[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-4046
Salvatore Bonaccorso
carnil at debian.org
Fri Jul 10 13:39:08 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
59fccc83 by Salvatore Bonaccorso at 2020-07-10T14:37:52+02:00
Update status for CVE-2020-4046
The issue was actually only introduced around 5.2 upstream, but was
marked as fixed in earlier DSAs and DLAs. Try to clean up this status,
the websites need to be corrected in webmaster/webwml repositories as
a follow-up.
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3901,9 +3901,10 @@ CVE-2020-4048 (In affected versions of WordPress, due to an issue in wp_validate
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
NOTE: https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693
CVE-2020-4046 (In affected versions of WordPress, users with low privileges (like con ...)
- {DSA-4709-1 DLA-2269-1}
- wordpress 5.4.2+dfsg1-1 (bug #962685)
- [stretch] - wordpress <not-affected> (Not affected, title HTML attribute parsing added later despite being marked as fixed in 4.1.31+dfsg-0+deb8u1?)
+ [buster] - wordpress <not-affected> (Vulnerable code introduced later)
+ [stretch] - wordpress <not-affected> (Vulnerable code introduced later)
+ [jessie] - wordpress <not-affected> (Vulnerable code introduced later)
NOTE: https://core.trac.wordpress.org/changeset/47947
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
CVE-2020-4047 (In affected versions of WordPress, authenticated users with upload per ...)
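Review bot: the three added `<not-affected>` lines all give the generic reason "Vulnerable code introduced later", which drops the one concrete detail the removed stretch line carried (that the title HTML attribute parsing was added later). The commit message says the issue was introduced around 5.2 upstream; consider putting that in the reason text or in a NOTE under CVE-2020-4046, next to the existing changeset link, so someone re-triaging jessie, stretch or buster can check the claim against the packaged versions without digging through the commit history.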
=====================================
data/DLA/list
=====================================
@@ -16,7 +16,7 @@
{CVE-2020-14060 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195}
[jessie] - jackson-databind 2.4.2-2+deb8u15
[01 Jul 2020] DLA-2269-1 wordpress - security update
- {CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050}
+ {CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050}
[jessie] - wordpress 4.1.31+dfsg-0+deb8u1
[30 Jun 2020] DLA-2268-2 mutt - regression update
{CVE-2020-14093 CVE-2020-14954}
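Review bot: removing CVE-2020-4046 from the `{...}` line of DLA-2269-1 leaves no trace in the tracker data that the advisory was issued with this CVE listed. Since the commit message says the website text still has to be corrected separately, the tracker and the published DLA will disagree until then; a NOTE under CVE-2020-4046 in data/CVE/list stating that DLA-2269-1 named it although jessie is not affected would explain the mismatch to anyone comparing the two.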
=====================================
data/DSA/list
=====================================
@@ -43,7 +43,7 @@
{CVE-2020-9494}
[buster] - trafficserver 8.0.2+ds-1+deb10u3
[23 Jun 2020] DSA-4709-1 wordpress - security update
- {CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050}
+ {CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050}
[buster] - wordpress 5.0.10+dfsg1-0+deb10u1
[21 Jun 2020] DSA-4708-1 neomutt - security update
{CVE-2020-14093 CVE-2020-14954}
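Review bot: the DSA-4709-1 `{...}` line loses CVE-2020-4046 here, but the follow-up the commit message mentions for the webmaster/webwml repositories is not referenced anywhere in the changed files. The buster version shown, 5.0.10+dfsg1-0+deb10u1, is older than the 5.2 the commit message cites, so the removal is consistent with the new `[buster] ... <not-affected>` entry; suggest recording a bug number or commit reference for the website correction in a NOTE once it exists, so the pending change to the published DSA can be tracked from the CVE entry.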
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59fccc83dfbef0f75cfe3787ca660c878b89aa7e