On Wed, 7 Jun. 2017, 06:33 Ola Lundqvist, <ola@inguza.com> wrote:I can see the following comments from you:
+ * Backport patches from 4.7.5 Closes: #862816
+ CVEs to be added once issued
+ - CVE-2017-XXX
+ Insufficient redirect validation in the HTTP class.The changelog now reads:* CVE-2017-9066 not fixed as the relevant code has changed dramaticallyand there is no upstream patch for it.Insufficient redirect validation in the HTTP class.There was no upstream patch for it in the wordpress 4.1 stream. There didn't seem to be a way of making a patch for it either.The patch is available here:
https://github.com/WordPress/WordPress/commit/ 76d77e927bb4d0f87c7262a50e28d8 4e01fd2b11 Do this mean that the package is vulnerable?
Wheezy is clearly vulnerable at least.It means I am unsure. I'd like to know what you did to say it was clearly vulnerable. There is a request method, but it is radically different to wordpress 4.5The patch referenced is for 4.5 and would not come close to working; for example the hooks construct seems to be missing or used very differently.However, if you have a patch that works on wordpress 4.1, I'd be glad to see it!- Craig
--Craig Small https://dropbear.xyz/ csmall at : enc.com.auDebian GNU/Linux https://www.debian.org/ csmall at : debian.orgMastodon: @smallsees@social.dropbear.xyz Twitter: @smallseesGPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5