-
wordpress (6.3.1+dfsg1-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Tue, 12 Sep 2023 19:36:08 +1000
-
wordpress (6.3+dfsg1-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Thu, 10 Aug 2023 20:53:28 +1000
-
wordpress (6.2.2+dfsg1-1) unstable; urgency=medium
* New upstream security release Closes: #1036689
- Block themes parsing shortcodes in user-generated data
-- Craig Small <email address hidden> Thu, 25 May 2023 20:41:51 +1000
-
wordpress (6.2.1+dfsg1-1) unstable; urgency=high
* New upstream security release Closes: #1036296
- CVE-2023-2745 - Directory traversal in wp_lang
-- Craig Small <email address hidden> Fri, 19 May 2023 07:40:55 +1000
-
wordpress (6.2+dfsg1-1) unstable; urgency=medium
* New upstream release
* Removed ancient (10+ years) news entries
-- Craig Small <email address hidden> Tue, 11 Apr 2023 22:40:41 +1000
-
wordpress (6.1.1+dfsg1-1) unstable; urgency=medium
* New upstream maintenance release
-- Craig Small <email address hidden> Fri, 09 Dec 2022 21:49:35 +1100
-
wordpress (6.1+dfsg1-1) unstable; urgency=medium
* New upstream release
* Removed TwentyTwenty theme
* Added TwentyTwentyThree theme and made it recommended
-- Craig Small <email address hidden> Sat, 12 Nov 2022 18:01:07 +1100
-
wordpress (6.0.3+dfsg1-1) unstable; urgency=high
* New security release Closes: #1022575
- Stored XSS via wp-mail.php (post by email)
- Open redirect in `wp_nonce_ays`
- Sender’s email address is exposed in wp-mail.php
- Media Library – Reflected XSS via SQLi
- CSRF in wp-trackback.php
- Stored XSS via the Customizer
- Revert shared user instances introduced in 50790
- Stored XSS in WordPress Core via Comment Editing
- Data exposure via the REST Terms/Tags Endpoint
- Content from multipart emails leaked
- SQL Injection due to improper sanitization in `WP_Date_Query`
- RSS Widget: Stored XSS issue
- Stored XSS in the search block
- Feature Image Block: XSS issue
- RSS Block: Stored XSS issue
- Fix widget block XSS
-- Craig Small <email address hidden> Mon, 24 Oct 2022 21:10:11 +1100
-
wordpress (6.0.2+dfsg1-1) unstable; urgency=medium
* New security release Closes: #1018863
- Possible link SQL injection within the Link API
- XSS in Plugins screen
- Output escaping issue within the_meta()
-- Craig Small <email address hidden> Thu, 01 Sep 2022 18:41:07 +1000
-
wordpress (6.0+dfsg1-1) unstable; urgency=medium
* New upstream release
* Added more suggestions for php modules
* Update standards version to 4.6.1, no changes needed.
* Allow WordPress config file to be defined Closes: #834842
-- Craig Small <email address hidden> Thu, 02 Jun 2022 16:37:59 +1000
-
wordpress (5.9.2+dfsg1-2) unstable; urgency=high
* Fix emoji patch Closes: #1008976
-- Craig Small <email address hidden> Wed, 06 Apr 2022 17:20:47 +1000
-
wordpress (5.9.2+dfsg1-1) unstable; urgency=medium
* New security release Closes: #1007005, #1007145
* Themes: 2019 removed, 2022 added
-- Craig Small <email address hidden> Sat, 12 Mar 2022 14:31:34 +1100
-
wordpress (5.8.3+dfsg1-1) unstable; urgency=high
* Upstream security release Closes: #1003243
- CVE-2022-21662 - Stored XSS through authenticated users
- CVE-2022-21663 - Authenticated Object Injection in Multisites
- CVE-2022-21661 - WordPress: SQL Injection through WP_Query
- CVE-2022-21664 - SQL injection due to improper sanitization
in WP_Meta_Query
-- Craig Small <email address hidden> Fri, 07 Jan 2022 15:57:14 +1100
-
wordpress (5.8.2+dfsg1-1) unstable; urgency=medium
[ Debian Janitor ]
* Trim trailing whitespace.
* Remove 1 obsolete maintscript entry.
* Fix day-of-week for changelog entry 2.6.2-1.
* Update standards version to 4.6.0, no changes needed.
[ Craig Small ]
* New upstream release Closes: #1001462
* Don't install ca-certificates.crt but link it Closes: #999568
* Fix updater to complain less
* Stop auto-updates Closes: #1001623
* Added local/apache-wordpress for AppArmor local configs
-- Craig Small <email address hidden> Mon, 20 Dec 2021 21:48:50 +1100
-
wordpress (5.8.1+dfsg1-2) unstable; urgency=high
* Install AppArmor file in correct location
-- Craig Small <email address hidden> Mon, 20 Sep 2021 18:51:00 +1000
-
wordpress (5.8.1+dfsg1-1) unstable; urgency=medium
* Security release
- CVE-2021-39200 - Disclosure in wp_die() Closes: #994060
- CVE-2021-39201 - XSS in editor Closes: #994059
* New upstream release Closes: #992302
* Add direct FS_METHOD in mysql setup Closes: #988991
* Add AppArmor profile
-- Craig Small <email address hidden> Sat, 11 Sep 2021 10:29:52 +1000
-
wordpress (5.7.1+dfsg1-2) unstable; urgency=medium
* Fix symlink for 2021 theme Closes: #986085
-- Craig Small <email address hidden> Tue, 20 Apr 2021 22:28:40 +1000
-
wordpress (5.7.1+dfsg1-1) unstable; urgency=high
* Security release, fixes 2 bugs Closes: #987065
- CVE-2021-29450 - Authenticated disclosure of password-protected
posts and pages.
- CVE-2021-29447 - Authenticated XXE attack when installation is
running PHP 8
-- Craig Small <email address hidden> Sat, 17 Apr 2021 08:46:05 +1000
-
wordpress (5.7+dfsg1-1) unstable; urgency=medium
* New upstream release Closes: #984985
-- Craig Small <email address hidden> Mon, 15 Mar 2021 08:11:27 +1100
-
wordpress (5.6.1+dfsg1-1) unstable; urgency=medium
* New upstream release
* Added core language directory
-- Craig Small <email address hidden> Fri, 05 Feb 2021 18:53:39 +1100
-
wordpress (5.6+dfsg1-2) unstable; urgency=medium
* Removed php5 alternative dependencies as these are only in
oldoldstable
* source-only upload for Bullseye Closes: #977517
-- Craig Small <email address hidden> Mon, 21 Dec 2020 14:39:34 +1100
-
wordpress (5.6+dfsg1-1) unstable; urgency=medium
* New upstream release
* Removed theme twentyseventeen
* Added theme twentytwentyone
* Update to standards version 4.5.1
-- Craig Small <email address hidden> Thu, 17 Dec 2020 22:22:49 +1100
-
wordpress (5.5.3+dfsg1-1) unstable; urgency=high
* Security release, fixes 8 bugs Closes: #973562
- CVE-2020-28039: Protected meta that could lead to arbitrary
file deletion.
- CVE-2020-28035: XML-RPC privilege escalation.
- CVE-2020-28036: XML-RPC privilege escalation.
- CVE-2020-28032: Hardening deserialization requests.
- CVE-2020-28037: DoS attack could lead to RCE.
- CVE-2020-28038: Stored XSS in post slugs.
- CVE-2020-28033: Disable spam embeds from disabled sites
on a multisite network.
- CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
- CVE-2020-28040: CSRF attacks that change a theme's background image.
* Removed TinyMCE build dependency as it's very old
* d/dirs: Add two more language directories
-- Craig Small <email address hidden> Tue, 03 Nov 2020 17:23:49 +1100
-
wordpress (5.5.1+dfsg1-1) unstable; urgency=medium
* New upstream release
* Remove patch CVE-2017-8295 as it is in upstream
-- Craig Small <email address hidden> Wed, 02 Sep 2020 16:25:35 +1000
-
wordpress (5.4.2+dfsg1-1) unstable; urgency=medium
* Security release, fixes 6 security bugs Closes: #962685
- CVE-2020-4046
Authenticated XSS through embed block
- CVE-2020-4047
Authenticated XSS via media attachment page
- CVE-2020-4048
Open redirect in wp_validate_redirect()
- CVE-2020-4049
Authenticated self-XSS via theme uploads
- CVE-2020-4050
'set-screen-option' filter misuse by plugins leading to privilege
escalation
* Prevent unmoderated comments from search engine indexation
-- Craig Small <email address hidden> Mon, 15 Jun 2020 07:53:44 +1000
-
wordpress (5.4.1+dfsg1-1) unstable; urgency=medium
* Security release, fixes 6 security bugs Closes: #959391
- CVE-2020-11025
XSS vulnerability in the navigation section of Customizer allows
JavaScript code to be executed.
- CVE-2020-11026
uploaded files to Media section to lead to script execution
- CVE-2020-11027
Password reset link does not expire
- CVE-2020-11028
Private posts can be found through searching by date
- CVE-2020-11029
XSS in stats() method in class-wp-object-cache
- CVE-2020-11030
Special payload can execute scripts in block editor
* Add multi-arch tags
* Update to standards 4.5.0
-- Craig Small <email address hidden> Sat, 02 May 2020 14:21:58 +1000
-
wordpress (5.4+dfsg1-1) unstable; urgency=medium
* New upstream source
* Remove debian.cnf call for create database Closes: #884877
* Add note for iputils-ping required for setup-mysql. Closes: #944465
* Themes: twentysixteen removed, twentytwenty added
* Themes: remove conflict with ancient wordpress
-- Craig Small <email address hidden> Sun, 05 Apr 2020 12:00:08 +1000
-
wordpress (5.3.2+dfsg1-1) unstable; urgency=high
* Fixes some important but non-security bugs.
* Thanks to Nils Radtke <email address hidden> for
their assistance.
* Version 5.3.1 is a security release, fixes several
issues Closes: #946905
- an unprivileged user could make a post sticky via the REST API.
- cross-site scripting (XSS) could be stored in well-crafted links
- hardening wp_kses_bad_protocol() to ensure that it is aware
of the named colon attribute.
- stored XSS vulnerability using block editor content.
* Fix error in CVE-2017-14990 patch where sub-sites cannot
authenticate users. Thanks Connor for your help!
-- Craig Small <email address hidden> Fri, 27 Dec 2019 15:18:07 +1100
-
wordpress (5.2.4+dfsg1-1) unstable; urgency=high
* Security release, fixes several issues Closes: #942459
- Stored XSS in the Customizer
- Viewing unauthenticated posts
- Stored XSS to inject JavaScript into style tags
- Poisoning JSON GET requests
- SSRF in URL validation
- Referer validation in admin screens
-- Craig Small <email address hidden> Thu, 17 Oct 2019 21:32:54 +1100
-
wordpress (5.2.3+dfsg1-1) unstable; urgency=medium
* Security release, fixes several issues Closes: #939543
- XSS in post previews
- XSS in stored comments
- Open redirect due to validation and sanitization
- XSS in media uploads
- XSS in shortcode previews
- XSS in dashboard
- XSS in URL sanitization
* Use replace for dh-linktrees for underscore-js
-- Craig Small <email address hidden> Fri, 06 Sep 2019 18:39:10 +1000
-
wordpress (5.2.2+dfsg1-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Tue, 25 Jun 2019 21:03:42 +1000
-
wordpress (5.2.1+dfsg1-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Sun, 26 May 2019 16:42:33 +1000
-
wordpress (5.1.1+dfsg1-1) unstable; urgency=medium
* New upstream release
* Fixes XSS security hole in comments Closes: #924546
* Added new/better config example
-- Craig Small <email address hidden> Thu, 14 Mar 2019 22:10:00 +1100
-
wordpress (5.0.3+dfsg1-1) unstable; urgency=medium
* New upstream release
* Update to Debian standards 4.3.0
-- Craig Small <email address hidden> Tue, 05 Feb 2019 22:23:39 +1100
-
wordpress (5.0.2+dfsg1-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Fri, 28 Dec 2018 16:00:13 +1100
-
wordpress (5.0.1+dfsg1-1) unstable; urgency=high
* New upstream source. fixes 7 Security issues Closes: #916403
- CVE-2018-20147
Delete files through altered meta data
- CVE-2018-20152
Create posts of unauthorized post types
- CVE-2018-20148
PHP object injection through crafted meta data
- CVE-2018-20153
Edit other users comments, leading to XSS
- CVE-2018-20150
XSS in plugins through crafted URL inputs
- CVE-2018-20151
User activation screen visible to search engines
- CVE-2018-20149
Bypass MIME verification causing XSS
* Themes: Remove twentyfifteen, add twentynineteen and make default
* Remove remote emojis
-- Craig Small <email address hidden> Sun, 16 Dec 2018 10:45:32 +1100
-
wordpress (4.9.8+dfsg1-1) unstable; urgency=medium
* New upstream source
Verify plugin uploads CVE-2018-14028 Closes: #906565
-- Craig Small <email address hidden> Tue, 21 Aug 2018 20:47:44 +1000
-
wordpress (4.9.7+dfsg1-1) unstable; urgency=high
* New upstream source
* Fix directory traversal in thumb parameter
CVE-2018-12895 Closes: #902876
-- Craig Small <email address hidden> Sat, 07 Jul 2018 22:29:18 +1000
-
wordpress (4.9.5+dfsg1-1) unstable; urgency=medium
* New upstream source, fixes 3 Security issues Closes: #895034
- CVE-2018-TBA
Don't treat localhost as same host by default.
- CVE-2018-TBA
Use safe redirects when redirecting login page if SSL is forced
- CVE-2018-TBA
Make sure version string is correctly escaped for use in
generator tags
* Update to standards version 4.1.4
* Remove get-orig-source in rules and use uscan
-- Craig Small <email address hidden> Sun, 08 Apr 2018 08:11:40 +1000
-
wordpress (4.9.4+dfsg-1) unstable; urgency=medium
* New upstream release
* Removed remove_jshint patch as upstream has found a different hinter
-- Craig Small <email address hidden> Fri, 09 Feb 2018 21:35:34 +1100
-
wordpress (4.9.2+dfsg-1) unstable; urgency=high
* New upstream security release Closes: #887596
and resolves CVE-2018-5776
* Update standards version to 4.1.3 - no change
-- Craig Small <email address hidden> Sat, 20 Jan 2018 18:02:18 +1100
-
wordpress (4.9.1+dfsg-1) unstable; urgency=high
* New upstream release
* Release 4.9 was never packaged due to licensing problems
* This release fixes 6 security issues Closes: #883314
- CVE-2017-17091
Use a properly generated hash for the newbloguser key instead
of a determinate substring.
- CVE-2017-17092
Remove the ability to upload JavaScript files for users who
do not have the unfiltered_html capability
- CVE-2017-17093
Add escaping to the language attributes used on html elements
- CVE-2017-17094
Ensure the attributes of enclosures are correctly escaped in
RSS and Atom feeds
* Updated to standards 4.1.1
* New linting for Javascript is disabled due to jshint.js licensing
issues
-- Craig Small <email address hidden> Sat, 09 Dec 2017 16:57:09 +1100
-
wordpress (4.8.3+dfsg-1) unstable; urgency=high
* New upstream security release Closes: #880528
-- Craig Small <email address hidden> Thu, 02 Nov 2017 22:16:15 +1100
-
wordpress (4.8.2+dfsg-2) unstable; urgency=high
* Hash user activation key Closes: #877629
Fixes CVE-2017-14990
-- Craig Small <email address hidden> Wed, 04 Oct 2017 21:59:11 +1100
-
wordpress (4.8.2+dfsg-1) unstable; urgency=high
* New upstream security release fixes 9 security issues closes: #876274
CVE IDs will be updated when issued
- CVE-2017-XXX
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi)
- CVE-2017-TBA
Cross-site scripting (XSS) vulnerability in the oEmbed discovery
- CVE-2017-TBA
Cross-site scripting (XSS) vulnerability in the visual editor
- CVE-2017-TBA
Path traversal vulnerability in the file unzipping code
- CVE-2017-TBA
Cross-site scripting (XSS) vulnerability in the plugin editor
- CVE-2017-TBA
Open redirect in the user and term edit screens
- CVE-2017-TBA
Path traversal vulnerability in the customizer
- CVE-2017-TBA
Cross-site scripting (XSS) vulnerability in template names
- CVE-2017-TBA
Cross-site scripting (XSS) vulnerability in the link modal
-- Craig Small <email address hidden> Fri, 22 Sep 2017 21:57:06 +1000
-
wordpress (4.8.1+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Thu, 03 Aug 2017 21:35:33 +1000
-
wordpress (4.8+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Fri, 09 Jun 2017 22:43:40 +1000
-
wordpress (4.7.5+dfsg-2) unstable; urgency=medium
* Don't trust SERVER_NAME variable for emails
CVE-2017-8295 Closes: #862053
-- Craig Small <email address hidden> Mon, 05 Jun 2017 21:45:59 +1000
-
wordpress (4.7.5+dfsg-1) unstable; urgency=high
* New upstream release fixes 6 security issues Closes: #862816
CVEs to be added once issued
- CVE-2017-XXX
Insufficient redirect validation in the HTTP class.
- CVE-2017-XXX
Improper handling of post meta data values in the XML-RPC API.
- CVE-2017-XXX
Lack of capability checks for post meta data in the XML-RPC API.
- CVE-2017-XXX
A Cross Site Request Forgery (CSRF) vulnerability was discovered
in the filesystem credentials dialog.
- CVE-2017-XXX
A cross-site scripting (XSS) vulnerability was discovered when
attempting to upload very large files.
- CVE-2017-XXX
A cross-site scripting (XSS) vulnerability was discovered related
to the Customizer.
-- Craig Small <email address hidden> Wed, 17 May 2017 22:28:18 +1000
-
wordpress (4.7.4+dfsg-1) unstable; urgency=medium
* New upstream maintenance release
-- Craig Small <email address hidden> Sat, 22 Apr 2017 09:01:42 +1000
-
wordpress (4.7.3+dfsg-1) unstable; urgency=high
* New upstream release fixes 6 security issues Closes: #857026
* Will update CVE IDs when available
- CVE-2016-XXX
Cross-site scripting (XSS) via media file metadata.
- CVE-2016-XXX
Control characters can trick redirect URL validation.
- CVE-2016-XXX
Unintended files can be deleted by administrators using the plugin
deletion functionality.
- CVE-2016-XXX
Cross-site scripting (XSS) via video URL in YouTube embeds.
- CVE-2016-XXX
Cross-site scripting (XSS) via taxonomy term names.
- CVE-2016-XXX
Cross-site request forgery (CSRF) in Press This leading to excessive
use of server resources.
-- Craig Small <email address hidden> Tue, 07 Mar 2017 21:59:02 +1100
-
wordpress (4.7.2+dfsg-1) unstable; urgency=high
* New upstream release fixes 3 security issues Closes: #852767
- CVE-2017-5610
The user interface for assigning taxonomy terms in Press This is
shown to users who do not have permissions to use it.
- CVE-2017-5611
WP_Query is vulnerable to a SQL injection (SQLi)
- CVE-2017-5612
XSS in the posts list table
-- Craig Small <email address hidden> Sun, 29 Jan 2017 08:22:44 +1100
-
wordpress (4.7.1+dfsg-1) unstable; urgency=high
* New upstream release fixes 8 security issues, Closes: #851310
- Cryptographically Weak Pseudo-Random Number Generator
- Accessibility Mode Cross-Site Request Forgery (CSRF)
- Post via Email Checks mail.example.com by Default
- Stored Cross-Site Scripting (XSS) via Theme Name fallback
- Cross-Site Request Forgery (CSRF) via Flash Upload
- Authenticated Cross-Site scripting (XSS) in update-core.php
- User Information Disclosure via REST API
- Potential Remote Command Execution (RCE) in PHPMailer
-- Craig Small <email address hidden> Sat, 14 Jan 2017 09:30:12 +1100
-
wordpress (4.7+dfsg-2) unstable; urgency=medium
* Add virtual-mysql-* as an option Closes: #847597
-- Craig Small <email address hidden> Sat, 10 Dec 2016 06:57:01 +1100
-
wordpress (4.7+dfsg-1) unstable; urgency=medium
* New upstream release
* Removed theme twentyfourteen
* Added new theme twentyseventeen
-- Craig Small <email address hidden> Wed, 07 Dec 2016 22:14:14 +1100
-
wordpress (4.6.1+dfsg-2) unstable; urgency=medium
* Remove -e from for loop Closes: #845388
* Thanks to Santiago Vila for above patch
* Update and fix the language files
-- Craig Small <email address hidden> Wed, 30 Nov 2016 22:40:08 +1100
-
wordpress (4.6.1+dfsg-1) unstable; urgency=medium
* New upstream security release, Closes: #837090, fixes CVE-2016-6896 and
CVE-2016-6897
-- Craig Small <email address hidden> Fri, 09 Sep 2016 21:56:22 +1000
-
wordpress (4.5.3+dfsg-1) unstable; urgency=medium
* New upstream release, various security fixes
* Update tinymce missing sources
-- Craig Small <email address hidden> Thu, 23 Jun 2016 22:18:26 +1000
-
wordpress (4.5.2+dfsg-2) unstable; urgency=medium
* Updated language files Closes: #772498
* Add alias to nginx example configuration
* Add warning in description and README about googleapis
Closes: #781449
-- Craig Small <email address hidden> Mon, 13 Jun 2016 12:29:11 +1000
-
wordpress (4.5.2+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes reflected XSS attack in plupload Closes: #823640
* Do not use old mediaelement
-- Craig Small <email address hidden> Sat, 07 May 2016 12:39:47 +1000
-
wordpress (4.5.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Update to standard version 3.9.8
-- Craig Small <email address hidden> Mon, 02 May 2016 22:18:13 +1000
-
wordpress (4.5+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Wed, 13 Apr 2016 21:07:16 +1000
-
wordpress (4.4.2+dfsg-3) unstable; urgency=medium
* Keep php5* alternates Closes: #820288
-- Craig Small <email address hidden> Thu, 07 Apr 2016 21:28:32 +1000
-
wordpress (4.4.2+dfsg-2) unstable; urgency=medium
* Update libphp-phpmailer dependency Closes: #818870
* Update to non-version PHP dependencies
* Update to standards 3.9.7 no change
-- Craig Small <email address hidden> Tue, 05 Apr 2016 22:13:33 +1000
-
wordpress (4.4.2+dfsg-1) unstable; urgency=medium
* New upstream release Closes: #813697
* Fixes open redirection attack CVE-2016-2221
* Fixes possible SSRF for local URIs CVE-2016-2222
-- Craig Small <email address hidden> Fri, 05 Feb 2016 20:34:42 +1100
-
wordpress (4.4.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Fixes XSS vulnerability Closes: #810325
-- Craig Small <email address hidden> Fri, 08 Jan 2016 22:05:11 +1100
-
wordpress (4.4+dfsg-1) unstable; urgency=medium
* New upstream release
* Add languages directory to install Closes: #798382
* Update the setup-mysql script to use correct wp-content dirs
Closes: #755530, #311821, #732134, #783331
* Updated language files
-- Craig Small <email address hidden> Fri, 11 Dec 2015 21:37:01 +1100
-
wordpress (4.3.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Fixes CVE-2015-5714 CVE-2015-5715 Closes: #799140
-- Craig Small <email address hidden> Fri, 18 Sep 2015 20:54:53 +1000
-
wordpress (4.3+dfsg-2) unstable; urgency=medium
* Backport changeset 33646 to fix cron entries Closes: #798350
-- Craig Small <email address hidden> Tue, 08 Sep 2015 22:22:11 +1000
-
wordpress (4.3+dfsg-1) unstable; urgency=medium
* New upstream release
* Adjusted some wp-content directories
* Added symlink for themes
-- Craig Small <email address hidden> Wed, 19 Aug 2015 22:48:32 +1000
-
wordpress (4.2.4+dfsg-1) unstable; urgency=high
* New upstream release
* Security fix for 3 XSS and a SQL injection bugs Closes: #794560
-- Craig Small <email address hidden> Tue, 04 Aug 2015 22:48:41 +1000
-
wordpress (4.2.3+dfsg-1) unstable; urgency=medium
* New upstream release
* Moved theme to Recommends Closes: #784689
* Remove reference to TODO Closes: #786427
-- Craig Small <email address hidden> Fri, 24 Jul 2015 20:54:50 +1000
-
wordpress (4.2.2+dfsg-1) unstable; urgency=medium
* New upstream release
* Fixes security bug in themes on genericons Closes: #784603
-- Craig Small <email address hidden> Wed, 13 May 2015 22:32:03 +1000
-
wordpress (4.2.1+dfsg-1) unstable; urgency=high
* New Security release Closes: #783554
* Patches another XSS due to field length
-- Craig Small <email address hidden> Tue, 28 Apr 2015 08:32:48 +1000
-
wordpress (4.2+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes security bugs:
- XSS vulnerability
- files with invalid or unsafe names could be added
- another limited XSS
- some plugins vulnerable to SQL injection
* README.debian: Added permission note for config file Closes: #773079
* Added php5-ssh2 to suggests Closes: 783333
* Added nginx example Closes: #783334
-- Craig Small <email address hidden> Sun, 26 Apr 2015 21:35:58 +1000
-
wordpress (4.1.1+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Sat, 28 Feb 2015 11:17:46 +1100
-
wordpress (4.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Changed trigger to noawait Closes: #772862
* Updated apache example Closes: #773075
* Updated to standards 3.9.6
* Added getid3 and mediaelement to linktree Closes: #762523
* Removed two unbuildable mediaelement files
-- Craig Small <email address hidden> Sat, 20 Dec 2014 15:31:21 +1100
-
wordpress (4.0.1+dfsg-2) unstable; urgency=medium
* Fixed i18n updates
* twentyfourteen theme has translations Closes: #772205
-- Craig Small <email address hidden> Sat, 06 Dec 2014 18:54:49 +1100
-
wordpress (4.0.1+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes several security bugs Closes: #770425
- Three cross-site scripting issues that a contributor or
author could use to compromise a site.
- A cross-site request forgery that could be used to trick a
user into changing their password.
- An issue that could lead to a denial of service when
passwords are checked.
- Additional protections for server-side request forgery
attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s
account to be compromised, that also required that they
haven’t logged in since 2008.
- WordPress now invalidates the links in a password reset email
if the user remembers their password, logs in, and changes
their email address.
-- Craig Small <email address hidden> Sat, 22 Nov 2014 19:29:37 +1100
-
wordpress (4.0+dfsg-1) unstable; urgency=medium
* New upstream release
-- Craig Small <email address hidden> Fri, 05 Sep 2014 20:58:06 +1000
-
wordpress (3.9.2+dfsg-1) unstable; urgency=high
* New Upstream release
* Fixes XML Security bug Closes: #757312
-- Craig Small <email address hidden> Thu, 07 Aug 2014 18:26:39 +1000
-
wordpress (3.9.1+dfsg-1) unstable; urgency=medium
* New upstream release
* Use system CA certificate file Closes: #748965
-- Craig Small <email address hidden> Wed, 11 Jun 2014 22:33:48 +1000
-
wordpress (3.9+dfsg-1) unstable; urgency=medium
* New upstream release
* 3.9 seems to handle different locations for plugins so the
plugin directory handling patches have been cut back.
-- Craig Small <email address hidden> Thu, 17 Apr 2014 20:56:19 +1000
-
wordpress (3.8.3+dfsg-1) unstable; urgency=medium
* New upstream release - fixes Quick Draft tool that broke in 3.8.2
-- Craig Small <email address hidden> Wed, 16 Apr 2014 22:48:26 +1000
-
wordpress (3.8.2+dfsg-1) unstable; urgency=high
* New upstream release Fixes CVE-2014-0165, CVE-2014-0166
and Closes: #744019
-- Craig Small <email address hidden> Wed, 09 Apr 2014 22:13:54 +1000
-
wordpress (3.8.1+dfsg1-2) unstable; urgency=medium
* Updated copyright file Closes: #736514
-- Craig Small <email address hidden> Fri, 14 Feb 2014 22:03:49 +1100
-
wordpress (3.8.1+dfsg1-1) unstable; urgency=medium
* Added Breaks/Replaces for combined wordpress Closes: #736688
* Removed moxieplayer.swf and added missing sources Closes: #736804
-- Craig Small <email address hidden> Thu, 06 Feb 2014 22:42:07 +1100
-
wordpress (3.8.1+dfsg-1) unstable; urgency=medium
* New upstream release.
* Depend on either mysql or mariadb client Closes: #732914
-- Craig Small <email address hidden> Fri, 24 Jan 2014 22:20:08 +1100
-
wordpress (3.7.1+dfsg-1) unstable; urgency=low
* New upstream release.
* Enable usage of php5-mysqlnd as an alternative to php5-mysql.
Closes: #722552
* Improve wp-setup to cope with plugins/themes directories with
spaces. Thanks to Oskar Liljeblad <email address hidden> for the patch.
Closes: #723074
* Refresh patches
-- Raphaël Hertzog <email address hidden> Wed, 13 Nov 2013 20:41:09 +0100
-
wordpress (3.6.1+dfsg-1) unstable; urgency=high
* New upstream security release.
-- Raphaël Hertzog <email address hidden> Thu, 12 Sep 2013 07:58:57 +0200
-
wordpress (3.6+dfsg-1) unstable; urgency=low
* New upstream release.
* Improve wp-settings to verify that $_SERVER['HTTP_X_FORWARDED_PROTO']
exists before accessing it (avoids a PHP notice).
Thanks to Paul Dreik <email address hidden> for the report and the patch.
* Document in README.Debian the need to login to /wp-admin/ to complete
an upgrade.
* Drop useless debian/README.source
* Drop 008CVE2008-2392.patch since upstream now disables unfiltered
uploads by default. See http://core.trac.wordpress.org/ticket/10692
* Drop 009CVE2008-6767.patch since the backto parameter is validated
against a whitelist, and externally triggered upgrades are not a
security problem as long as they work.
* Update debian/missing-sources with latest versions.
* Update upstream l10n.
-- Raphaël Hertzog <email address hidden> Wed, 04 Sep 2013 23:18:58 +0200
-
wordpress (3.5.2+dfsg-1) unstable; urgency=low
* New upstream release with many security fixes. Closes: #713947
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can
reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin.
CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
* Additional security hardening includes:
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
* Update the Vcs-Git and Vcs-Browser URLs.
* Update Standards-Version to 3.9.4.
-- Raphaël Hertzog <email address hidden> Tue, 25 Jun 2013 15:52:07 +0200
-
wordpress (3.5.1+dfsg-2) unstable; urgency=low
* Only replace tinymce files by symlinks if the content is exactly the same.
Closes: #700289
* Update debian/get-upstream-i18n to include supplementary PO files
and use a more efficient method to update them. Closes: #697208
-- Raphaël Hertzog <email address hidden> Mon, 11 Feb 2013 13:56:18 +0100
-
wordpress (3.5.1+dfsg-1) unstable; urgency=low
* New upstream maintenance and security release. Closes: #698916
-- Raphaël Hertzog <email address hidden> Mon, 28 Jan 2013 17:15:27 +0100
-
wordpress (3.5+dfsg-1) unstable; urgency=low
* New upstream release.
* Fix sample apache.conf so that Alias directives are in the proper order
(from the most specific to the least specific). Closes: #693122
Thanks to Jérôme Marant for the report.
* Update debian/missing-sources/ with latest upstream changes.
* Update all translations.
* Try to deduplicate (i.e. replace with symlinks) backbone.js and
underscore.js too.
* Drop debian/patches/006rss_language.patch, the rss_language option
is no longer used.
* Update/refresh all other patches on top of the new release.
* Update lintian overrides and debian/wordpress.linktrees to match the
latest changes concerning javascript libraries shipped by WordPress.
* Document the loss of the twentyten theme.
-- Raphaël Hertzog <email address hidden> Fri, 21 Dec 2012 14:17:50 +0100
-
wordpress (3.4.2+dfsg-1) unstable; urgency=low
* New upstream security & bugfix release.
* Also setup languages symlink in setup-mysql. Closes: #684628
Thanks to Jun NOGATA <email address hidden> for the analysis.
* Add new patch 011support-symlinks-for-plugins.patch grabbed
in the upstream ticket to allow plugin directories to be
symlinks (which is required for the Debian package since
we put symlinks in /var/lib/wordpress/wp-content/plugins/).
Closes: #686228
-- Raphaël Hertzog <email address hidden> Wed, 12 Sep 2012 14:52:14 +0200
-
wordpress (3.4.1+dfsg-1) unstable; urgency=high
* New upstream security & bugfix release.
-- Raphaël Hertzog <email address hidden> Tue, 03 Jul 2012 08:36:08 +0200
-
wordpress (3.4+dfsg-3) unstable; urgency=low
* [f7a1c09] Drop useless postrm.
* [d92219b] Add a prerm script calling wp-setup --purge-wp-content on
remove. Closes: #678842
* [2fbf903] Allow wp-setup to symlink files as well as directories.
* [cef928f] Let wp-setup also manage
/var/lib/wordpress/wp-content/languages/.
* [ac86408] Densify output of wp-setup.
-- Raphaël Hertzog <email address hidden> Tue, 26 Jun 2012 10:47:25 +0200
-
wordpress (3.4+dfsg-2) unstable; urgency=low
* [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that
users are correctly informed of the latest changes.
* [e3b7b1c] Improve preinst to also move the
/usr/share/wordpress/wp-content/uploads directory to its new location in
/var/lib/wordpress/wp-content/. The package never created this directory
but many users probably created it and we need to do this to let dpkg
install the symlink that we put into place.
* [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content.
When activated, it will execute wp-setup --sync-wp-content
which updates /var/lib/wordpress/wp-content/ with symlinks
to plugins/themes that have been added and it drops symlinks
to plugins/themes which have disappeared. (Closes: #677889)
-- Raphaël Hertzog <email address hidden> Thu, 21 Jun 2012 20:44:53 +0200
-
wordpress (3.4+dfsg-1) unstable; urgency=low
* New upstream release. Closes: #677534
[ Raphaël Hertzog ]
* [a1c0409] Refresh and update all patches to correctly apply on version
3.4.
* [3804496] Update debian/missing-sources/ to match the current versions of
embedded javascript and flash files.
* [185b051] Drop the old "default" theme (and its French translation)
* [966ce6c] Grab latest translations
* [1983326] Update Standards-Version to 3.9.3 (no change).
* [29c48b6] Increase debhelper compat level to 9.
* [73e16d0] Replace debian/dh_linktree by the packaged version.
* [359b660] Update debian/wordpress.linktrees to match latest developments.
* [645b650] Let setup-mysql lowercase the FQDN since the configuration
scheme expects this. Thanks to Chris Butler <email address hidden> for the
report (Closes: #658395)
* [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted
permissions (Closes: #616400)
* [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only
a dispatcher to the real configuration file (Closes: #592502)
* [b602372] Improve wp-config.php so that WordPress works behind an https
reverse-proxy.
* [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985,
#639980)
* [683a908] Update wp-config.php to not redefine constants which have
already been set. Thanks to Richard van den Berg <email address hidden> for
the report. (Closes: #613283)
* [315eb68] Let wordpress-l10n depend on the same version as wordpress.
(Closes: #623557)
* [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to
/var/lib/wordpress/wp-content. And the package provides this new directory
appropriately setup with write rights to www-data on blogs.dir and
uploads. themes and plugins are root-owned directories with symlinks
pointing back to the default themes and plugins. (Closes: #675469)
* [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use
$upload_dir). (Closes: #658508)
* [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js.
* [8d46dab] Use dpkg-maintscript-helper to drop obsolete
/etc/wordpress/wp-config.php
[ Martin Bagge / brother ]
* [56d0a34] Improve the setup script to be able to use a remote MySQL
server.
-- Raphaël Hertzog <email address hidden> Sat, 16 Jun 2012 01:19:20 +0200
-
wordpress (3.3.2+dfsg-1) unstable; urgency=high
* New upstream security release. Closes: #670124
* Use the embedded copy of SimplePie until #669054 is resolved.
-- Raphaël Hertzog <email address hidden> Tue, 24 Apr 2012 00:31:42 +0200
-
wordpress (3.3.1+dfsg-1) unstable; urgency=low
* New upstream security release. Fixes CVE-2012-0287.
-- Raphaël Hertzog <email address hidden> Wed, 04 Jan 2012 10:15:05 +0100
-
wordpress (3.3+dfsg-1) unstable; urgency=low
* New upstream release. Closes: #652041
* [4deb832] Add all the missing sources in debian/missing-sources/.
(Closes: #646729)
* [913eba5] Refresh all patches.
* [ae61778] Use xz compression for the debian tarball to save some space.
-- Raphaël Hertzog <email address hidden> Tue, 20 Dec 2011 01:01:50 +0100
-
wordpress (3.2.1+dfsg-3) unstable; urgency=medium
* Upload with urgency medium to speed up a bit the transition to testing
since the testing version is broken.
* [72d01a3] Improve dh_linktree.
It is now able to generate dependencies and to have different behaviour
for each file to replace. Modify wordpress.linktrees to ensure we have
the very same JQuery files but blindly replaces all the other files.
Drop the explicit dependencies in favor of the autogenerated dependencies.
As a side-effect this fixes installation of widgets which was broken
by the mismatch of some JQuery ui files.
* [bbce711] Add lintian overrides for warnings about the embedded copy of JQuery.
We do a reasonable effort to replace it if it matches.
-- Raphaël Hertzog <email address hidden> Thu, 27 Oct 2011 16:01:49 +0200
-
wordpress (3.2.1+dfsg-2) unstable; urgency=low
* [af74ce2] Add a preinst to drop symlinks to directories for tinymce
and cropper. The new dh_linktree only symlinks files and hierarchies are
duplicated. So we have to drop symlinks to directories in the preinst,
otherwise dpkg installs the new symlinks in the tinymce/cropper
directories instead of in the wordpress ones.
Also drop the upgrade code in the postinst converting the same directories
into symlinks... (Closes: #639733)
* [0b51c4f] Invite users affected by #639733 to reinstall
tinymce/libjs-cropper.
* [55af033] Fix invalid test in postinst (upgrade → configure)
"upgrade" is not a valid parameter in the postinst. Instead
we get "configure".
-- Raphaël Hertzog <email address hidden> Sat, 22 Oct 2011 17:01:25 +0200
-
wordpress (3.2.1+dfsg-1) unstable; urgency=low
[ Paul Tagliamonte ]
* [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean
tarball. It drops all the sourceless flash files. Closes: #625773
[ Raphaël Hertzog ]
* [d1035bd] Imported Upstream version 3.2.1+dfsg
* [b968405] Update and refresh all patches.
* [10ab97c] Drop manifest.patch because the description in its header
doesn't make any sense.
* [87537db] Update dependencies as per new upstream requirements.
* [0c534ec] Update packaging to avoid using even more embedded PHP/JS
libraries.
* [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries.
* [8690719] Add lintian override for embedded-php-library streams.php since
it's a false positive.
* [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed).
* [938fb15] Update internationalization files.
* [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can
be replaced by dh_linktree.
-- Raphaël Hertzog <email address hidden> Mon, 08 Aug 2011 23:06:20 +0200
-
wordpress (3.0.5+dfsg-1) unstable; urgency=medium
* [077b77b] Imported Upstream version 3.0.5+dfsg
* [8d1ce17] Refreshed patches
-- Giuseppe Iuculano <email address hidden> Fri, 11 Feb 2011 17:50:40 +0100
-
wordpress (3.0.4+dfsg-1) unstable; urgency=high
* [9d62499] Imported Upstream version 3.0.4+dfsg
- This is a critical security update, more info: http://wp.me/pZhYe-qt
-- Giuseppe Iuculano <email address hidden> Thu, 30 Dec 2010 14:47:40 +0100
-
wordpress (3.0.3.dfsg-1) unstable; urgency=high
* [e113893] Imported Upstream version 3.0.3.dfsg
- Re-packaged without the hello dolly plugin (Closes: #607240)
* [9d62cfd] Removed hello.patch
-- Giuseppe Iuculano <email address hidden> Tue, 28 Dec 2010 17:22:34 +0100
-
wordpress (3.0.3-1) unstable; urgency=high
* [014c926] Imported Upstream version 3.0.3 (Closes: #606657)
* [f29b6ac] Use GPL-compliant lyrics in the hello dolly plugin.
(Closes: #607240)
-- Giuseppe Iuculano <email address hidden> Fri, 17 Dec 2010 11:03:55 +0100
-
wordpress (3.0.2-1) unstable; urgency=high
[ Raphaël Hertzog ]
* [9d6922c] Improve wp-config.php to support sites on subdomains and
htaccess by providing directives ready to uncomment
[ Giuseppe Iuculano ]
* [1dc32d3] Imported Upstream version 3.0.2 (Closes: #605880)
- Author level SQL injection vulnerability fixed (Closes: #605603)
* [b4f2869] Refreshed debian/patches/001readme.patch
* [612c23f] Remove flv_player.swf from manifest.php (Closes: #602732)
-- Giuseppe Iuculano <email address hidden> Tue, 07 Dec 2010 08:43:38 +0100
-
wordpress (3.0.1-2) unstable; urgency=low
* [e8a913f] Remove swfupload.swf from the binary package, as it cannot
be built from source, violating the Policy. (Closes: #591195)
* [92493d0] Document in Readme.Debian how to get swfupload.swf
* [3663a53] debian/get-upstream-i18n: download also configuration
files for RTL-languages (Closes: #585784)
* [8bbdc8b] Added a missing define in debian/wp-config.php (Closes: #590859)
* [34dd063] Updated language files
* [adf55b3] Install *.php configuration files for RTL-languages
-- Giuseppe Iuculano <email address hidden> Thu, 02 Sep 2010 10:33:50 +0200
-
wordpress (3.0.1-1) unstable; urgency=low
* [e6e4f09] Updated watch file
* [12dd7cd] Imported Upstream version 3.0.1
* [7f03621] Bump to standards-version 3.9.1, no changes needed
-- Giuseppe Iuculano <email address hidden> Wed, 04 Aug 2010 16:41:24 +0200
-
wordpress (3.0-1) unstable; urgency=low
[ Giuseppe Iuculano ]
* [a57d26e] Imported Upstream version 3.0 (Closes: #586764)
* [a74cd68] MU: enable multi-user by default and install the proper
blogs.dir directory
* [ffd926e] fix the blogs.dir link
* [c81081d] Adjust MU setup for Debian installations
* [c14dd9d] Update language files
* [6a7296f] Added Raphaël Hertzog in Uploaders
* [7ea24ff] Updated watch file
[ Raphaël Hertzog ]
* [2d1df3e] Update patch debian/patches/001readme.patch
* [58a772e] Update patch debian/patches/003installer.patch
* [332abfc] Update patch debian/patches/006rss_language.patch
* [ee99544] Update patch debian/patches/008CVE2008-2392.patch
* [b960914] Refresh patch debian/patches/009CVE2008-6767.patch
* [511eea7] Refresh patch
debian/patches/010disabling_update_note.patch
* [22c5015] Refresh patch debian/patches/manifest.patch
* [7cfe147] Switch to source format 3.0 (quilt).
* [8c86759] Add back the default theme that has been dropped upstream
* [390188e] Adjust links and rules to cope with removal of
scriptaculous/prototype.js
* [1313b13] Add package prefix to many debian/ files for clarity
* [c4e7651] Switch to dh7 tiny rules file and general cleanup of the
build process.
* [625cdbb] Updated Vcs-Git/Vcs-Browser to point to the collab-maint
repository.
-- Giuseppe Iuculano <email address hidden> Sun, 27 Jun 2010 15:47:40 +0200
-
wordpress (2.9.2-1) unstable; urgency=low
* [3f228c1] Imported Upstream version 2.9.2
* [7965955] Bump to Standards-Version 3.8.4 (no changes)
* [e86fd59] Updated language files
-- Giuseppe Iuculano <email address hidden> Tue, 16 Feb 2010 12:41:01 +0100
-
wordpress (2.9.1-2) unstable; urgency=low
* [4a7279a] Fixed the security id in wp-admin/menu.php (Closes: #561832) -
thanks to Franck Nouyrigat
* [aa0f3a0] Allow site names with dash character. (Closes: #566224) -
thanks to Mikko Visa
* [ee0a44e] Updated language files
-- Giuseppe Iuculano <email address hidden> Fri, 22 Jan 2010 19:07:14 +0100
-
wordpress (2.9.1-1) unstable; urgency=low
* [a83b8fd] Imported Upstream version 2.9.1
* [216890e] Added ${misc:Depends} in Depends
* [ec95986] Updated language files
-- Giuseppe Iuculano <email address hidden> Wed, 06 Jan 2010 13:20:35 +0100
-
wordpress (2.9-1) unstable; urgency=low
* [fdd001e] Change wordpress-l10n section (localization)
* [625fa21] Imported Upstream version 2.9
* [dd9b536] Refreshed patches
* [1ce2a9d] Do not remove anymore plugins/wordpress/js directory
* [3287ec5] Updated language files (Closes: #556902)
-- Giuseppe Iuculano <email address hidden> Wed, 23 Dec 2009 14:31:36 +0100
-
wordpress (2.8.6-1) unstable; urgency=low
* [cf87b24] Updated debian/watch (Closes: #555729) - thanks to Hideki
Yamane
* [997165e] Imported Upstream version 2.8.6
* [05395e1] debian/wp-config.php: sanitize $debian_server and do not
check if $debian_file is under /etc/wordpress (Closes: #549436)
* [dc016ce] Updated language files
-- Giuseppe Iuculano <email address hidden> Sat, 14 Nov 2009 12:53:07 +0100
-
wordpress (2.8.5-1) unstable; urgency=high
* [b0ebbe1] Imported Upstream version 2.8.5 (Closes: #551841)
- This version fixes CVE-2009-3622, Wordpress Trackback DoS
* [cad0da2] Updated languages files
* [e8438f2] Use /var/log/apache2 directory in the apache example file
(Closes: #551380)
-- Giuseppe Iuculano <email address hidden> Wed, 21 Oct 2009 21:43:31 +0200
-
wordpress (2.8.4-3) unstable; urgency=low
* [dc295db] Provide a more descriptive error message if the vhost
config file is not found. (LP: #365783)
* [c23192a] Depend on libjs-jquery >= 1.3.3-1 (Closes: #544473) -
thanks to Arnaud Guiton
* [fd27308] Updated debian/copyright
* [94ad7d3] Split up the language files into a separate package
* [08334d7] Updated language files
* [6682ab3] Updated my email address and removed DM-Upload-Allowed
control field
-- Giuseppe Iuculano <email address hidden> Sat, 03 Oct 2009 10:28:16 +0200
-
wordpress (2.8.4-2) unstable; urgency=low
* [e582ddd] Removed reference about drag.gif in manifest.php, thanks
to Michel Meyers (Closes: #517969)
* [a0d70c8] Do not symlink readme.html, instead install it in
/usr/share/wordpress
* [e81e4c3] Depend on tinymce (>= 3.2.6-0.1) and added a proper
symlink to the tabfocus plugin
* [0492b02] Added a note in NEWS and README.debian about the secondary
consequence caused by the previous fix for a possible script
injection via /etc/wordpress/wp-config.php
* [6a3c803] Updated language files
-- Giuseppe Iuculano <email address hidden> Wed, 26 Aug 2009 14:53:43 +0200
-
wordpress (2.8.3-2) unstable; urgency=medium
* [2372863] debian/patches/011enforce_activaction_key.dpatch: Enforce
activation key to be a string (Closes: #541102)
* [cb80386] Fixed CVE-2008-6767 patch and prevent redirect loop.
(Closes: #541199)
-- Giuseppe Iuculano <email address hidden> Wed, 12 Aug 2009 18:18:52 +0200
-
wordpress (2.8.3-1) unstable; urgency=medium
* [f625087] Imported Upstream version 2.8.3 (Closes: #533387, #539411)
This release fixed several security issues:
- Privileges unchecked and multiple information disclosures.
(CVE-2009-2334, CVE-2009-2335, CVE-2009-2336) (Closes: #536724)
- CVE-2009-2431, CVE-2009-2432: Obtain sensitive information
(Closes: #537146)
- CVE-2008-6762: Open redirect vulnerability in wp-admin/upgrade.php
(Closes: #531736)
* [347c164] debian/control: Added Giuseppe Iuculano in Uploaders,
added Vcs and DM-Upload-Allowed control field
* [92fb4ab] Bump to debhelper 7 compatibility levels
* [5b8536e] Refreshing patches
* [d999c0e] Added a watch file
* [4163c0c] debian/rules: Do not remove the autosave tinymce plugin, it
isn't there anymore.
* [9c4d0e5] debian/get-upstream-i18n: download .xpi files into
debian/languages
* [76b7c5c] Install language files
* [a0bfad2] Move gettext in Build-Depends-Indep
* [8b607bf] Use set -e instead of passing -e to the shell on the #!
line
* [6cbbf36] debian/patches/009CVE2008-6767.dpatch: Only admin can
upgrade wordpress. (CVE-2008-6767) (Closes: #531736)
* [d6adfbe] Disabled the "please update" warning, thanks to Hans
Spaans and Rolf Leggewie (Closes: #506685)
* [15c360c] Updated to standards version 3.8.2 (No changes needed)
-- Giuseppe Iuculano <email address hidden> Tue, 11 Aug 2009 16:30:35 +0200
-
wordpress (2.7.1-2) unstable; urgency=low
* setup-mysql corrected to accept domain names with hyphens (Closes: #514447)
* wp-config.php now dies if no config file is found (Closes: #500296)
* now the static browser uploader is supported (Closes: #501507)
Users can choose to use the browser (instead of flash) to upload media files.
-- Andrea De Iacovo <email address hidden> Sun, 15 Feb 2009 19:13:35 +0100
-
wordpress (2.5.1-11) unstable; urgency=high
* Added 011CVE2008-5278.patch. (Closes: #507193)
Upstream patch for XSS in feed.php self_link function was
implemented. (CVE-2008-5278)
-- Andrea De Iacovo <email address hidden> Sun, 30 Nov 2008 11:26:39 +0100
-
wordpress (2.5.1-10) unstable; urgency=high
* 007CVE2008-2392.patch modified.
Now users can dynamically choose to enable unrestricted upload for admins.
* 010_REQUEST.patch added.
This patch is only a workaround for #504771. Now cookies are properly
checked; if something malicious is found wordpress stops any other execution
until cookies are cleaned.
-- Andrea De Iacovo <email address hidden> Thu, 06 Nov 2008 10:12:35 +0100
-
wordpress (2.5.1-9) unstable; urgency=high
* Wordpress now depends on libphp-snoopy (Closes: #443948)
* libphp-snoopy dependency solves grave security issue (Closes: #504234)
Thanks to the new version of snoopy class the user input is now sanitized
so it's not possible to inject malicious code anymore (CVE-2008-4796)
* setup-mysql modified to fix permissions on /srv/www
-- Andrea De Iacovo <email address hidden> Mon, 03 Nov 2008 08:39:16 +0100
-
wordpress (2.5.1-8) unstable; urgency=high
* Added 009CVE2008-4106 patch. (Closes: #500115)
Whitespaces in user name are now checked during login.
It's not possible to register an "admin(n-whitespaces)" user anymore
to gain unauthorized access to the admin panel.
-- Andrea De Iacovo <email address hidden> Thu, 25 Sep 2008 17:02:47 +0200