[Git][security-tracker-team/security-tracker][master] 3 commits: wordpress,6.0.2,5.0.17: Link to upstream fix

Mon Oct 10 14:22:20 BST 2022


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9df40ceb by Markus Koschany at 2022-10-10T15:17:01+02:00
wordpress,6.0.2,5.0.17: Link to upstream fix

This changeset addresses at least one security issue mentioned in upstream's
security advisory. Not sure if upstream will request more CVE or if the
temporary CVE covers all three security vulnerabilities.

- - - - -
c633bbc5 by Markus Koschany at 2022-10-10T15:21:03+02:00
CVE-2019-17670,wordpress: remove no-dsa tag for upcoming release

- - - - -
24bdaa92 by Markus Koschany at 2022-10-10T15:22:08+02:00
Reserve DLA-3141-1 for wordpress

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -8533,6 +8533,7 @@ CVE-2022-XXXX [wordpress 6.0.2]
 	- wordpress 6.0.2+dfsg1-1 (bug #1018863)
 	[bullseye] - wordpress <no-dsa> (Minor issue)
 	NOTE: https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
+	NOTE: https://core.trac.wordpress.org/changeset/53973
 CVE-2022-39079
 	RESERVED
 CVE-2022-39078
@@ -216959,7 +216960,6 @@ CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain co
 CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
 	{DLA-2371-1 DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
-	[buster] - wordpress <no-dsa> (Minor issue)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46472
 	NOTE: https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[10 Oct 2022] DLA-3141-1 wordpress - security update
+	{CVE-2019-17670}
+	[buster] - wordpress 5.0.17+dfsg1-0+deb10u1
 [07 Oct 2022] DLA-3140-1 libpgjava - security update
 	{CVE-2022-31197}
 	[buster] - libpgjava 42.2.5-2+deb10u2


=====================================
data/dla-needed.txt
=====================================
@@ -225,10 +225,6 @@ wireshark
 wkhtmltopdf
   NOTE: 20220904: Programming language: C++.
 --
-wordpress (Markus Koschany)
-  NOTE: 20220911: Programming language: PHP
-  NOTE: 20220911: Further investigation needed to see what parts of 6.0.2 update that applies to buster.
---
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/84134c5ebbcc3d5b6bc92073354c07d11ce1c0d9...24bdaa923ea3a7356af971467f5bdc1edb5000a6

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/84134c5ebbcc3d5b6bc92073354c07d11ce1c0d9...24bdaa923ea3a7356af971467f5bdc1edb5000a6
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221010/069b8e8d/attachment-0001.htm>
