diff -Nru wordpress-5.8.2+dfsg1/debian/changelog wordpress-5.8.3+dfsg1/debian/changelog --- wordpress-5.8.2+dfsg1/debian/changelog 2021-12-31 08:13:41.000000000 +0000 +++ wordpress-5.8.3+dfsg1/debian/changelog 2022-01-11 01:05:34.000000000 +0000 @@ -1,3 +1,22 @@ +wordpress (5.8.3+dfsg1-1ubuntu1) jammy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/setup-mysql: create the user before granting privileges, and + use mysql_native_password authentication. + + -- Steve Langasek Mon, 10 Jan 2022 17:05:34 -0800 + +wordpress (5.8.3+dfsg1-1) unstable; urgency=high + + * Upstream security release Closes: #1003243 + - CVE-2022-21662 - Stored XSS through authenticated users + - CVE-2022-21663 - Authenticated Object Injection in Multisites + - CVE-2022-21661 - WordPress: SQL Injection through WP_Query + - CVE-2022-21664 - SQL injection due to improper sanitization + in WP_Meta_Query + + -- Craig Small Fri, 07 Jan 2022 15:57:14 +1100 + wordpress (5.8.2+dfsg1-1ubuntu1) jammy; urgency=low * Merge from Debian unstable. Remaining changes: diff -Nru wordpress-5.8.2+dfsg1/debian/wordpress.postinst wordpress-5.8.3+dfsg1/debian/wordpress.postinst --- wordpress-5.8.2+dfsg1/debian/wordpress.postinst 2021-12-20 15:54:24.000000000 +0000 +++ wordpress-5.8.3+dfsg1/debian/wordpress.postinst 2022-01-07 09:20:57.000000000 +0000 @@ -4,13 +4,6 @@ case "$1" in configure) - if dpkg --compare-versions "$2" lt 2.0.2-2; then - # To address security bug #363580, but don't change them again and - # again if local admin put something else. - chmod 640 /etc/wordpress/config* >/dev/null 2>&1 || true - chgrp www-data /etc/wordpress/config* >/dev/null 2>&1 || true - fi - # Reload the Apache profile APP_PROFILE="/etc/apparmor.d/usr.sbin.apache2" if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then diff -Nru wordpress-5.8.2+dfsg1/debian/wordpress.preinst wordpress-5.8.3+dfsg1/debian/wordpress.preinst --- wordpress-5.8.2+dfsg1/debian/wordpress.preinst 2021-12-20 15:54:24.000000000 +0000 +++ wordpress-5.8.3+dfsg1/debian/wordpress.preinst 2022-01-07 09:20:56.000000000 +0000 @@ -2,46 +2,8 @@ set -e -symlinks_to_drop=" -/usr/share/wordpress/wp-includes/js/tinymce/plugins/inlinepopups -/usr/share/wordpress/wp-includes/js/tinymce/plugins/safari -/usr/share/wordpress/wp-includes/js/tinymce/plugins/paste -/usr/share/wordpress/wp-includes/js/tinymce/plugins/fullscreen -/usr/share/wordpress/wp-includes/js/tinymce/plugins/autosave -/usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/css -/usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/img -/usr/share/wordpress/wp-includes/js/tinymce/plugins/media -/usr/share/wordpress/wp-includes/js/tinymce/plugins/tabfocus -/usr/share/wordpress/wp-includes/js/tinymce/plugins/directionality -/usr/share/wordpress/wp-includes/js/crop -" - case "$1" in upgrade) - if dpkg --compare-versions "$2" lt 3.2.1+dfsg-2; then - for symlink in $symlinks_to_drop; do - if [ -h $symlink ]; then - echo "Dropping $symlink to convert it into a directory" - rm -f $symlink - fi - done - fi - if dpkg --compare-versions "$2" lt 3.4; then - # Move some sub-directories of wp-content to their new place - # in /var/lib/wordpress/wp-content - if [ -e /var/lib/wordpress/blogs.dir ]; then - mkdir -p /var/lib/wordpress/wp-content - mv /var/lib/wordpress/blogs.dir /var/lib/wordpress/wp-content/ - chown www-data:www-data /var/lib/wordpress/wp-content/blogs.dir - fi - if [ -d /usr/share/wordpress/wp-content/uploads ] && \ - [ ! -h /usr/share/wordpress/wp-content/uploads ] && \ - [ ! -e /var/lib/wordpress/wp-content/uploads ]; then - mkdir -p /var/lib/wordpress/wp-content - mv /usr/share/wordpress/wp-content/uploads /var/lib/wordpress/wp-content/ - chown www-data:www-data /var/lib/wordpress/wp-content/uploads - fi - fi if dpkg --compare-versions "$2" lt 5.8.1+dfsg1-2; then # Move the incorrectly placed AppArmor file if [ -d /etc/apparmor.d/apache2.d/wordpress ]; then diff -Nru wordpress-5.8.2+dfsg1/wp-admin/about.php wordpress-5.8.3+dfsg1/wp-admin/about.php --- wordpress-5.8.2+dfsg1/wp-admin/about.php 2021-11-10 17:05:56.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-admin/about.php 2022-01-06 18:45:01.000000000 +0000 @@ -46,6 +46,26 @@

Version %s addressed some security issues.' ), + '5.8.3' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version. */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '5.8.3' ) + ) + ); + ?> +

+

+ Version %1$s addressed a security issue and fixed %2$s bug.', diff -Nru wordpress-5.8.2+dfsg1/wp-admin/includes/upgrade.php wordpress-5.8.3+dfsg1/wp-admin/includes/upgrade.php --- wordpress-5.8.2+dfsg1/wp-admin/includes/upgrade.php 2021-06-08 01:55:57.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-admin/includes/upgrade.php 2022-01-06 17:29:56.000000000 +0000 @@ -1612,8 +1612,8 @@ $start = 0; while ( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) { foreach ( $rows as $row ) { - $value = $row->option_value; - if ( ! @unserialize( $value ) ) { + $value = maybe_unserialize( $row->option_value ); + if ( $value === $row->option_value ) { $value = stripslashes( $value ); } if ( $value !== $row->option_value ) { diff -Nru wordpress-5.8.2+dfsg1/wp-includes/class-wp-meta-query.php wordpress-5.8.3+dfsg1/wp-includes/class-wp-meta-query.php --- wordpress-5.8.2+dfsg1/wp-includes/class-wp-meta-query.php 2021-03-25 12:39:07.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-includes/class-wp-meta-query.php 2022-01-06 17:25:00.000000000 +0000 @@ -812,7 +812,7 @@ $clause_compare = strtoupper( $clause['compare'] ); $sibling_compare = strtoupper( $sibling['compare'] ); if ( in_array( $clause_compare, $compatible_compares, true ) && in_array( $sibling_compare, $compatible_compares, true ) ) { - $alias = $sibling['alias']; + $alias = preg_replace( '/\W/', '_', $sibling['alias'] ); break; } } diff -Nru wordpress-5.8.2+dfsg1/wp-includes/class-wp-tax-query.php wordpress-5.8.3+dfsg1/wp-includes/class-wp-tax-query.php --- wordpress-5.8.2+dfsg1/wp-includes/class-wp-tax-query.php 2020-07-14 12:10:05.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-includes/class-wp-tax-query.php 2022-01-06 17:25:00.000000000 +0000 @@ -527,7 +527,7 @@ // The sibling must both have compatible operator to share its alias. if ( in_array( strtoupper( $sibling['operator'] ), $compatible_operators, true ) ) { - $alias = $sibling['alias']; + $alias = preg_replace( '/\W/', '_', $sibling['alias'] ); break; } } @@ -556,7 +556,11 @@ return; } - $query['terms'] = array_unique( (array) $query['terms'] ); + if ( 'slug' === $query['field'] || 'name' === $query['field'] ) { + $query['terms'] = array_unique( (array) $query['terms'] ); + } else { + $query['terms'] = wp_parse_id_list( $query['terms'] ); + } if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) { $this->transform_query( $query, 'term_id' ); diff -Nru wordpress-5.8.2+dfsg1/wp-includes/formatting.php wordpress-5.8.3+dfsg1/wp-includes/formatting.php --- wordpress-5.8.2+dfsg1/wp-includes/formatting.php 2021-06-08 22:15:12.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-includes/formatting.php 2022-01-06 17:37:02.000000000 +0000 @@ -1138,12 +1138,14 @@ * Encode the Unicode values to be used in the URI. * * @since 1.5.0 + * @since 5.8.3 Added the `encode_ascii_characters` parameter. * - * @param string $utf8_string - * @param int $length Max length of the string + * @param string $utf8_string String to encode. + * @param int $length Max length of the string + * @param bool $encode_ascii_characters Whether to encode ascii characters such as < " ' * @return string String with Unicode encoded for URI. */ -function utf8_uri_encode( $utf8_string, $length = 0 ) { +function utf8_uri_encode( $utf8_string, $length = 0, $encode_ascii_characters = false ) { $unicode = ''; $values = array(); $num_octets = 1; @@ -1158,11 +1160,14 @@ $value = ord( $utf8_string[ $i ] ); if ( $value < 128 ) { - if ( $length && ( $unicode_length >= $length ) ) { + $char = chr( $value ); + $encoded_char = $encode_ascii_characters ? rawurlencode( $char ) : $char; + $encoded_char_length = strlen( $encoded_char ); + if ( $length && ( $unicode_length + $encoded_char_length ) > $length ) { break; } - $unicode .= chr( $value ); - $unicode_length++; + $unicode .= $encoded_char; + $unicode_length += $encoded_char_length; } else { if ( count( $values ) == 0 ) { if ( $value < 224 ) { diff -Nru wordpress-5.8.2+dfsg1/wp-includes/post.php wordpress-5.8.3+dfsg1/wp-includes/post.php --- wordpress-5.8.2+dfsg1/wp-includes/post.php 2021-05-25 23:41:57.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-includes/post.php 2022-01-06 17:37:02.000000000 +0000 @@ -4924,7 +4924,7 @@ if ( $decoded_slug === $slug ) { $slug = substr( $slug, 0, $length ); } else { - $slug = utf8_uri_encode( $decoded_slug, $length ); + $slug = utf8_uri_encode( $decoded_slug, $length, true ); } } diff -Nru wordpress-5.8.2+dfsg1/wp-includes/version.php wordpress-5.8.3+dfsg1/wp-includes/version.php --- wordpress-5.8.2+dfsg1/wp-includes/version.php 2021-11-10 17:03:58.000000000 +0000 +++ wordpress-5.8.3+dfsg1/wp-includes/version.php 2022-01-06 18:45:01.000000000 +0000 @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.8.2'; +$wp_version = '5.8.3'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.