Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package wordpress
It fixes #862053, CVE-2017-8295, which was addressed already in the
DSA for jessie (and would otherwise be a regression).
Changelog entry:
>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
> * Don't trust SERVER_NAME variable for emails
> CVE-2017-8295 Closes: #862053
>
> -- Craig Small <csmall@debian.org> Mon, 05 Jun 2017 21:45:59 +1000
unblock wordpress/4.7.5+dfsg-2
I'm attaching the full debdiff against the current version in testing.
Note it adjusts the older changelog entry as well, to add the CVE
identifiers.
Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog wordpress-4.7.5+dfsg/debian/changelog
--- wordpress-4.7.5+dfsg/debian/changelog 2017-05-17 14:28:18.000000000 +0200
+++ wordpress-4.7.5+dfsg/debian/changelog 2017-06-05 13:45:59.000000000 +0200
@@ -1,20 +1,26 @@
+wordpress (4.7.5+dfsg-2) unstable; urgency=medium
+
+ * Don't trust SERVER_NAME variable for emails
+ CVE-2017-8295 Closes: #862053
+
+ -- Craig Small <csmall@debian.org> Mon, 05 Jun 2017 21:45:59 +1000
+
wordpress (4.7.5+dfsg-1) unstable; urgency=high
* New upstream release fixes 6 security issues Closes: #862816
- CVEs to be added once issued
- - CVE-2017-XXX
+ - CVE-2017-9066
Insufficient redirect validation in the HTTP class.
- - CVE-2017-XXX
+ - CVE-2017-9062
Improper handling of post meta data values in the XML-RPC API.
- - CVE-2017-XXX
+ - CVE-2017-9065
Lack of capability checks for post meta data in the XML-RPC API.
- - CVE-2017-XXX
+ - CVE-2017-9064
A Cross Site Request Forgery (CRSF) vulnerability was discovered
in the filesystem credentials dialog.
- - CVE-2017-XXX
+ - CVE-2017-9061
A cross-site scripting (XSS) vulnerability was discovered when
attempting to upload very large files.
- - CVE-2017-XXX
+ - CVE-2017-9063
A cross-site scripting (XSS) vulnerability was discovered related
to the Customizer.
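Review bot: the unchanged context line in the 4.7.5+dfsg-1 entry reads "A Cross Site Request Forgery (CRSF) vulnerability", where the acronym should be CSRF; since this upload already edits that entry to fill in the CVE identifiers, it is a good moment to correct the typo too. The new 4.7.5+dfsg-2 entry itself is fine: the CVE identifier and the "Closes: #862053" reference match the bug named in the unblock request.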
diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
--- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 1970-01-01 01:00:00.000000000 +0100
+++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 2017-06-05 13:45:59.000000000 +0200
@@ -0,0 +1,36 @@
+Description: Don't use SERVER_NAME for emails
+ WordPress uses the SERVER_NAME variable to generate the from address for
+ password resets. This variable can be set by the hostname sent by the
+ client, which means it can be spoofed.
+
+ This patch fixes CVE-2017-8295
+Author: Maarten de Boer
+Origin: upstream, https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
+Bug: https://core.trac.wordpress.org/ticket/25239
+Bug-Debian: https://bugs.debian.org/862053
+Reviewed-by: Craig Small <csmall@debian.org>
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -323,11 +323,8 @@
+
+ if ( !isset( $from_email ) ) {
+ // Get the site domain and get rid of www.
+- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
+- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+- $sitename = substr( $sitename, 4 );
+- }
+-
++ $sitename = parse_url( network_home_url(), PHP_URL_HOST );
++
+ $from_email = 'wordpress@' . $sitename;
+ }
+
+@@ -1491,7 +1488,7 @@
+ $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
+ }
+
+- $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
++ $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
+
+ if ( '' == $comment->comment_author ) {
+ $from = "From: \"$blogname\" <$wp_email>";
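Review bot: the comment kept as context in the first pluggable.php hunk, `// Get the site domain and get rid of www.`, no longer describes the code under it: the replacement `$sitename = parse_url( network_home_url(), PHP_URL_HOST );` drops the `www.` stripping that the removed `substr()` lines did, and the second hunk likewise drops the `preg_replace('#^www\.#', ...)`. A site whose home URL starts with `www.` will therefore now send from `wordpress@www.example.org` rather than `wordpress@example.org`. That is a behaviour change rather than a defect, but the comment should be updated to match, and a sentence about it in the DEP-3 Description would help anyone diffing mail headers after the upgrade. The substance of the fix is correct: the From host is now derived from the configured home URL instead of `$_SERVER['SERVER_NAME']`, which, as the Description notes, can be influenced by the hostname the client sends.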
diff -Nru wordpress-4.7.5+dfsg/debian/patches/series wordpress-4.7.5+dfsg/debian/patches/series
--- wordpress-4.7.5+dfsg/debian/patches/series 2017-05-17 14:28:18.000000000 +0200
+++ wordpress-4.7.5+dfsg/debian/patches/series 2017-06-05 13:45:59.000000000 +0200
@@ -3,3 +3,4 @@
003installer.patch
010disabling_update_note.patch
#011support-symlinks-for-plugins.patch
+CVE-2017-8295
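Review bot: the new series entry `CVE-2017-8295` has no `.patch` suffix, unlike the other entries in the file (`003installer.patch`, `010disabling_update_note.patch`); naming the file `CVE-2017-8295.patch` would keep debian/patches consistent and make the file type obvious at a glance. The entry is otherwise appended correctly, so it applies after the existing patches.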