wordpress (2.0.10-1etch6) oldstable; urgency=low
* [1eba647] Fixed CVE-2009-3622: Strip commas and spaces from charset
in wp-trackback.php
-- Giuseppe Iuculano <iuculano@debian.org> Sun, 07 Feb 2010 12:50:52 +0100
wordpress (2.0.10-1etch5) oldstable-security; urgency=high
* [8c26085] Backported absint() function and fixed a regression in
CVE-2008-4769 patch. Thanks to Edward Bjarte Fjellskål.
-- Giuseppe Iuculano <giuseppe@iuculano.it> Mon, 24 Aug 2009 16:35:48 +0200
wordpress (2.0.10-1etch4) oldstable-security; urgency=high
* [2ef79dd] Removed 010CVE2008-0664.patch, it caused a regression and
wordpress 2.0.10 isn't affected by CVE-2008-0664. (Closes: #491846)
* [abbabe9] Fixed CVE-2008-1502 _bad_protocol_once function in KSES
allows remote attackers to conduct XSS attacks (Closes: #504243)
* [e8a73eb] Fixed CVE-2008-4106: Whitespaces in user name are now
checked during login. (Closes: #500115)
* [8a2e4f9] Fixed CVE-2008-4769: Sanitize "cat" query var and cast to
int before looking for a category template
* [711274f] Fixed CVE-2008-4796: missing input sanitising in embedded
copy of Snoopy.class.php (Closes: #504234)
* [17c72c0] Fixed CVE-2008-6762: Force redirect after an upgrade
(Closes: #531736)
* [88d8244] Fixed CVE-2008-6767: Only admin can upgrade wordpress.
(Closes: #531736)
* [d5c02a9] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
(Closes: #536724)
* [80e9dbd] Fixed CVE-2008-5113: Force REQUEST to be GET + POST. If
SERVER, COOKIE, or ENV are needed, use those superglobals directly.
(Closes: #504771)
* [7f577ca] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
* [f23d55f] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
that should only be included
-- Giuseppe Iuculano <giuseppe@iuculano.it> Sat, 15 Aug 2009 11:58:32 +0200
wordpress (2.0.10-1etch3) stable-security; urgency=high
* Added 009CVE2007-1599.patch to fix redirect issue through wp-login.php (CVE-2007-1599)
* Added 011CVE2008-0664.patch to fix remote post edit by unauthorized users issue
in xml-rpc (CVE-2007-0664)
-- Andrea De Iacovo <andrea.de.iacovo@gmail.com> Wed, 07 May 2008 01:03:30 +0200
wordpress (2.0.10-1etch2) stable-security; urgency=high
* 2.0.12 backport to fix some issues
* Added 002CVE2007-3639.patch to fix redirect issue through wp-pass.php (CVE-2007-3639)
* Added 003CVE2007-4153.patch to fix cross-site scripting (XSS)
vulnerabilities through options.php (CVE-2007-4153)
* Added 004CVE2007-4154 to fix SQL injection vulnerability in options.php (CVE-2007-4154)
* Added CVE2007-0540.patch to fix denial of service vulnerability
via pingback service calls (CVE-2007-0540)
* Added 008trac-4748.patch to fix unauthorized access issue via themes.php; attackers
could change themes and de/activate plugins without permission. (trac #4748)
-- Andrea De Iacovo <andrea.de.iacovo@gmail.com> Tue, 29 Apr 2008 10:57:36 +0200
wordpress (2.0.10-1etch1) stable-security; urgency=high
* Backported upstream security bug patches from 4691, 4690(CVE-2007-3238),
4322(CVE-2007-2821), 4748, 4819
* Closing multiple security vulnerabilities in wordpress-2.0.10-1 (XSS and
SQL injection) (Closes: #437840)
* Removed wp-db-backup.php to fix CVE-2008-0193 & CVE-2008-0194 on advice
from upstream
-- Kai Hendry <hendry@iki.fi> Sat, 09 Feb 2008 09:59:29 +0000
wordpress (2.0.10-1) stable-security; urgency=high
* Non-maintainer upload by the Security Team. Thanks to Kai Hendry
for preparing the update.
* New upstream security release
* http://wordpress.org/development/2007/04/wordpress-213-and-2010/
* http://trac.wordpress.org/milestone/2.0.10
* CVE-2007-1622, CVE-2007-1893, CVE-2007-1894, CVE-2007-1897
-- Noah Meyerhans <noahm@debian.org> Thu, 05 Apr 2007 14:33:12 +0100
wordpress (2.0.9-1) testing-security; urgency=high
* New upstream security release
* http://wordpress.org/development/2007/02/new-releases/
* http://trac.wordpress.org/milestone/2.0.9
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049
-- Kai Hendry <hendry@iki.fi> Wed, 21 Feb 2007 16:02:10 +0000
wordpress (2.0.8-1) testing-security; urgency=high
[Neil McGovern]
* Non-maintainer upload by security team.
* Fixes for CVE-2007-0539 and CVE-2007-0541
[Kai Hendry]
* New upstream release
* Security fix, urgency high for etch
* 2.0.x currently is the Wordpress *stable* branch
* CVE-2007-0262: wordpress: Full Path disclosure and disclosure of
Table Prefix Weakness (Closes: #407289)
-- Neil McGovern <neilm@debian.org> Fri, 9 Feb 2007 20:08:26 +0000
wordpress (2.0.7-1) unstable; urgency=low
* New upstream release
* New upstream available (security fix) (Closes: #407116)
* Thanks to Fabio Tranchitella and Moritz Muehlenhoff for their support
* Improved the copyright at Moritz's request
* Moritz says the security fix does not apply to Debian's PHP hence low
urgency
* See http://wordpress.org/development/2007/01/wordpress-207/ for details of
minor changes
* Tweaked the dependency line for better php5 support
* setup-mysql -h minor usage summary error + should be executable
(Closes: #407496)
-- Kai Hendry <hendry@iki.fi> Fri, 19 Jan 2007 10:35:57 +0000
wordpress (2.0.6-1) unstable; urgency=high
* New upstream release
* Security fix, urgency high.
* FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
Function Client-Side Cross Site Scripting Vulnerability.
(Closes: #405299, #405691)
-- Kai Hendry <hendry@iki.fi> Fri, 5 Jan 2007 14:04:56 +0000
wordpress (2.0.5-0.1) unstable; urgency=medium
* NMU on maintainer's request.
* Security fix, urgency medium.
* readme.html: s/license.txt/copyright/. (Closes: #382283)
* New upstream release, which fixes:
- CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
plugin for WordPress. (Closes: #384800)
-- Fabio Tranchitella <kobold@debian.org> Fri, 3 Nov 2006 15:12:06 +0100
wordpress (2.0.4-2) unstable; urgency=low
* examples/setup-mysql doesn't work with dash (Closes: #372128)
* installs apache AND apache2 by default (Closes: #379118)
Many thanks to Fabio Tranchitella and Jesus Climent
* "Publish" produces broken links (Closes: #367001)
Disabled "Rich editor" by default
-- Kai Hendry <hendry@iki.fi> Sun, 6 Aug 2006 12:39:56 +0100
wordpress (2.0.4-1) unstable; urgency=high
* New upstream release
* examples/setup-mysql doesn't work with dash (Closes: #372128)
-- Kai Hendry <hendry@iki.fi> Sun, 6 Aug 2006 11:59:39 +0100
wordpress (2.0.3-1) unstable; urgency=high
* New upstream release
* 'Cache' shell injection vulnerability (Closes: #369014)
-- Kai Hendry <hendry@iki.fi> Fri, 2 Jun 2006 21:00:51 +0900
wordpress (2.0.2-2) unstable; urgency=high
* setup-mysql fails if the domain contains a port number (Closes:
#362171)
* Insecure file permissions in /etc/wordpress (Closes: #363580)
* Added a postinst to help users correct permissions
-- Kai Hendry <hendry@iki.fi> Thu, 20 Apr 2006 10:12:56 +0900
wordpress (2.0.2-1) unstable; urgency=high
* New upstream release
* 'This would have been out sooner, if I wasn't in hospital' release ;)
* Changed blogroll link to Planet Debian
* Altered 'plugin policy', it's now DIY
* mysql syntax error when running setup-mysql script (Closes: #355958)
* Several vulnerabilities discovered by 'snake oil' Neo Security Team
(Closes: #355055)
http://somethingunpredictable.com/archives/01/03/2006/wordpress-vulnerabilities-bogus/
* http://wordpress.org/development/2006/03/security-202/
-- Kai Hendry <hendry@iki.fi> Mon, 13 Mar 2006 12:44:44 +0900
wordpress (2.0.1-1) unstable; urgency=low
* New upstream release
* CSS Security Vulnerability (Closes: #328909)
* Please announce that upgrade.php needs to be run after update
(Closes: #348458)
-- Kai Hendry <hendry@iki.fi> Thu, 2 Feb 2006 11:22:31 +0900
wordpress (2.0-1) unstable; urgency=low
* New upstream release
* Closes: #320462: Wordpress replaces valid characters in urls with
HTML entities, breaking the URL
* Closes: #326685: Incorrectly mangles URLs using the wptexturize
function
* Closes: #347339: Wordpress version 2 is available
* Closes: #345508: Should have a dependency on the php5-gd package
-- Kai Hendry <hendry@iki.fi> Fri, 13 Jan 2006 03:58:59 +0000
wordpress (1.5.2-2) unstable; urgency=low
* Now with support for PHP5
* Requires mysql-server when the server can actually be on a remote
server (Closes: #328554)
-- Kai Hendry <hendry@iki.fi> Thu, 22 Sep 2005 13:56:50 +1000
wordpress (1.5.2-1) unstable; urgency=high
* New upstream "security fix" release
* Closes: #323040: CAN-2005-2612
* See: http://wordpress.org/development/2005/08/one-five-two/
-- Kai Hendry <hendry@iki.fi> Fri, 19 Aug 2005 10:58:17 +1000
wordpress (1.5.1.3-4) unstable; urgency=medium
* 'I really should have tested this on another machine' release
* Closes: #319007: dbconfig dep screws upgrade
-- Kai Hendry <hendry@iki.fi> Tue, 19 Jul 2005 20:03:10 +1000
wordpress (1.5.1.3-3) unstable; urgency=low
* Improved the setup-mysql script for Wordpress MASS hosting with Apache's
VirtualDocumentRoot
-- Kai Hendry <hendry@iki.fi> Fri, 15 Jul 2005 10:50:59 +1000
wordpress (1.5.1.3-2) unstable; urgency=high
* The no XML-RPC vulnerabilities here release. ;)
* Strongly advised to upgrade due to inconsistencies between 1.5.1.3-1 orig
tar.gz and the upstream 1.5.1.3 latest.tar.gz after checking.
* Closes: #312721: wordpress does not see mysql
* Changed upstream's default links. Controversial?
-- Kai Hendry <hendry@iki.fi> Fri, 8 Jul 2005 12:11:23 +1000
wordpress (1.5.1.3-1) unstable; urgency=high
* New upstream release
* Yet another security release:
http://wordpress.org/development/2005/06/wordpress-1513
-- Kai Hendry <hendry@iki.fi> Thu, 30 Jun 2005 15:25:27 +1000
wordpress (1.5.1.2-1) unstable; urgency=high
* New upstream release
* Another security release:
http://wordpress.org/development/2005/05/security-update/
-- Kai Hendry <hendry@iki.fi> Sun, 29 May 2005 00:52:39 +1000
wordpress (1.5.1-1) unstable; urgency=high
* Upstream changelog is here:
http://codex.wordpress.org/Changelog/1.5.1
* Fixes an unannounced "important security fix"
-- <hendry@cs.helsinki.fi> Tue, 10 May 2005 01:48:34 +0100
wordpress (1.5.0-2) unstable; urgency=low
* Thanks to NOKUBI Takatsugu and the Debian Japan people for making this
release possible
* Moved mysql setup out of postinst allowing multiple blogs on the host at
the loss of automated mysql setup.
* Closes: #298563: incompatible with mysql-server-4.1
* Closes: #298571: multiple installation support
* Closes: #300200: multiple installation support
* Closes: #300757: How would one add plugins to wordpress ?
-- Kai Hendry <hendry@cs.helsinki.fi> Sat, 23 Apr 2005 15:17:45 +0900
wordpress (1.5.0-1) unstable; urgency=high
* Closes: #275814: New version fixes security flaws
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1559
* Closes: #288613: /usr/share/wordpress/readme.html missing
* Closes: #287086: new upstream 1.2.2
* Added some NEWS that users will find helpful in the upgrade
-- Kai Hendry <hendry@cs.helsinki.fi> Fri, 25 Feb 2005 07:11:47 +0200
wordpress (1.2.2-1.1) unstable; urgency=medium
* NMU
* Thank you Dominic Hargreaves and svn-upgrade
-- Kai Hendry <hendry@cs.helsinki.fi> Sat, 18 Dec 2004 09:32:14 +0200
wordpress (1.2.1-1.1) unstable; urgency=medium
* NMU
* Closes: #275814: New upstream release that fixes security problem
detailed: http://secunia.com/advisories/12773/
* Closes: #276112: Need more complete README.Debian for new users
Added some detail to README.Debian
* Escaped a mysql line in the postrm that might avoid a bug.
-- Kai Hendry <hendry@cs.helsinki.fi> Sat, 27 Nov 2004 16:48:32 +0200
wordpress (1.2.0-1.1) unstable; urgency=low
* NMU
* Closes: #250812: New upstream
* Closes: #251653: apache2 support
* Closes: #255121: conffiles not marked
* Revised dependency on mysql-server otherwise debian-sys-maint will never work
* Thanks to Teemu Hukkanen, Corey Wright, Christian Hammers and Matt Mullenweg
-- Kai Hendry <hendry@cs.helsinki.fi> Thu, 12 Aug 2004 21:50:04 +0300
wordpress (1.0.2-1) unstable; urgency=low
* New upstream release
* New package description (Closes: #237137)
* Made a plain text version of readme.html
-- Gabriel Rodríguez Alberich <chewie@the-geek.org> Sun, 21 Mar 2004 18:25:20 +0000
wordpress (1.0.1-1) unstable; urgency=low
* Initial release (Closes: #230034)
-- Gabriel Rodríguez Alberich <chewie@the-geek.org> Thu, 26 Feb 2004 19:37:33 +0000