wordpress 4.1+dfsg-1+deb8u12 changelog

Authored by alexk on Feb 2 2017, 3:23 PM.
wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high

  * Backport patches from 4.7.1 Closes: #851310
    - CVE-2016-10066
      Potential Remote Command Execution (RCE) in PHPMailer
    - CVE-2017-5488
      Authenticated Cross-Site Scripting (XSS) in update-core.php
    - CVE-2017-5490
      Stored Cross-Site Scripting (XSS) via Theme Name fallback
    - CVE-2017-5491
      Post via Email Checks mail.example.com by Default
    - CVE-2017-5492
      Accessibility Mode Cross-Site Request Forgery (CSRF)
    - CVE-2017-5493
      Cryptographically Weak Pseudo-Random Number Generator
    - CVE-2017-5489
      Cross-Site Request Forgery (CSRF) via Flash Upload
    Changesets 39838 and 39857, thanks Seb <seb@debian.org>
  * Backport patches from 4.7.2 Closes: #852767
    - CVE-2017-5610
      The user interface for assigning taxonomy terms in Press This is
      shown to users who do not have permissions to use it.
      Changeset 39976
    - CVE-2017-5611
      WP_Query is vulnerable to a SQL injection (SQLi)
      Changeset 39962
    - CVE-2017-5612
      XSS in the posts list table
      Changeset 39985
  * Not vulnerable
    - CVE-2017-5487
      User Information Disclosure via REST API - API doesn't exist

 -- Craig Small <csmall@debian.org>  Sun, 29 Jan 2017 08:53:11 +1100

wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches/CVE-2016-6635.patch:
    - don't duplicate wp_encode_json() which has already been backported
      upstream, just merge later changes, fix regression in the previous
      upload. closes: #839190
  * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.

 -- Yves-Alexis Perez <corsac@debian.org>  Sat, 01 Oct 2016 11:38:14 +0200

wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high

  * Backport patches from 4.6.1/4.1.13 Closes: #837090
  * CVE-2016-6896 and CVE-2016-6897 not vulnerable
  * Changeset 38538 sanitize filename in media CVE-2016-7168
  * Changeset 38524 sanitize filename upload upgrader CVE-2016-7169
  * CVE-2016-4029:
    WordPress before 4.5 does not consider octal and hexadecimal IP address
    formats when determining an intranet address, which allows remote attackers
    to bypass an intended SSRF protection mechanism via a crafted address.
  * CVE-2016-6634:
    Cross-site scripting (XSS) vulnerability in the network settings page in
    WordPress before 4.5 allows remote attackers to inject arbitrary web script
    or HTML via unspecified vectors.
  * CVE-2016-6635:
    Cross-site request forgery (CSRF) vulnerability in the
    wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php
    in WordPress before 4.5 allows remote attackers to hijack the
    authentication of administrators for requests that change the script
    compression option.

 -- Craig Small <csmall@debian.org>  Sat, 10 Sep 2016 08:07:11 +1000
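The CVE-2016-4029 entry above names a whole class of SSRF-filter bypass: a check that decides "is this an intranet address" from the dotted-decimal text of the host misses every other spelling that inet_aton(3)-style parsers accept (octal or hexadecimal octets, fewer than four parts, a single 32-bit number). The Python below is an added example written for this page, not WordPress's or Debian's code. It puts a regex-based check of the pre-4.5 kind beside one that canonicalises the literal first and then reasons about the resulting address. The sample hosts and the names `naive_is_internal`, `canonical_ipv4` and `hardened_is_internal` are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample hosts (not from the changelog). All but the last two
# are spellings of loopback / RFC 1918 addresses that an inet_aton()-style
# parser accepts but a dotted-decimal regex does not.
SAMPLE_HOSTS = [
    "127.0.0.1",       # plain dotted decimal
    "0177.0.0.1",      # octal first octet
    "0x7f.0.0.1",      # hexadecimal first octet
    "0x7f000001",      # one 32-bit hex value
    "2130706433",      # one 32-bit decimal value
    "127.1",           # two-part form: 127 | 0.0.1
    "0xc0.0xa8.1.1",   # 192.168.1.1 in hex
    "10.0.0.1",
    "0.0.0.0",
    "93.184.216.34",   # a public address
    "example.com",     # a hostname, not a literal
]

DOTTED_DECIMAL = re.compile(
    r"^(([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.){3}([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$"
)


def naive_is_internal(host: str) -> bool:
    """Pre-fix style: only a strict dotted-decimal host is treated as an IP
    literal and compared against internal ranges; any other spelling is
    assumed to be a hostname and passes the filter."""
    if not DOTTED_DECIMAL.match(host):
        return False
    parts = [int(p) for p in host.split(".")]
    return (
        parts[0] in (0, 10, 127)
        or (parts[0] == 172 and 16 <= parts[1] <= 31)
        or (parts[0] == 192 and parts[1] == 168)
    )


def _parse_part(p: str):
    """One inet_aton() component: 0x-prefixed hex, 0-prefixed octal, or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p[2:], 16)
    if re.fullmatch(r"0[0-7]*", p):
        return int(p, 8)          # int("0", 8) == 0
    if re.fullmatch(r"[1-9][0-9]*", p):
        return int(p)
    return None


def canonical_ipv4(host: str):
    """Parse host the way inet_aton(3) does: 1 to 4 numeric parts, the
    last part filling the remaining bytes. Returns an IPv4Address, or
    None when host is not a numeric IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * (4 - len(head)))) | last
    return ipaddress.IPv4Address(number)


def hardened_is_internal(host: str) -> bool:
    """Post-fix style: canonicalise every numeric spelling first, then
    decide on the address object rather than on its text."""
    ip = canonical_ipv4(host.strip("."))
    if ip is None:
        return False   # a real hostname: resolve it and re-check the result
    return ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local


def compare(hosts=SAMPLE_HOSTS):
    """Return {host: (naive_verdict, hardened_verdict)} for each sample."""
    return {h: (naive_is_internal(h), hardened_is_internal(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, hardened) in compare().items():
        print(f"{host:16} naive={naive!s:5} hardened={hardened}")
```

The hardened check deliberately returns False for anything that is not a numeric literal; in a real filter the hostname still has to be resolved and the resolved address run through the same predicate (and the connection pinned to that address, since a second lookup can return something else). The example covers only the literal-parsing gap the CVE text describes.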
