Package: wordpress / 4.1+dfsg-1+deb8u17

Metadata

Package    Version             Patches format
wordpress  4.1+dfsg-1+deb8u17  3.0 (quilt)

Patch series

Patch File delta Description
ca certificate | (download)

wp-includes/class-http.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use system ca file
 Instead of the shipped CA file use the system one found in the
 Debian ca-certificates package.
Bug-Debian: http://bugs.debian.org/748965

001readme.patch | (download)

readme.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fixing readme file

003installer.patch | (download)

wp-admin/install.php | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 patching install.php to permit a valid upload path

010disabling_update_note.patch | (download)

wp-admin/includes/update.php | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 disabled the "please update" warning, thanks to hans spaans and rolf leggewie (closes: #506685)

mu.patch | (download)

wp-admin/network.php | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

---
cs32163_query_sanity_checks | (download)

wp-includes/wp-db.php | 788 739 + 49 - 0 !
1 file changed, 739 insertions(+), 49 deletions(-)

---
cs32165_sanitize_orderby | (download)

wp-includes/formatting.php | 22 12 + 10 - 0 !
1 file changed, 12 insertions(+), 10 deletions(-)

---
cs32172_filename_check | (download)

wp-includes/functions.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
cs32174_multisite_switch | (download)

wp-includes/capabilities.php | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

---
cs32176_dashboard_esc_titles | (download)

wp-admin/includes/class-wp-comments-list-table.php | 4 2 + 2 - 0 !
wp-admin/includes/dashboard.php | 2 1 + 1 - 0 !
wp-admin/includes/template.php | 2 1 + 1 - 0 !
wp-admin/js/nav-menu.js | 6 3 + 3 - 0 !
4 files changed, 7 insertions(+), 7 deletions(-)

---
cs32234_wpdb_query_sanity | (download)

wp-includes/wp-db.php | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

---
cs32307_dbstring_length | (download)

wp-includes/wp-db.php | 114 114 + 0 - 0 !
1 file changed, 114 insertions(+)

 sanity check strings too long
 XSS bug if you send >64kB long comments
cs32387_mysql_char_encode | (download)

wp-admin/includes/upgrade.php | 53 53 + 0 - 0 !
wp-includes/compat.php | 146 132 + 14 - 0 !
wp-includes/version.php | 2 1 + 1 - 0 !
wp-includes/wp-db.php | 145 89 + 56 - 0 !
4 files changed, 275 insertions(+), 71 deletions(-)

 cve-2015-8834 xss via comment
 WPDB: When checking that a string can be sent to MySQL, we shouldn't use
cs32393_rm_genericons_example | (download)

wp-content/themes/twentyfifteen/genericons/example.html | 719 0 + 719 - 0 !
wp-content/themes/twentyfourteen/genericons/example.html | 464 0 + 464 - 0 !
wp-content/themes/twentythirteen/genericons/example.html | 464 0 + 464 - 0 !
3 files changed, 1647 deletions(-)

 remove genericons example files
 These example files had a XSS and are not used
cs33357_autodraft_perms | (download)

wp-admin/includes/dashboard.php | 4 4 + 0 - 0 !
wp-admin/post.php | 5 3 + 2 - 0 !
wp-includes/capabilities.php | 4 3 + 1 - 0 !
3 files changed, 10 insertions(+), 3 deletions(-)

 cve-2015-5623 check perms on auto-draft
 Capabilities: When creating an auto-draft, ensure that the current user
 still has permission to do so.
cs33359_reliable_shortcode | (download)

wp-includes/class-wp-embed.php | 6 5 + 1 - 0 !
wp-includes/formatting.php | 71 71 + 0 - 0 !
wp-includes/kses.php | 266 228 + 38 - 0 !
wp-includes/shortcodes.php | 164 161 + 3 - 0 !
4 files changed, 465 insertions(+), 42 deletions(-)

 cve-2015-5622 improve reliability of shortcodes
 There are no shortcode input escaping functions available in core even 
 though the Shortcode API is increasingly strict about not allowing 
 special characters inside shortcode attributes.
cs33555_ids_are_integers | (download)

wp-includes/post.php | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 ids are integers
 Remove source of SQL Injection CVE-2015-2213
cs33535_hash_equals_widgets | (download)

wp-includes/class-wp-customize-widgets.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use hash_equals() for widgets
 Fixes a potential timing side-channel attack
 CVE-2015-5730
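
The point of this patch, as an added example that is not code from the Debian package or from WordPress core: a string comparison with === stops at the first differing byte, so the time it takes leaks how much of a secret (nonce, token, HMAC) the attacker has already guessed correctly. hash_equals() walks the whole string regardless. The function names are illustrative, the polyfill follows the usual XOR-accumulate pattern for PHP releases without a built-in hash_equals(), and the nonce values are constructed for the demo.

```php
<?php
// Added example, not WordPress code. Shows the short-circuiting comparison
// the patch replaces and a constant-time alternative of the hash_equals() kind.

// Vulnerable: === on strings returns as soon as a byte differs, so a mismatch
// at byte 0 returns faster than a mismatch at byte 31.
function verify_token_weak($expected, $supplied) {
    return $expected === $supplied;
}

// Hardened: prefer the built-in hash_equals() (PHP >= 5.6); otherwise compare
// lengths first, then XOR every byte and OR the results together so the loop
// always runs over the full string whatever the position of the mismatch.
function verify_token_ct($expected, $supplied) {
    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $supplied);
    }
    $len = strlen($expected);
    if ($len !== strlen($supplied)) {
        return false;             // length is not secret; it is fine to return early here
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($expected[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

// Crude timing harness: same inputs, many iterations, wall-clock difference.
function time_compare($fn, $expected, $supplied, $iterations = 200000) {
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn($expected, $supplied);
    }
    return microtime(true) - $start;
}

$token = str_repeat('a', 32);          // constructed "correct" value
$early = 'z' . str_repeat('a', 31);    // differs at byte 0
$late  = str_repeat('a', 31) . 'z';    // differs at byte 31

// Correctness first: both functions accept the right token and reject both bad ones.
foreach (array('verify_token_weak', 'verify_token_ct') as $fn) {
    printf("%-18s ok=%s early=%s late=%s\n", $fn,
        var_export($fn($token, $token), true),
        var_export($fn($token, $early), true),
        var_export($fn($token, $late), true));
}
// Then timing: the weak version should finish the "early" run faster than the
// "late" run; the constant-time version should take about the same for both.
foreach (array('verify_token_weak', 'verify_token_ct') as $fn) {
    printf("%-18s early=%.4fs late=%.4fs\n", $fn,
        time_compare($fn, $token, $early), time_compare($fn, $token, $late));
}
```

On 32-byte strings the === difference is a few nanoseconds per call and can disappear into scheduler noise on a single run; the harness is there to make the two code paths visible, not to serve as a measurement. The thing to take from the patch is the code path, which is why the fix is a one-line swap to hash_equals() wherever a secret is compared against user input.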
cs33542_post_lock_release | (download)

wp-admin/includes/post.php | 2 1 + 1 - 0 !
wp-admin/post.php | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 heartbeat: ensure post locks are released.
 Prevent an attacker from locking a post from being edited
 CVE-2015-5731
cs33529_xss_widget_title | (download)

wp-includes/default-widgets.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 nav menus: consistent titles in widgets
 Prevent XSS attack in widget titles
 CVE-2015-5732
cs_33549_xss_theme_view | (download)

wp-includes/theme.php | 25 2 + 23 - 0 !
1 file changed, 2 insertions(+), 23 deletions(-)

 themes: fix some broken links in the legacy theme preview
 CVE-2015-5734
cs34137_escape_email | (download)

wp-admin/includes/class-wp-ms-users-list-table.php | 2 1 + 1 - 0 !
wp-admin/includes/class-wp-users-list-table.php | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 escape email addresses
cs34144_shortcode_close_elements | (download)

wp-includes/media.php | 2 2 + 0 - 0 !
wp-includes/shortcodes.php | 9 9 + 0 - 0 !
2 files changed, 11 insertions(+)

 don't allow unclosed html elements in attributes
 CVE-2015-5714
cs34151_unsticky_private_posts | (download)

wp-includes/class-wp-xmlrpc-server.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 xmlrpc: don't allow private posts to be sticky.
 CVE-2015-5715
cs36185_xss_theme | (download)

wp-includes/class-wp-theme.php | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 stop xss in theme title
 Backport of changeset 36185
 Fixes CVE-2016-1564
cs36435_http_valid_ip | (download)

wp-includes/http.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 http: 0.1.2.3 is not valid ip
 Check for IP address starting with 0.
cs36444_plug_valid_redirect | (download)

wp-includes/pluggable.php | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 better validation of the url used in http redirects.
cs37762_admin_auth_redirect | (download)

wp-includes/pluggable.php | 20 8 + 12 - 0 !
1 file changed, 8 insertions(+), 12 deletions(-)

 admin: allow for the consistent filtering of auth_redirect_scheme
cs37773_customize_preview_urls | (download)

wp-admin/customize.php | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 customize: make sure that preview and return urls are urls.
cs37781_taxonomy_cap_check_save | (download)

wp-admin/includes/post.php | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 taxonomy: more specific cap check when processing category data on post save.
cs37790_admin_escape_attach | (download)

wp-includes/post-template.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 admin: escape attachment name in case it contains special characters
cs37800_cap_edit_post | (download)

wp-admin/includes/ajax-actions.php | 2 1 + 1 - 0 !
wp-admin/revision.php | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 revisions: change the capability needed to view revision diffs to edit_post.
cs37815_escape_url_permalinks | (download)

wp-admin/includes/post.php | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 admin: escape url-encoded permalinks
cs37818_media_extensionless_filenames | (download)

wp-includes/formatting.php | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 media: improve handling of extensionless filenames.
cs38538_sanitize_media_filename | (download)

wp-admin/includes/media.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 sanitize title of uploaded filename
 Convert uploaded filename to title, but sanitize it
 Fixes CVE-2016-7168
cs38524_uploader_upgrader | (download)

wp-admin/includes/class-wp-upgrader.php | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 upgrade/install: sanitize file name in file_upload_upgrader
CVE 2016 4029.patch | (download)

wp-includes/http.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2016-4029

WordPress before 4.5 does not consider octal and hexadecimal IP address formats
when determining an intranet address, which allows remote attackers to bypass
an intended SSRF protection mechanism via a crafted address.

https://codex.wordpress.org/Version_4.5
See also https://wpvulndb.com/vulnerabilities/8473
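
The bypass described above, as an added example that is not code from WordPress or from the Debian patch: a check that only recognises an IPv4 literal as "1 to 3 digits, four times" and then reads the octets with intval() sees "012.0.0.1" as 12.0.0.1, while libc inet_aton() and the HTTP clients built on it read a leading 0 as octal and a leading 0x as hex, so the connection actually goes to 10.0.0.1. The function names are illustrative, the canonicaliser below re-implements the inet_aton() octet rules in PHP so the example runs offline, and the resolver fallback is stubbed out (assumption: real code would call gethostbyname() there).

```php
<?php
// Added example, not WordPress code. Weak vs strict classification of a host
// as an intranet address, with an inet_aton()-style canonicaliser in between.

// Weak: the digits-and-dots regex accepts leading zeros and octets > 255, and
// intval() ignores the octal meaning of a leading 0. Returns null when the
// host is not treated as a literal at all (the caller would resolve it).
function is_intranet_weak($host) {
    if (!preg_match('#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host)) {
        return null;
    }
    return is_private_octets(array_map('intval', explode('.', $host)));
}

// Parse four dotted octets the way inet_aton() does: 0x.. is hex, 0.. is
// octal, otherwise decimal. Returns four integers, or null if any part is not
// a valid octet in one of those spellings. (Shorter forms such as "127.1" are
// also accepted by inet_aton() but are out of scope for this demo.)
function inet_aton_octets($host) {
    $parts = explode('.', $host);
    if (count($parts) !== 4) {
        return null;
    }
    $out = array();
    foreach ($parts as $part) {
        if (preg_match('/^0[xX]([0-9a-fA-F]+)$/', $part, $m)) {
            $v = hexdec($m[1]);
        } elseif (preg_match('/^0([0-7]+)$/', $part, $m)) {
            $v = octdec($m[1]);
        } elseif (preg_match('/^(0|[1-9]\d*)$/', $part)) {
            $v = (int) $part;
        } else {
            return null;
        }
        if ($v > 255) {
            return null;
        }
        $out[] = $v;
    }
    return $out;
}

// Strict: only the canonical dotted-decimal spelling (no leading zeros, each
// octet 0-255) is taken at face value. Anything else is canonicalised first;
// if that fails it is not an IP literal and would go to DNS (null here).
function is_intranet_strict($host) {
    $octet = '([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])';
    if (preg_match('#^(' . $octet . '\.){3}' . $octet . '$#', $host)) {
        $p = array_map('intval', explode('.', $host));
    } else {
        $p = inet_aton_octets($host);   // stands in for gethostbyname() on these spellings
        if ($p === null) {
            return null;
        }
    }
    return is_private_octets($p);
}

// Loopback, RFC 1918 and 0.0.0.0/8 ranges, as the patched code classifies them.
function is_private_octets(array $p) {
    return 127 === $p[0] || 10 === $p[0] || 0 === $p[0]
        || (172 === $p[0] && $p[1] >= 16 && $p[1] <= 31)
        || (192 === $p[0] && 168 === $p[1]);
}

// Constructed vectors: octal and hex spellings of loopback/private hosts, an
// invalid octet the weak regex still accepts, and two plain addresses.
$vectors = array('012.0.0.1', '0x7f.0.0.1', '0177.0.0.1', '0300.0250.0.1',
                 '256.1.1.1', '127.0.0.1', '8.8.8.8');
foreach ($vectors as $h) {
    $octets = inet_aton_octets($h);
    $weak   = is_intranet_weak($h);
    $strict = is_intranet_strict($h);
    printf("%-14s inet_aton=%-12s weak=%-14s strict=%s\n", $h,
        $octets === null ? 'invalid' : implode('.', $octets),
        $weak === null ? 'not-a-literal' : ($weak ? 'blocked' : 'ALLOWED'),
        $strict === null ? 'to-resolver' : ($strict ? 'blocked' : 'allowed'));
}
```

The line to look at is "012.0.0.1": the weak check matches it as a literal, reads 12.0.0.1 and allows it, yet the socket connects to 10.0.0.1. The hex and four-digit-octal spellings fall off the weak regex and reach the resolver instead; whether gethostbyname() on the platform turns them back into 127.0.0.1 is implementation-dependent, which is exactly why the strict version refuses to take any non-canonical spelling at face value.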

CVE 2016 6634.patch | (download)

wp-admin/network/settings.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2016-6634

Cross-site scripting (XSS) vulnerability in the network settings page in
WordPress before 4.5 allows remote attackers to inject arbitrary web script or
HTML via unspecified vectors.

https://wpvulndb.com/vulnerabilities/8474
CVE 2016 6635.patch | (download)

wp-admin/includes/ajax-actions.php | 2 2 + 0 - 0 !
wp-admin/includes/template.php | 3 2 + 1 - 0 !
wp-includes/compat.php | 18 18 + 0 - 0 !
wp-includes/functions.php | 72 64 + 8 - 0 !
4 files changed, 86 insertions(+), 9 deletions(-)

 cve-2016-6635

Cross-site request forgery (CSRF) vulnerability in the
wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in
WordPress before 4.5 allows remote attackers to hijack the authentication of
administrators for requests that change the script compression option.

Function wp_json_encode did not exist in 3.6.1. This required a backport of
related functions.

cs39795_wprand_multisite_key | (download)

wp-includes/ms-functions.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 multisite: use `wp_rand()` in signup key creation.
cs39760_nonce_widget | (download)

wp-admin/includes/screen.php | 3 2 + 1 - 0 !
wp-admin/widgets.php | 2 2 + 0 - 0 !
2 files changed, 4 insertions(+), 1 deletion(-)

 add nonce for widget accessibility mode.
cs39772_example_mail | (download)

wp-mail.php | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 mail: disable wp-mail.php when `mailserver_url` is mail.example.com.
cs39807_theme_name_fallback | (download)

wp-includes/class-wp-theme.php | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 themes: fix markup for theme name fallbacks.
cs39808_translate_plugin_update | (download)

wp-admin/update-core.php | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 updates: translate plugin data on the updates screen.
cs39728_39790_phpmailer_5.2.22 | (download)

wp-includes/class-phpmailer.php | 2251 1513 + 738 - 0 !
1 file changed, 1513 insertions(+), 738 deletions(-)

 upgrade phpmailer to 5.2.22
 Fixes some RCE vulnerabilities CVE-2016-10033 and CVE-2016-10045
 Needed changeset 39728 and 39790
cs39838_image_type_check | (download)

wp-includes/functions.php | 61 53 + 8 - 0 !
1 file changed, 53 insertions(+), 8 deletions(-)

 media: improve image filetype checking
 This adds a new function wp_get_image_mime() which is used by
 wp_check_filetype_and_ext() to validate image files using exif_imagetype()
 if available instead of getimagesize().
 getimagesize() is less performant than exif_imagetype() and is
 dependent on GD. If exif_imagetype() is not available, it falls back to
 getimagesize() as before.
 If wp_check_filetype_and_ext() can't validate the filetype, we now return
 false for ext/MIME values.
 Includes the small fix in changeset 39857 too
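
The validation the changeset describes, as an added example rather than the WordPress implementation: detect the image type from the file's bytes (exif_imagetype() when the extension is loaded, getimagesize() otherwise), then reconcile that with the extension the client chose and refuse anything that cannot be reconciled. Function names are illustrative; the three sample files are constructed inline (a minimal GIF, a PNG with only signature and IHDR, and a PHP script named like an image) and written to temporary files so the example runs on its own.

```php
<?php
// Added example, not WordPress code. Content-based image type detection with
// an extension cross-check; returns array(false, false) when validation fails.

// Detect the image type from the magic bytes. exif_imagetype() only reads the
// header; getimagesize() needs GD and decodes more of the file, so it is the
// fallback. Only GIF, JPEG and PNG are accepted here (assumption for the demo).
function detect_image_mime($path) {
    $type = false;
    if (function_exists('exif_imagetype')) {
        $type = @exif_imagetype($path);
    } else {
        $info = @getimagesize($path);
        if (is_array($info) && isset($info[2])) {
            $type = $info[2];
        }
    }
    $allowed = array(
        IMAGETYPE_GIF  => 'image/gif',
        IMAGETYPE_JPEG => 'image/jpeg',
        IMAGETYPE_PNG  => 'image/png',
    );
    return ($type !== false && isset($allowed[$type])) ? $allowed[$type] : false;
}

// Decide what the upload really is. The client-supplied name only tells us
// which extension to *validate*; the bytes decide the type. If the bytes are
// a real image but the extension disagrees, the extension is corrected to the
// one matching the content rather than trusted.
function check_image_upload($path, $client_name) {
    $ext_to_mime = array(
        'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    );
    $ext  = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    $mime = detect_image_mime($path);
    if ($mime === false) {
        return array(false, false);            // not a supported image: reject
    }
    if (isset($ext_to_mime[$ext]) && $ext_to_mime[$ext] === $mime) {
        return array($ext, $mime);             // extension agrees with content
    }
    $real_ext = array_search($mime, $ext_to_mime, true);
    return array($real_ext, $mime);            // e.g. "logo.jpg" holding PNG bytes -> png
}

// Constructed samples (headers only; enough for the magic-byte check).
$png_ihdr = "\x00\x00\x00\x0dIHDR" . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00" . "\x1f\x15\xc4\x89";
$samples = array(
    'cat.gif'   => "GIF89a\x01\x00\x01\x00\x00\xff\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;",
    'logo.jpg'  => "\x89PNG\r\n\x1a\n" . $png_ihdr,
    'shell.png' => "<?php system(\$_GET['c']); ?>",
);
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($tmp, $bytes);
    list($ext, $mime) = check_image_upload($tmp, $name);
    printf("%-10s -> ext=%s mime=%s\n", $name, var_export($ext, true), var_export($mime, true));
    unlink($tmp);
}
```

Expected classification: cat.gif is accepted as gif/image/gif, logo.jpg is re-labelled png/image/png because the bytes are PNG, and shell.png comes back false/false because no image signature is present, which is the case the changeset closes by returning false for both ext and MIME instead of trusting the name.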
cs39976_press_this | (download)

wp-admin/press-this.php | 143 83 + 60 - 0 !
1 file changed, 83 insertions(+), 60 deletions(-)

 fix permission problem in press this
 Press This: Do not show Categories & Tags UI for users who cannot assign
 terms to posts anyways.
cs39962_sqli_special_names | (download)

wp-includes/query.php | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 query: remove sqli with special chars
 Query: Ensure that queries work correctly with post type names with
 special characters.
 Merge of [39952] to the 4.1 branch.
cs39985_excerpt_table | (download)

wp-admin/includes/class-wp-posts-list-table.php | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 cross-site scripting (xss) in posts list table
 Posts, Post Types: When using Excerpt mode on the Posts list table, ensure
 the excerpt output matches what was manually entered into the Excerpt field.
 Merges changeset 39956 to the 4.1 branch.
cs40155_media_metadata | (download)

wp-admin/includes/media.php | 4 4 + 0 - 0 !
wp-includes/formatting.php | 28 28 + 0 - 0 !
wp-includes/kses.php | 15 15 + 0 - 0 !
3 files changed, 47 insertions(+)

 validate video and audio metadata
cs40190_redirect | (download)

wp-includes/pluggable.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 strip control characters before validating redirect
cs40167_youtube_id | (download)

wp-includes/media.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 embeds: url encode youtube video ids for broader compatibility
cs40176_plugin_delete | (download)

wp-admin/plugins.php | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 plugin: add file check to plugin deletions
cs40699_post_meta_checks | (download)

wp-includes/class-wp-xmlrpc-server.php | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 adjust post meta checks
 Fixes CVE-2017-9062
 Improper handling of post meta data values in the XML-RPC API.
cs40684_whilelist_post_args_xmlrpc | (download)

wp-includes/class-wp-xmlrpc-server.php | 30 24 + 6 - 0 !
1 file changed, 24 insertions(+), 6 deletions(-)

 whitelist post arguments in xml-rpc
 Fixes CVE-2017-9065 - Lack of capability checks for post meta data 
 in the XML-RPC API.
cs40730_nonce_filesystem_creds | (download)

wp-admin/includes/file.php | 37 27 + 10 - 0 !
1 file changed, 27 insertions(+), 10 deletions(-)

 add nonce for updating file system credentials.
 Fixes CVE-2017-9064 - A Cross Site Request Forgery (CSRF) vulnerability
 was discovered in the filesystem credentials dialog.
cs40743_media_simply_upload_error | (download)

wp-includes/js/plupload/handlers.js | 23 16 + 7 - 0 !
1 file changed, 16 insertions(+), 7 deletions(-)

 media: simplify upload error message construction.
 Fixes CVE-2017-9061 XSS when attempting to upload very large files
cs40711_invalid_customization | (download)

wp-admin/customize.php | 2 1 + 1 - 0 !
wp-admin/js/customize-controls.js | 10 10 + 0 - 0 !
wp-includes/class-wp-customize-manager.php | 18 18 + 0 - 0 !
3 files changed, 29 insertions(+), 1 deletion(-)

 customize: ignore invalid customization sessions.
 Fixes CVE-2017-9063 - A cross-site scripting (XSS) vulnerability
 was discovered related to the Customizer.
CVE 2017 8295 | (download)

wp-includes/pluggable.php | 9 3 + 6 - 0 !
1 file changed, 3 insertions(+), 6 deletions(-)

 don't use server_name for emails
 WordPress uses the SERVER_NAME variable to generate the from address for
 password resets. This variable can be set by the hostname sent by the
 client, which means it can be spoofed.

 This patch fixes CVE-2017-8295