wp-includes/js/dist/blocks.js | 1 0 + 1 - 0 !
wp-includes/js/dist/blocks.min.js | 4 2 + 2 - 0 !
2 files changed, 2 insertions(+), 3 deletions(-)

 remove remote emojis
 Delete emojis that make remote http/https calls to websites.

wp-includes/class-wp-http.php | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 use system ca file
 Instead of the shipped CA file use the system one found in the
 Debian ca-certificates package.
Bug-Debian: http://bugs.debian.org/748965

readme.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 provide url for gpl-2+ license in readme

wp-admin/install.php | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 patching install.php to permit a valid upload path

wp-activate.php | 10 8 + 2 - 0 !
wp-admin/user-new.php | 4 2 + 2 - 0 !
wp-includes/ms-default-filters.php | 4 2 + 2 - 0 !
wp-includes/ms-functions.php | 93 77 + 16 - 0 !
4 files changed, 89 insertions(+), 22 deletions(-)

 use hash for user activation key
 Removes cleartext of the user activation key
 CVE-2017-14990

wp-includes/js/tw-sack.js | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---

wp-admin/includes/class-wp-site-health-auto-updates.php | 34 24 + 10 - 0 !
1 file changed, 24 insertions(+), 10 deletions(-)

 disable auto update site checks
 If this WordPress package is installed then you cannot use the standard WordPress
core auto-update system so any warnings about it need to be removed.
Files should not be writable by the webserver user so reverse that check too.
Added a note that updates are done by the Debian package system.