I can see the following comments from you:
+ * Backport patches from 4.7.5 Closes: #862816
+ CVEs to be added once issued
+ - CVE-2017-XXX
+ Insufficient redirect validation in the HTTP class.
The changelog now reads:
* CVE-2017-9066 not fixed as the relevant code has changed dramatically
and there is no upstream patch for it.
Insufficient redirect validation in the HTTP class.
There was no upstream patch for it in the wordpress 4.1 stream. There didn't seem to be a way of making a patch for it either.
The patch is available here:
https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Do this mean that the package is vulnerable?
Wheezy is clearly vulnerable at least.
It means I am unsure. I'd like to know what you did to say it was clearly vulnerable. There is a request method, but it is radically different to wordpress 4.5
The patch referenced is for 4.5 and would not come close to working; for example the hooks construct seems to be missing or used very differently.
However, if you have a patch that works on wordpress 4.1, I'd be glad to see it!
- Craig