#862816 and CVE-2017-9066

To: Craig Small <csmall@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: #862816 and CVE-2017-9066
From: Ola Lundqvist <ola@inguza.com>
Date: Tue, 6 Jun 2017 22:33:41 +0200
Message-id: <[🔎] CABY6=0moO3RoF5YdGULJYH4wAFG=CKA67SkoVYsS94WK_BwRSQ@mail.gmail.com>

Hi Craig

I can see the following comments from you:
+  * Backport patches from 4.7.5 Closes: #862816
+   CVEs to be added once issued
+   - CVE-2017-XXX
+     Insufficient redirect validation in the HTTP class.
+     (may not be vulnerable, no patch found)

The patch is available here:
https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11

Do this mean that the package is vulnerable?

Wheezy is clearly vulnerable at least.

Best regards

// Ola


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: #862816 and CVE-2017-9066
  - From: Craig Small <csmall@debian.org>

Prev by Date: Wheezy update of samba?
Next by Date: Wheezy update of wordpress?
Previous by thread: Re: Wheezy update of samba?
Next by thread: Re: #862816 and CVE-2017-9066
Index(es):
- Date
- Thread