[Git][security-tracker-team/security-tracker][master] CVE-2019-20043, CVE-2019-20042, CVE-2019-20041, CVE-2019-17674, CVE-2019-17672, CVE...
Sylvain Beucler
beuc at debian.org
Mon Jan 13 22:17:48 GMT 2020
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
77db4577 by Sylvain Beucler at 2020-01-13T23:17:24+01:00
CVE-2019-20043,CVE-2019-20042,CVE-2019-20041,CVE-2019-17674,CVE-2019-17672,CVE-2019-16781,CVE-2019-16780/wordpress: jessie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -8142,12 +8142,15 @@ CVE-2019-19834
CVE-2019-20043 (In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.ph ...)
{DSA-4599-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [jessie] - wordpress <not-affected> (Vulnerable REST API introduced in 4.4)
NOTE: https://core.trac.wordpress.org/changeset/46893/trunk
NOTE: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
CVE-2019-20042 (In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function ...)
{DSA-4599-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [stretch] - wordpress <not-affected> (Vulnerable function introduced in 5.1)
+ [jessie] - wordpress <not-affected> (Vulnerable function introduced in 5.1)
NOTE: https://core.trac.wordpress.org/changeset/46894/trunk
NOTE: https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
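Review bot: the [stretch] and [jessie] <not-affected> rationale for CVE-2019-20042 ("Vulnerable function introduced in 5.1") sits directly under a description that says "WordPress 3.7 to 5.3.0", so a reader checking the entry sees an apparent conflict. Spell out in the annotation that the description's range reflects upstream's backported security releases rather than when the function appeared, or point the rationale at the changeset already listed (https://core.trac.wordpress.org/changeset/46894/trunk) as the place where the introduction version was verified. The same applies to the CVE-2019-20043 jessie line ("Vulnerable REST API introduced in 4.4"): a reference for where that was checked would let the next triager trust it without repeating the work.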
@@ -8159,12 +8162,16 @@ CVE-2019-20041 (wp_kses_bad_protocol in wp-includes/kses.php in WordPress before
CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...)
{DSA-4599-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [stretch] - wordpress <not-affected> (Vulnerable Block feature introduce in 5.0)
+ [jessie] - wordpress <not-affected> (Vulnerable Block feature introduce in 5.0)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
NOTE: https://hackerone.com/reports/731301
NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
CVE-2019-16780 (WordPress users with lower privileges (like contributors) can inject J ...)
{DSA-4599-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [stretch] - wordpress <not-affected> (Vulnerable Block feature introduce in 5.0)
+ [jessie] - wordpress <not-affected> (Vulnerable Block feature introduce in 5.0)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94
NOTE: https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e
NOTE: https://hackerone.com/reports/738644
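Review bot: the four added annotation lines read "Vulnerable Block feature introduce in 5.0"; this should be "introduced in 5.0", matching the wording used for CVE-2019-20043 and CVE-2019-20042 earlier in this commit. Separately, the identical rationale is given for two different CVEs, and only CVE-2019-16780 cites a fix commit (505dd6a20b6fc3d06130018c1caeff764248c29e) while CVE-2019-16781 cites an advisory and a HackerOne report; it would be worth noting in each entry which reference was used to confirm the affected code is part of the 5.0 Block feature before marking stretch not-affected.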
@@ -20640,8 +20647,11 @@ CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion
CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripti ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
+ NOTE: https://wordpress.org/support/wordpress-version/version-4.1.28/
+ NOTE: https://github.com/WordPress/WordPress/commit/d1e2b35359df9644f255b7b54a568b56a2c490d7 (4.1.28)
CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
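Review bot: the jessie <postponed> rationale for CVE-2019-17674 ("officially fixed in 4.1.28 but no related fix was identified") reads as contradicted by the new NOTE line tagging commit d1e2b35359df9644f255b7b54a568b56a2c490d7 as "(4.1.28)". If that commit is the 4.1.28 release commit in which no change could be matched to this CVE, say so explicitly in the rationale (for example "4.1.28 release commit contains no change attributable to this stored XSS") so the next triager does not repeat the same search.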
@@ -20653,8 +20663,11 @@ CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache o
CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
+ NOTE: https://wordpress.org/support/wordpress-version/version-4.1.28/
+ NOTE: https://github.com/WordPress/WordPress/commit/d1e2b35359df9644f255b7b54a568b56a2c490d7 (4.1.28)
CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content ...)
{DSA-4599-1 DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
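Review bot: this entry receives exactly the same annotation and NOTE lines as CVE-2019-17674 above, so nothing in the file records what was looked for in the 4.1.28 commit for CVE-2019-17672 specifically. A short per-CVE note of what was searched for (this description concerns a stored XSS via a different vector than CVE-2019-17674) would make the postponed status easier to revisit, and would also confirm the duplicated NOTE URLs are intentional rather than a copy-paste.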
@@ -86919,7 +86932,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.
CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...)
- wordpress <unfixed> (bug #906565)
[stretch] - wordpress <no-dsa> (Minor issue)
- [jessie] - wordpress <postponed> (can be fixed with a later update)
+ [jessie] - wordpress <postponed> (no sanctioned patch)
NOTE: https://core.trac.wordpress.org/ticket/44710
NOTE: https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/
CVE-2018-14027 (Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or ...)
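Review bot: the replaced jessie rationale ("no sanctioned patch") drops the information in the old one ("can be fixed with a later update") without saying what changed. Since the entry already cites https://core.trac.wordpress.org/ticket/44710, tie the rationale to that ticket (for example "no upstream fix in ticket 44710 yet") so the postponed status can be verified against a concrete upstream state; it would also help to note why jessie stays <postponed> while the stretch line immediately above records <no-dsa> (Minor issue) for the same issue.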
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77db4577ccf7bb5f034934a458caaa799c499d06