Package: wordpress | Debian Sources

Package: wordpress / 3.6.1+dfsg-1~deb7u10

Metadata

Package	Version	Patches format
wordpress	3.6.1+dfsg-1~deb7u10	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
cs27976_priv_esc \| (download)	wp-admin/includes/class-wp-posts-list-table.php \| 2 1 + 1 - 0 ! wp-admin/includes/post.php \| 54 47 + 7 - 0 ! 2 files changed, 48 insertions(+), 8 deletions(-)	---
cs28054_auth_cookie \| (download)	wp-includes/pluggable.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	---
cs27873_hardening_pingback \| (download)	wp-includes/class-wp-xmlrpc-server.php \| 7 7 + 0 - 0 ! 1 file changed, 7 insertions(+)	---
001readme.patch \| (download)	readme.html \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	fixing reame file
003installer.patch \| (download)	wp-admin/install.php \| 5 5 + 0 - 0 ! 1 file changed, 5 insertions(+)	patching install.php to permit a valid upload path
010disabling_update_note.patch \| (download)	wp-admin/includes/update.php \| 2 2 + 0 - 0 ! 1 file changed, 2 insertions(+)	disabled the the "please update" warning, thanks to hans spaans and rolf leggewie (closes: #506685)
011support symlinks for plugins.patch \| (download)	wp-admin/includes/plugin.php \| 11 8 + 3 - 0 ! wp-includes/plugin.php \| 30 30 + 0 - 0 ! 2 files changed, 38 insertions(+), 3 deletions(-)	support symlinks for plugin directories
mu.patch \| (download)	wp-admin/network.php \| 10 5 + 5 - 0 ! 1 file changed, 5 insertions(+), 5 deletions(-)	---
cs28073_edit_post \| (download)	wp-admin/includes/post.php \| 8 4 + 4 - 0 ! 1 file changed, 4 insertions(+), 4 deletions(-)	ensure edit_post() promotes an auto-draft to draft. Fixes Quick Draft
cs28114_nostomp_postdata \| (download)	wp-admin/includes/post.php \| 5 5 + 0 - 0 ! 1 file changed, 5 insertions(+)	avoid stomping of bulk postdata inside the bulk_edit_posts() loop.
cs29405_ignore_xml \| (download)	wp-includes/class-IXR.php \| 32 29 + 3 - 0 ! 1 file changed, 29 insertions(+), 3 deletions(-)	ignore entities in xml-rpc requests
cs29390_disable_id3_entities \| (download)	wp-includes/ID3/getid3.lib.php \| 11 6 + 5 - 0 ! 1 file changed, 6 insertions(+), 5 deletions(-)	disable external entities in id3.
cs29384_time_nonce \| (download)	wp-includes/compat.php \| 29 29 + 0 - 0 ! wp-includes/pluggable.php \| 44 41 + 3 - 0 ! 2 files changed, 70 insertions(+), 3 deletions(-)	constant time for wp_verify_nonce()
cs29408_delim_nonce \| (download)	wp-includes/pluggable.php \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	use delimiters when building nonce hashes
cs29398_escape_get_avatar \| (download)	wp-includes/pluggable.php \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	---
374to375 \| (download)	wp-admin/includes/image.php \| 6 6 + 0 - 0 ! wp-admin/press-this.php \| 2 1 + 1 - 0 ! wp-includes/class-phpass.php \| 8 8 + 0 - 0 ! wp-includes/formatting.php \| 13 11 + 2 - 0 ! wp-includes/http.php \| 8 4 + 4 - 0 ! wp-includes/kses.php \| 2 1 + 1 - 0 ! wp-includes/pluggable.php \| 2 1 + 1 - 0 ! wp-includes/user.php \| 3 3 + 0 - 0 ! wp-login.php \| 8 6 + 2 - 0 ! 9 files changed, 41 insertions(+), 11 deletions(-)	---
cs32163_query_sanity_checks \| (download)	wp-includes/wp-db.php \| 792 743 + 49 - 0 ! 1 file changed, 743 insertions(+), 49 deletions(-)	---
cs32165_sanitize_orderby \| (download)	wp-includes/formatting.php \| 22 12 + 10 - 0 ! 1 file changed, 12 insertions(+), 10 deletions(-)	---
cs32174_multisite_switch \| (download)	wp-includes/capabilities.php \| 12 8 + 4 - 0 ! 1 file changed, 8 insertions(+), 4 deletions(-)	---
cs32176_dashboard_esc_titles \| (download)	wp-admin/includes/class-wp-comments-list-table.php \| 4 2 + 2 - 0 ! wp-admin/includes/dashboard.php \| 2 1 + 1 - 0 ! wp-admin/includes/template.php \| 2 1 + 1 - 0 ! wp-admin/js/nav-menu.js \| 6 3 + 3 - 0 ! 4 files changed, 7 insertions(+), 7 deletions(-)	---
cs32234_wpdb_query_sanity \| (download)	wp-includes/wp-db.php \| 21 20 + 1 - 0 ! 1 file changed, 20 insertions(+), 1 deletion(-)	---
cs32307_dbstring_length \| (download)	wp-includes/wp-db.php \| 114 114 + 0 - 0 ! 1 file changed, 114 insertions(+)	sanity check strings too long XSS bug if you send >64kB long comments
cs33529_xss_widget_title \| (download)	wp-includes/default-widgets.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	nav menus: consistent titles in widgets Prevent XSS attack in widget titles CVE-2015-5732
cs33542_post_lock_release \| (download)	wp-admin/includes/post.php \| 2 1 + 1 - 0 ! wp-admin/post.php \| 1 1 + 0 - 0 ! 2 files changed, 2 insertions(+), 1 deletion(-)	heartbeat: ensure post locks are released. Prevent an attacker from locking a post from being edited CVE-2015-5731
cs33555_ids_are_integers \| (download)	wp-includes/post.php \| 7 4 + 3 - 0 ! 1 file changed, 4 insertions(+), 3 deletions(-)	ids are integers Remove source of SQL Injection CVE-2015-2213
cs33359_reliable_shortcode \| (download)	wp-includes/class-wp-embed.php \| 6 5 + 1 - 0 ! wp-includes/formatting.php \| 71 71 + 0 - 0 ! wp-includes/kses.php \| 266 228 + 38 - 0 ! wp-includes/shortcodes.php \| 164 161 + 3 - 0 ! 4 files changed, 465 insertions(+), 42 deletions(-)	cve-2015-5622 improve reliability of shortcodes There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.
cs33549_xss_theme_view \| (download)	wp-includes/theme.php \| 24 3 + 21 - 0 ! 1 file changed, 3 insertions(+), 21 deletions(-)	themes: fix some broken links in the legacy theme preview CVE-2015-5734
cs34137_escape_email \| (download)	wp-admin/includes/class-wp-ms-users-list-table.php \| 2 1 + 1 - 0 ! wp-admin/includes/class-wp-users-list-table.php \| 2 1 + 1 - 0 ! 2 files changed, 2 insertions(+), 2 deletions(-)	escape email addresses
cs34144_shortcode_close_elements \| (download)	wp-includes/media.php \| 2 2 + 0 - 0 ! wp-includes/shortcodes.php \| 9 9 + 0 - 0 ! 2 files changed, 11 insertions(+)	don't allow unclosed html elements in attributes CVE-2015-5714
cs34151_unsticky_private_posts \| (download)	wp-includes/class-wp-xmlrpc-server.php \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	xmlrpc: don't allow private posts to be sticky. CVE-2015-5715
cs36185_xss_theme \| (download)	wp-includes/class-wp-theme.php \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	stop xss in theme title Backport of changeset 36185 Fixes CVE-2016-1564
cs36435_http_valid_ip \| (download)	wp-includes/http.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	http: 0.1.2.3 is not valid ip Check for IP address starting with 0.
cs36444_plug_valid_redirect \| (download)	wp-includes/pluggable.php \| 12 10 + 2 - 0 ! 1 file changed, 10 insertions(+), 2 deletions(-)	better validation of the url used in http redirects.

Patch	File delta	Description
cs27976_priv_esc \| (download)	wp-admin/includes/class-wp-posts-list-table.php \| 2 1 + 1 - 0 ! wp-admin/includes/post.php \| 54 47 + 7 - 0 ! 2 files changed, 48 insertions(+), 8 deletions(-)	---
cs28054_auth_cookie \| (download)	wp-includes/pluggable.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	---
cs27873_hardening_pingback \| (download)	wp-includes/class-wp-xmlrpc-server.php \| 7 7 + 0 - 0 ! 1 file changed, 7 insertions(+)	---
001readme.patch \| (download)	readme.html \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	fixing reame file
003installer.patch \| (download)	wp-admin/install.php \| 5 5 + 0 - 0 ! 1 file changed, 5 insertions(+)	patching install.php to permit a valid upload path
010disabling_update_note.patch \| (download)	wp-admin/includes/update.php \| 2 2 + 0 - 0 ! 1 file changed, 2 insertions(+)	disabled the the "please update" warning, thanks to hans spaans and rolf leggewie (closes: #506685)
011support symlinks for plugins.patch \| (download)	wp-admin/includes/plugin.php \| 11 8 + 3 - 0 ! wp-includes/plugin.php \| 30 30 + 0 - 0 ! 2 files changed, 38 insertions(+), 3 deletions(-)	support symlinks for plugin directories
mu.patch \| (download)	wp-admin/network.php \| 10 5 + 5 - 0 ! 1 file changed, 5 insertions(+), 5 deletions(-)	---
cs28073_edit_post \| (download)	wp-admin/includes/post.php \| 8 4 + 4 - 0 ! 1 file changed, 4 insertions(+), 4 deletions(-)	ensure edit_post() promotes an auto-draft to draft. Fixes Quick Draft
cs28114_nostomp_postdata \| (download)	wp-admin/includes/post.php \| 5 5 + 0 - 0 ! 1 file changed, 5 insertions(+)	avoid stomping of bulk postdata inside the bulk_edit_posts() loop.
cs29405_ignore_xml \| (download)	wp-includes/class-IXR.php \| 32 29 + 3 - 0 ! 1 file changed, 29 insertions(+), 3 deletions(-)	ignore entities in xml-rpc requests
cs29390_disable_id3_entities \| (download)	wp-includes/ID3/getid3.lib.php \| 11 6 + 5 - 0 ! 1 file changed, 6 insertions(+), 5 deletions(-)	disable external entities in id3.
cs29384_time_nonce \| (download)	wp-includes/compat.php \| 29 29 + 0 - 0 ! wp-includes/pluggable.php \| 44 41 + 3 - 0 ! 2 files changed, 70 insertions(+), 3 deletions(-)	constant time for wp_verify_nonce()
cs29408_delim_nonce \| (download)	wp-includes/pluggable.php \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	use delimiters when building nonce hashes
cs29398_escape_get_avatar \| (download)	wp-includes/pluggable.php \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	---
374to375 \| (download)	wp-admin/includes/image.php \| 6 6 + 0 - 0 ! wp-admin/press-this.php \| 2 1 + 1 - 0 ! wp-includes/class-phpass.php \| 8 8 + 0 - 0 ! wp-includes/formatting.php \| 13 11 + 2 - 0 ! wp-includes/http.php \| 8 4 + 4 - 0 ! wp-includes/kses.php \| 2 1 + 1 - 0 ! wp-includes/pluggable.php \| 2 1 + 1 - 0 ! wp-includes/user.php \| 3 3 + 0 - 0 ! wp-login.php \| 8 6 + 2 - 0 ! 9 files changed, 41 insertions(+), 11 deletions(-)	---
cs32163_query_sanity_checks \| (download)	wp-includes/wp-db.php \| 792 743 + 49 - 0 ! 1 file changed, 743 insertions(+), 49 deletions(-)	---
cs32165_sanitize_orderby \| (download)	wp-includes/formatting.php \| 22 12 + 10 - 0 ! 1 file changed, 12 insertions(+), 10 deletions(-)	---
cs32174_multisite_switch \| (download)	wp-includes/capabilities.php \| 12 8 + 4 - 0 ! 1 file changed, 8 insertions(+), 4 deletions(-)	---
cs32176_dashboard_esc_titles \| (download)	wp-admin/includes/class-wp-comments-list-table.php \| 4 2 + 2 - 0 ! wp-admin/includes/dashboard.php \| 2 1 + 1 - 0 ! wp-admin/includes/template.php \| 2 1 + 1 - 0 ! wp-admin/js/nav-menu.js \| 6 3 + 3 - 0 ! 4 files changed, 7 insertions(+), 7 deletions(-)	---
cs32234_wpdb_query_sanity \| (download)	wp-includes/wp-db.php \| 21 20 + 1 - 0 ! 1 file changed, 20 insertions(+), 1 deletion(-)	---
cs32307_dbstring_length \| (download)	wp-includes/wp-db.php \| 114 114 + 0 - 0 ! 1 file changed, 114 insertions(+)	sanity check strings too long XSS bug if you send >64kB long comments
cs33529_xss_widget_title \| (download)	wp-includes/default-widgets.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	nav menus: consistent titles in widgets Prevent XSS attack in widget titles CVE-2015-5732
cs33542_post_lock_release \| (download)	wp-admin/includes/post.php \| 2 1 + 1 - 0 ! wp-admin/post.php \| 1 1 + 0 - 0 ! 2 files changed, 2 insertions(+), 1 deletion(-)	heartbeat: ensure post locks are released. Prevent an attacker from locking a post from being edited CVE-2015-5731
cs33555_ids_are_integers \| (download)	wp-includes/post.php \| 7 4 + 3 - 0 ! 1 file changed, 4 insertions(+), 3 deletions(-)	ids are integers Remove source of SQL Injection CVE-2015-2213
cs33359_reliable_shortcode \| (download)	wp-includes/class-wp-embed.php \| 6 5 + 1 - 0 ! wp-includes/formatting.php \| 71 71 + 0 - 0 ! wp-includes/kses.php \| 266 228 + 38 - 0 ! wp-includes/shortcodes.php \| 164 161 + 3 - 0 ! 4 files changed, 465 insertions(+), 42 deletions(-)	cve-2015-5622 improve reliability of shortcodes There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.
cs33549_xss_theme_view \| (download)	wp-includes/theme.php \| 24 3 + 21 - 0 ! 1 file changed, 3 insertions(+), 21 deletions(-)	themes: fix some broken links in the legacy theme preview CVE-2015-5734
cs34137_escape_email \| (download)	wp-admin/includes/class-wp-ms-users-list-table.php \| 2 1 + 1 - 0 ! wp-admin/includes/class-wp-users-list-table.php \| 2 1 + 1 - 0 ! 2 files changed, 2 insertions(+), 2 deletions(-)	escape email addresses
cs34144_shortcode_close_elements \| (download)	wp-includes/media.php \| 2 2 + 0 - 0 ! wp-includes/shortcodes.php \| 9 9 + 0 - 0 ! 2 files changed, 11 insertions(+)	don't allow unclosed html elements in attributes CVE-2015-5714
cs34151_unsticky_private_posts \| (download)	wp-includes/class-wp-xmlrpc-server.php \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	xmlrpc: don't allow private posts to be sticky. CVE-2015-5715
cs36185_xss_theme \| (download)	wp-includes/class-wp-theme.php \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	stop xss in theme title Backport of changeset 36185 Fixes CVE-2016-1564
cs36435_http_valid_ip \| (download)	wp-includes/http.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	http: 0.1.2.3 is not valid ip Check for IP address starting with 0.
cs36444_plug_valid_redirect \| (download)	wp-includes/pluggable.php \| 12 10 + 2 - 0 ! 1 file changed, 10 insertions(+), 2 deletions(-)	better validation of the url used in http redirects.