[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 5 commits: CVE-2012-6707, wordpress: Follow Jessie and Co. Can be postponed.

Tue Jan 30 17:53:18 UTC 2018

Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ef171d1 by Markus Koschany at 2018-01-30T18:26:00+01:00
CVE-2012-6707,wordpress: Follow Jessie and Co. Can be postponed.

- - - - -
9e1cc5d7 by Markus Koschany at 2018-01-30T18:51:14+01:00
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker

- - - - -
577c17e5 by Markus Koschany at 2018-01-30T18:52:02+01:00
CVE-2018-5776,wordpress. Flash media files were removed previously.

- - - - -
fa569d03 by Markus Koschany at 2018-01-30T18:52:44+01:00
Remove wordpress from dla-needed.txt

- - - - -
c3ed204e by Markus Koschany at 2018-01-30T18:53:05+01:00
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1610,6 +1610,7 @@ CVE-2018-5776 (WordPress before 4.9.2 has XSS in the Flash fallback files in ...
 	- wordpress 4.9.2+dfsg-1 (bug #887596)
 	[stretch] - wordpress <not-affected> (Vulnerable files have been removed before)
 	[jessie] - wordpress <not-affected> (Vulnerable files have been removed before)
+	[wheezy] - wordpress <not-affected> (Vulnerable files have been removed before)
 	NOTE: For jessie and stretch version the files silverlightmediaelement.xap and
 	NOTE: flashmediaelement.swf have been removed with the 4.1+dfsg-1 version.
 	NOTE: sid in version 4.9.1+dfsg-1 did as well *not* have the files but track here the
@@ -20918,6 +20919,7 @@ CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing ..
 	- wordpress <unfixed> (bug #880868)
 	[stretch] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[jessie] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
+	[wheezy] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	NOTE: https://core.trac.wordpress.org/ticket/21022
 	NOTE: Proposed patch (but not merged): https://core.trac.wordpress.org/attachment/ticket/21022/21022.3.diff
 	NOTE: Cf. https://core.trac.wordpress.org/ticket/21022#comment:80 and following.


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -61,12 +61,5 @@ openjdk-7 (Emilio Pozuelo)
 --
 p7zip
 --
-wordpress
-  NOTE: CVE-2012-6707: Fix requires migrating users from MD5 -> bcrypt. (lamby)
-  NOTE: This needs an upstream fix first, to ensure we don't implement a
-  NOTE: solution that is incompatable with other distributions. (Brian)
-  NOTE: 2018-08-09: Upstream bug opened 6 years ago and no chages to upstream
-  NOTE: bug in 7 weeks.
---
 xen
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb9d200e14fa0c2091ce355735ba2afc2266231a...c3ed204ef455168784d8e5341d88f6179d8acac4

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb9d200e14fa0c2091ce355735ba2afc2266231a...c3ed204ef455168784d8e5341d88f6179d8acac4
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180130/b504dcfd/attachment.html>
