wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high

  * Backport patches from 4.7.1 Closes: #851310
     - CVE-2016-10066
       Potential Remote Command Execution (RCE) in PHPMailer
     - CVE-2017-5488
       Authenticated Cross-Site Scripting (XSS) in update-core.php
     - CVE-2017-5490
       Stored Cross-Site Scripting (XSS) via Theme Name fallback
     - CVE-2017-5491
       Post via Email Checks mail.example.com by Default
     - CVE-2017-5492
       Accessibility Mode Cross-Site Request Forgery (CSRF)
     - CVE-2017-5493
       Cryptographically Weak Pseudo-Random Number Generator
     - CVE-2017-5489
       Cross-Site Request Forgery (CSRF) via Flash Upload
       Changesets 39838 and 39857, thanks Seb <seb@debian.org>
  * Backport patches from 4.7.2 Closes: #852767
     - CVE-2017-5610
       The user interface for assigning taxonomy terms in Press This is
       shown to users who do not have permissions to use it.
       Changeset 39976
     - CVE-2017-5611
       WP_Query is vulnerable to a SQL injection (SQLi)
       Changeset 39962
     - CVE-2017-5612
       XSS in the posts list table
       Changeset 39985
  * Not vulnerable
     - CVE-2017-5487
       User Information Disclosure via REST API - API doesn't exist

 -- Craig Small <csmall@debian.org>  Sun, 29 Jan 2017 08:53:11 +1100

wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches/CVE-2016-6635.patch:
    - don't duplicate wp_encode_json() which has already been backported
      upstream, just merge later changes, fix regression in the previous
      upload.                                                   closes: #839190
  * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.

 -- Yves-Alexis Perez <corsac@debian.org>  Sat, 01 Oct 2016 11:38:14 +0200

wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high

  * Backport patches from 4.6.1/4.1.13 Closes: #837090
  * CVE-2016-6896 and CVE-2016-6897 not vulnerable
  * Changeset 38538 sanitize filename in media CVE-2016-7168
  * Changeset 38524 sanitize filename upload upgrader CVE-2016-7169
  * CVE-2016-4029:
    WordPress before 4.5 does not consider octal and hexadecimal IP address
    formats when determining an intranet address, which allows remote attackers
    to bypass an intended SSRF protection mechanism via a crafted address.
  * CVE-2016-6634:
    Cross-site scripting (XSS) vulnerability in the network settings page in
    WordPress before 4.5 allows remote attackers to inject arbitrary web script
    or HTML via unspecified vectors.
  * CVE-2016-6635:
    Cross-site request forgery (CSRF) vulnerability in the
    wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php
    in WordPress before 4.5 allows remote attackers to hijack the
    authentication of administrators for requests that change the script
    compression option.
 -- Craig Small <csmall@debian.org>  Sat, 10 Sep 2016 08:07:11 +1000
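The CVE-2016-4029 entry above describes an intranet-address check that only recognises dotted-decimal IPv4 and can therefore be bypassed with octal, hexadecimal or single-integer spellings that a resolver still accepts. The following is an added illustration of that bypass class, written by the editor for this page; it is not code from WordPress, from the referenced changesets, or from the Debian packaging, and it is in Python rather than PHP so it runs stand-alone. The private ranges, the naive regex, the `inet_aton_like` parser and the sample hosts are all constructed for the example and only approximate the BSD inet_aton(3) grammar; they are not WordPress's own list or logic.

```python
"""Constructed illustration of the CVE-2016-4029 bypass class: an intranet
check that only understands dotted-decimal IPv4 is evaded by octal, hex or
single-integer spellings that the underlying resolver still accepts.
Editor-added example code; not WordPress or Debian code."""
import ipaddress
import re

# Strict dotted-decimal pattern, the shape a naive filter tends to match on.
DOTTED_DECIMAL = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"
)

# Constructed "intranet" ranges for the example (not an authoritative list).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def naive_is_internal(host: str) -> bool:
    """Flags the host only when it is already written in dotted decimal.
    Any other spelling is treated as a hostname and waved through: the bug."""
    if not DOTTED_DECIMAL.match(host):
        return False
    return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)


def inet_aton_like(host: str):
    """Approximation of the liberal inet_aton(3) grammar: 1 to 4 parts, each
    decimal, octal (leading 0) or hex (0x), with the last part filling the
    remaining bytes. Returns a 32-bit int, or None if the string is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9]\d*", part):
            values.append(int(part, 10))
        else:
            return None
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    last_width = 4 - len(leading)  # bytes covered by the final component
    if last >= 1 << (8 * last_width):
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    return (addr << (8 * last_width)) | last


def hardened_is_internal(host: str) -> bool:
    """Normalise every numeric spelling to a canonical address before the
    range check, so the representation no longer decides the outcome."""
    raw = inet_aton_like(host.strip("."))
    if raw is None:
        return False  # a real hostname: resolve it and re-check the result
    addr = ipaddress.IPv4Address(raw)
    return any(addr in net for net in PRIVATE_NETS)


if __name__ == "__main__":
    for h in ("127.0.0.1", "0x7f.0.0.1", "0177.0.0.1", "2130706433", "127.1"):
        print(f"{h:>12}  naive={naive_is_internal(h)!s:5}  hardened={hardened_is_internal(h)}")
```

The point of the pair is that the naive check and the hardened check agree on `127.0.0.1` but disagree on every alternative spelling of the same address; any filter that runs before a resolver which accepts those spellings must canonicalise first, or check the resolved address rather than the user-supplied string.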