[Git][security-tracker-team/security-tracker][master] Reserve DLA-4358-1 for wordpress

Sun Nov 2 21:53:00 GMT 2025


Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5f166b41 by Utkarsh Gupta at 2025-11-02T22:50:16+01:00
Reserve DLA-4358-1 for wordpress

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -150348,7 +150348,6 @@ CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Res
 	NOT-FOR-US: itsourcecode Simple Online Hotel Reservation System
 CVE-2024-6307 (WordPress Core is vulnerable to Stored Cross-Site Scripting via the HT ...)
 	- wordpress 6.5.5+dfsg1-1 (bug #1074486)
-	[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 	NOTE: https://core.trac.wordpress.org/changeset/58473
 	NOTE: https://core.trac.wordpress.org/changeset/58472
@@ -150457,7 +150456,6 @@ CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 CVE-2024-31111 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
 	- wordpress 6.5.5+dfsg1-1 (bug #1074486)
-	[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 CVE-2024-28832 (Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7 ...)
 	- check-mk <removed>


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[02 Nov 2025] DLA-4358-1 wordpress - security update
+	{CVE-2024-6307 CVE-2024-31111 CVE-2025-58246 CVE-2025-58674}
+	[bullseye] - wordpress 5.7.14+dfsg1-0+deb11u1
 [01 Nov 2025] DLA-4357-1 ruby-rack - security update
 	{CVE-2025-32441 CVE-2025-46727 CVE-2025-59830 CVE-2025-61770 CVE-2025-61771 CVE-2025-61772 CVE-2025-61780 CVE-2025-61919}
 	[bullseye] - ruby-rack 2.1.4-3+deb11u4


=====================================
data/dla-needed.txt
=====================================
@@ -337,17 +337,6 @@ wolfssl
   NOTE: 20250825: I attempted backporting the fixes, but the code diverged significantly.
   NOTE: 20250825: Backporting is difficult withing prior knowledge of the codebase. (paride)
 --
-wordpress (Utkarsh)
-  NOTE: 20250804: Added by Front-Desk (rouca)
-  NOTE: 20250804: Sync with DSA (rouca)
-  NOTE: 20250902: prepped DSA update, will sync w/ Security and then release DLA. (utkarsh)
-  NOTE: 20250922: csmall replied, will follow up. but will release DLA w/o waiting on stable*. (utkarsh)
-  NOTE: 20250922: update: carnil advised to wait for a bit... (utkarsh)
-  NOTE: 20251006: we've waitied so much that there are new CVEs now. d'oh. (utkarsh)
-  NOTE: 20251006: will re-propose the diff to security team again. (utkarsh)
-  NOTE: 20251026: untested update prepared - will test this week & coordinate with the sec team. (utkarsh)
-  NOTE: 20251028: pinged Craig and security team with the update on Mon 27th Oct. (utkarsh)
---
 xmlrpc-c
   NOTE: 20250411: Added by Front-Desk (Beuc)
   NOTE: 20250411: See issues with old embedded expat library:



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f166b41ed76d509efc4dad771897b36baff01bd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f166b41ed76d509efc4dad771897b36baff01bd
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251102/e613bbd8/attachment-0001.htm>
