
Bug#864247: marked as done (unblock: wordpress/4.7.5+dfsg-2)



Your message dated Mon, 05 Jun 2017 17:58:24 +0000
with message-id <E1dHwGm-0005oM-TU@respighi.debian.org>
and subject line unblock wordpress
has caused the Debian Bug report #864247,
regarding unblock: wordpress/4.7.5+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package wordpress

It fixes #862053, CVE-2017-8295, which was addressed already in the
DSA for jessie (and would otherwise be a regression).

Changelog entry:

>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
>  * Don't trust SERVER_NAME variable for emails
>    CVE-2017-8295 Closes: #862053
>
> -- Craig Small <csmall@debian.org>  Mon, 05 Jun 2017 21:45:59 +1000

unblock wordpress/4.7.5+dfsg-2

I'm attaching the full debdiff against the current version in testing.
Note that it also adjusts the older changelog entry to add the CVE
identifiers.

Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog wordpress-4.7.5+dfsg/debian/changelog
--- wordpress-4.7.5+dfsg/debian/changelog	2017-05-17 14:28:18.000000000 +0200
+++ wordpress-4.7.5+dfsg/debian/changelog	2017-06-05 13:45:59.000000000 +0200
@@ -1,20 +1,26 @@
+wordpress (4.7.5+dfsg-2) unstable; urgency=medium
+
+  * Don't trust SERVER_NAME variable for emails
+    CVE-2017-8295 Closes: #862053
+
+ -- Craig Small <csmall@debian.org>  Mon, 05 Jun 2017 21:45:59 +1000
+
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 
   * New upstream release fixes 6 security issues Closes: #862816
-    CVEs to be added once issued
-    - CVE-2017-XXX
+    - CVE-2017-9066
       Insufficient redirect validation in the HTTP class.
-    - CVE-2017-XXX
+    - CVE-2017-9062
       Improper handling of post meta data values in the XML-RPC API.
-    - CVE-2017-XXX
+    - CVE-2017-9065
       Lack of capability checks for post meta data in the XML-RPC API.
-    - CVE-2017-XXX
+    - CVE-2017-9064
       A Cross Site Request Forgery (CRSF) vulnerability was discovered
       in the filesystem credentials dialog.
-    - CVE-2017-XXX
+    - CVE-2017-9061
       A cross-site scripting (XSS) vulnerability was discovered when
       attempting to upload very large files.
-    - CVE-2017-XXX
+    - CVE-2017-9063
       A cross-site scripting (XSS) vulnerability was discovered related
       to the Customizer.
 
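Review bot: the new 4.7.5+dfsg-2 entry does not record that this upload also rewrites the already-released 4.7.5+dfsg-1 entry, where the six CVE-2017-XXX placeholders become real identifiers and the line "CVEs to be added once issued" is dropped. Add a bullet to the -2 entry saying the CVE identifiers were filled in for the previous upload, so the changelog itself explains the retroactive edit. While that entry is being touched, "(CRSF)" in the CVE-2017-9064 item looks like a typo for "(CSRF)".
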
diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
--- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295	1970-01-01 01:00:00.000000000 +0100
+++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295	2017-06-05 13:45:59.000000000 +0200
@@ -0,0 +1,36 @@
+Description: Don't use SERVER_NAME for emails
+ WordPress uses the SERVER_NAME variable to generate the from address for
+ password resets. This variable can be set by the hostname sent by the
+ client, which means it can be spoofed.
+
+ This patch fixes CVE-2017-8295
+Author: Maarten de Boer
+Origin: upstream, https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
+Bug: https://core.trac.wordpress.org/ticket/25239
+Bug-Debian: https://bugs.debian.org/862053
+Reviewed-by: Craig Small <csmall@debian.org>
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -323,11 +323,8 @@
+ 
+ 	if ( !isset( $from_email ) ) {
+ 		// Get the site domain and get rid of www.
+-		$sitename = strtolower( $_SERVER['SERVER_NAME'] );
+-		if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+-			$sitename = substr( $sitename, 4 );
+-		}
+-
++		$sitename = parse_url( network_home_url(), PHP_URL_HOST );
++		
+ 		$from_email = 'wordpress@' . $sitename;
+ 	}
+ 
+@@ -1491,7 +1488,7 @@
+ 		$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
+ 	}
+ 
+-	$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
++	$wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
+ 
+ 	if ( '' == $comment->comment_author ) {
+ 		$from = "From: \"$blogname\" <$wp_email>";
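
Review bot: both replacements in wp-includes/pluggable.php (the $sitename assignment at @@ -323 and the $wp_email assignment at @@ -1491) drop the leading "www." stripping that the removed lines performed, and neither checks what parse_url() returned. On a site whose home URL host starts with "www.", the From address changes from wordpress@example.org to wordpress@www.example.org (example host), a behaviour change that is separate from the CVE fix. If parse_url() cannot extract a host, the address becomes "wordpress@" with nothing after it. Suggest keeping the "www." strip on the parsed host and handling an empty result explicitly. Minor: the added line after the $sitename assignment consists only of tabs (trailing whitespace), and the Description mentions only password resets although the second hunk also changes the sender built next to $notify_message for comment notifications.
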
diff -Nru wordpress-4.7.5+dfsg/debian/patches/series wordpress-4.7.5+dfsg/debian/patches/series
--- wordpress-4.7.5+dfsg/debian/patches/series	2017-05-17 14:28:18.000000000 +0200
+++ wordpress-4.7.5+dfsg/debian/patches/series	2017-06-05 13:45:59.000000000 +0200
@@ -3,3 +3,4 @@
 003installer.patch
 010disabling_update_note.patch
 #011support-symlinks-for-plugins.patch
+CVE-2017-8295
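
Review bot: the new series entry CVE-2017-8295 has no ".patch" suffix, unlike 003installer.patch and 010disabling_update_note.patch above it. Renaming the file to CVE-2017-8295.patch and updating this line would keep the series consistent and make the file recognisable as a patch in debian/patches.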

--- End Message ---
--- Begin Message ---
Unblocked wordpress.

--- End Message ---
