldreik.se>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Wed, 03 Jul 2013 08:27:04 GMT) Full text and rfc822 format available.

Message #65 received at 713947@bugs.debian.org (full text, mbox):

From: Paul Dreik <slask@pauldreik.se>
To: 713947@bugs.debian.org
Subject: updated broke squeeze installation
Date: Wed, 03 Jul 2013 10:25:20 +0200
Hi,
I run wordpress on squeeze and it unfortunately stopped working with
this update. Reading the changelog I expected having to fix possible
theme problems, but did not expect that it stopped working without any
ouput at all.

I now get blank output when I read the site in a web browser. The
(apache) server logs are also blank, even at (apache) log level debug.

I then tried to enable debug in wordpress with define('WP_DEBUG', true);
at the top of /etc/wordpress/config-(sitename).php. That gives me the
following output both in the apache log and web page output:

Notice: add_option was called with an argument that
is <strong>deprecated</strong>
 since version 2.3 with no alternative available. in
/usr/share/wordpress/wp-includes/functions.php on line 2927
(repeated three times)

Notice: Undefined index: HTTP_X_FORWARDED_PROTO in
/usr/share/wordpress/wp-config.php on line 56

I tried to search for these errors but gave up quickly, as they do not
seem to be very important to explain what is wrong.

Can you please give me some advice on how to trouble shoot? I suspect
there are more squeeze wordpress users out there and it would be nice to
identify what is wrong and fix it.


paul



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Wed, 03 Jul 2013 21:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Wed, 03 Jul 2013 21:03:08 GMT) Full text and rfc822 format available.

Message #70 received at 713947@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Paul Dreik <slask@pauldreik.se>
Cc: 713947@bugs.debian.org
Subject: Re: updated broke squeeze installation
Date: Wed, 03 Jul 2013 22:58:42 +0200
[Message part 1 (text/plain, inline)]
On mer., 2013-07-03 at 10:25 +0200, Paul Dreik wrote:
> Notice: add_option was called with an argument that
> is <strong>deprecated</strong>
>  since version 2.3 with no alternative available. in
> /usr/share/wordpress/wp-includes/functions.php on line 2927
> (repeated three times)

My guess would be a plugin/theme not compatible with recent (post 2.3)
wordpress. Do you have something like that installed?
> 
> Notice: Undefined index: HTTP_X_FORWARDED_PROTO in
> /usr/share/wordpress/wp-config.php on line 56

For this one I'm not so sure, but double checking the previous item
should at least help.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Thu, 04 Jul 2013 10:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Dreik <slask@pauldreik.se>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 04 Jul 2013 10:57:04 GMT) Full text and rfc822 format available.

Message #75 received at 713947@bugs.debian.org (full text, mbox):

From: Paul Dreik <slask@pauldreik.se>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 713947@bugs.debian.org
Subject: Re: updated broke squeeze installation
Date: Thu, 04 Jul 2013 12:51:43 +0200
[Message part 1 (text/plain, inline)]
2013-07-03 22:58, Yves-Alexis Perez skrev:
> On mer., 2013-07-03 at 10:25 +0200, Paul Dreik wrote:
>> Notice: add_option was called with an argument that
>> is <strong>deprecated</strong>
>>  since version 2.3 with no alternative available. in
>> /usr/share/wordpress/wp-includes/functions.php on line 2927
>> (repeated three times)
> 
> My guess would be a plugin/theme not compatible with recent (post 2.3)
> wordpress. Do you have something like that installed?
No plugins but a theme that was modified from the earlier Debian
version. I am not sure that was the problem. I now have the site up
again. This is how I did it:
I switched to an unmodified upstream release (3.5.2, same as the current
Debian squeeze version). The same problem as earlier persisted. I turned
on mysql debugging and it looked like wordpress tried to prepare or try
to update the databases. I then tried logging in through $URL/wp-admin/
and I finally got some output. It told me it needed to upgrade the
database, which I was able to do without problems. Then things started
working as expected, and the story could have been over.
However, I prefer to run the debian package rather than upstream sources
(to get security updates etc. although I may have second thoughts about
that right now....). Therefore I switched back to the debian packages
version using a separate configuration in apache. As part of the earlier
trouble shooting, I had removed the themes folder. So now when I used
the Debian version, on the database that had been updated by the
upstream package, the page showed up, although without a theme. (This
was not the case earlier, so the removed themes folder was NOT the
solution.)
So, it seems like upgrading to a new version requires logging in to the
admin section to get it working properly. I assume this is also thye
case for the debian packaged version. I think it is really unfriendly of
wordpress to not give any output at all in this situation, not even when
enabling debugging. Maybe most people update through the web interface
rather than the distributions package updates and never get such problems.

According to the documentation at
http://codex.wordpress.org/Updating_WordPress#Step_2:_Update_your_installation
updating the database through the web interface is the right thing to
do. I do not think it would hurt to mention it among the other news
displayed when updating the package. People run debian stable for a
reason, and security updates that bump the version should in my opinion
be careful about breaking existing installations. I hope I contributed
instead of only complaining by troubleshooting and reporting my findings.

>>
>> Notice: Undefined index: HTTP_X_FORWARDED_PROTO in
>> /usr/share/wordpress/wp-config.php on line 56
> 
> For this one I'm not so sure, but double checking the previous item
> should at least help.

This problem is unrelated to the problems I had and persists also in the
new version (upstream or not). It is solved by the attached patch.

thanks for your work with packaging wordpress!
paul


[undefined-index.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Thu, 04 Jul 2013 14:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 04 Jul 2013 14:06:04 GMT) Full text and rfc822 format available.

Message #80 received at 713947@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Paul Dreik <slask@pauldreik.se>
Cc: 713947@bugs.debian.org
Subject: Re: updated broke squeeze installation
Date: Thu, 04 Jul 2013 16:03:30 +0200
On jeu., 2013-07-04 at 12:51 +0200, Paul Dreik wrote:
> 2013-07-03 22:58, Yves-Alexis Perez skrev:
> > On mer., 2013-07-03 at 10:25 +0200, Paul Dreik wrote:
> >> Notice: add_option was called with an argument that
> >> is <strong>deprecated</strong>
> >>  since version 2.3 with no alternative available. in
> >> /usr/share/wordpress/wp-includes/functions.php on line 2927
> >> (repeated three times)
> > 
> > My guess would be a plugin/theme not compatible with recent (post 2.3)
> > wordpress. Do you have something like that installed?

> So, it seems like upgrading to a new version requires logging in to the
> admin section to get it working properly.

Yes. The DSA text might not be clear enough about that, but it's the
exact same procedure you would have to follow if you updated to a new
Debian version, or if you updated using Wordpress tarballs.

>  I assume this is also thye
> case for the debian packaged version. I think it is really unfriendly of
> wordpress to not give any output at all in this situation, not even when
> enabling debugging.

I kind of agree here.

>  Maybe most people update through the web interface
> rather than the distributions package updates and never get such problems.


> 
> According to the documentation at
> http://codex.wordpress.org/Updating_WordPress#Step_2:_Update_your_installation
> updating the database through the web interface is the right thing to
> do. I do not think it would hurt to mention it among the other news
> displayed when updating the package.

Yes, I think we'll try to add something like that in the next DSA text
and in the NEWS.Debian file. It's might be kind of obvious for people
updating wordpress at every upstream release, but that's the kind of
thing people forget, especially if we skip updates in Debian.

>  People run debian stable for a
> reason, and security updates that bump the version should in my opinion
> be careful about breaking existing installations. I hope I contributed
> instead of only complaining by troubleshooting and reporting my findings.

The procedure to update to a complete new upstream version in a stable
Debian release is anything but trouble free. We try to avoid that kind
of thing, but here we don't have much choice, identifying each and every
vulnerability fixed in a new release is too time consuming (when even
possible) and backporting the fixes is just not possible considering the
resources we have. That means end-users have to take care when
upgrading. We try to warn them in the DSA text but there's always room
for improvement.

Regards,
-- 
Yves-Alexis




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#713947; Package wordpress. (Fri, 05 Jul 2013 07:03:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 05 Jul 2013 07:03:18 GMT) Full text and rfc822 format available.

Message #85 received at 713947@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Paul Dreik <slask@pauldreik.se>, 713947@bugs.debian.org
Cc: Yves-Alexis Perez <corsac@debian.org>
Subject: Re: Bug#713947: updated broke squeeze installation
Date: Fri, 5 Jul 2013 09:00:30 +0200
On Thu, 04 Jul 2013, Paul Dreik wrote:
> do. I do not think it would hurt to mention it among the other news
> displayed when updating the package. People run debian stable for a
> reason, and security updates that bump the version should in my opinion
> be careful about breaking existing installations. I hope I contributed
> instead of only complaining by troubleshooting and reporting my findings.

I added a paragraph in README.Debian explaining this (commited in the git
repo).

> >> Notice: Undefined index: HTTP_X_FORWARDED_PROTO in
> >> /usr/share/wordpress/wp-config.php on line 56
> > 
> > For this one I'm not so sure, but double checking the previous item
> > should at least help.
> 
> This problem is unrelated to the problems I had and persists also in the
> new version (upstream or not). It is solved by the attached patch.

Thanks, applied in the git repository.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 01 Aug 2013 19:51:11 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 01 Aug 2013 19:51:11 GMT) Full text and rfc822 format available.

Message #90 received at 713947-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 713947-close@bugs.debian.org
Subject: Bug#713947: fixed in wordpress 3.5.2+dfsg-1~deb7u1
Date: Thu, 01 Aug 2013 19:47:05 +0000
Source: wordpress
Source-Version: 3.5.2+dfsg-1~deb7u1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 713947@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Jun 2013 15:52:07 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.5.2+dfsg-1~deb7u1
Distribution: wheezy-security
Urgency: low
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 713947
Changes: 
 wordpress (3.5.2+dfsg-1~deb7u1) wheezy-security; urgency=low
 .
   * New upstream release with many security fixes. Closes: #713947
     * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
     * Privilege Escalation: Contributors can publish posts, and users can
       reassign authorship. CVE-2013-2200.
     * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
     * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
     * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
       CVE-2013-2204.
     * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
     * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
   * Additional security hardening includes:
     * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
       CVE-2013-2201.
     * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
       Plugins/Themes. CVE-2013-2201.
     * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
   * Update the Vcs-Git and Vcs-Browser URLs.
   * Update Standards-Version to 3.9.4.
Checksums-Sha1: 
 328c43661b04793cd8c1b74cc99b73277f1c81db 2371 wordpress_3.5.2+dfsg-1~deb7u1.dsc
 0b0ed001dfaf4d9ea10d1cd6bf32c8755b1b098e 4261024 wordpress_3.5.2+dfsg.orig.tar.xz
 6380169163222142f4bda8c7b340b4bfa4093399 5258236 wordpress_3.5.2+dfsg-1~deb7u1.debian.tar.xz
 26e327106c0f1f79baa19d0579f3e6d640fc3ffc 4932942 wordpress_3.5.2+dfsg-1~deb7u1_all.deb
 12a3db6aa0dbd8962b2b9e308f222a5d9d26e031 8818752 wordpress-l10n_3.5.2+dfsg-1~deb7u1_all.deb
Checksums-Sha256: 
 1063ceb235db70cd311ddcdabe441bf8ddaea2022af4c7c01014c6b6a67a97f3 2371 wordpress_3.5.2+dfsg-1~deb7u1.dsc
 c4403b912ec5154aa2ff67e2b7afa5a4b67dca055e3421cc000212b73e6f1eb4 4261024 wordpress_3.5.2+dfsg.orig.tar.xz
 ee56f142aad5df8b110101730fe7ecf87a45c1d7b76e4ae53a6ace2851ada5d2 5258236 wordpress_3.5.2+dfsg-1~deb7u1.debian.tar.xz
 7e88a1568ad12f4aaecc9946709cf1a123ad9fc8cb0aae5cb8a46682d5ddb18b 4932942 wordpress_3.5.2+dfsg-1~deb7u1_all.deb
 761c762994e70be95e2ec5c02276265efeda066b88764253971802e407790734 8818752 wordpress-l10n_3.5.2+dfsg-1~deb7u1_all.deb
Files: 
 3aefef9e0595b6f0d04b480b6b744648 2371 web optional wordpress_3.5.2+dfsg-1~deb7u1.dsc
 9dcb3e16668d19373ffdf9b0fe2657dd 4261024 web optional wordpress_3.5.2+dfsg.orig.tar.xz
 8af1e30f2698f80abc2c4a0401453ce9 5258236 web optional wordpress_3.5.2+dfsg-1~deb7u1.debian.tar.xz
 85f78662d8cb6e58a3077684fae35ccc 4932942 web optional wordpress_3.5.2+dfsg-1~deb7u1_all.deb
 c62c1573b0da00eb2ae3499015d73882 8818752 localization optional wordpress-l10n_3.5.2+dfsg-1~deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJRzKQ7AAoJEOYZBF3yrHKazGcQAJjM7B1IdLVMebDXA79ewQvF
SV0X+Htbh6gCOI06rlCOxdeXFmgGRMx5nRbxD4I6z7pSDx+/E/cBIVU15vPB5Bt5
sAxNEQMT580kfmSTzif9tcy2OqeZxlDQFgP/Pwtw7P230/b/lt/gijUetoBAQN1g
cWpslcxiO+f9aexKIDKB6yN5z5ouW5R0ATnSsrL6ObHuQ5FPLXWksSbD8Has56An
lPGDdlvCsUhTY3tvwYerdebS6u/2vuJTt+j84KxtVRHGB1EHo3Buy0sT0+Eh1LPc
zpwG8vEuKnHALGGfE8mpBKuK0qXm4D3LdLjTYak8omnymDBzoDTOrK1H4w1dj6J7
XUGcCb8q4p+rN2EYRsGvAGv6cU+NpIsOp11HN1tcpTVJlOXLKbbVOK3WnS+yRhDm
3fIeGKWh40vLerQau/mYAyZs2jRhSHuBYuBwCXC0AJSaDXlbdfVGKWZbjOwVbELZ
2Yl0hPolFgh/RoXodKQliWlF/B5zavTY/0WBiMi19RvzvEm6DJ/ixjFppOKpoh8E
4svx7u+kjDXwFkyBdad6w62w5R97kQ0YM536WDe7hH0f2ZoEIzgETSurSDULUEJ2
jv6IA+paejPTgdhnl+VxGrY0NaXgB461xFwHJfAmEtDC82VpSSjYu+zLbI6Ktw9U
W7PVVmTDdVUYBvDzbgNU
=R5oh
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:31:26 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:53:56 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.