wordpress (5.6+dfsg1-2ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/setup-mysql: create the user before granting privileges, and
      use mysql_native_password authentication.

wordpress (5.6+dfsg1-2) unstable; urgency=medium

  * Removed php5 alternative dependencies as these are only in
    oldoldstable
  * source-only upload for Bullseye Closes: #977517

wordpress (5.6+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Removed theme twentyseventeen
  * Added theme twentytwentyone
  * Update to standards version 4.5.1

wordpress (5.5.3+dfsg1-1) unstable; urgency=high

  * Security release, fixes 8 bugs Closes: #973562
    - CVE-2020-28039: Protected meta that could lead to arbitrary
      file deletion.
    - CVE-2020-28035: XML-RPC privilege escalation.
    - CVE-2020-28036: XML-RPC privilege escalation.
    - CVE-2020-28032: Hardening deserialization requests.
    - CVE-2020-28037: DoS attack could lead to RCE.
    - CVE-2020-28038: Stored XSS in post slugs.
    - CVE-2020-28033: Disable spam embeds from disabled sites
      on a multisite network.
    - CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
    - CVE-2020-28040: CSRF attacks that change a theme's background image.
  * Removed TinyMCE build dependency as it is very old
  * d/dirs: Add two more language directories

wordpress (5.5.1+dfsg1-1) unstable; urgency=medium

  * New upstream release
  * Remove patch CVE-2017-8295 as it is in upstream

wordpress (5.4.2+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #962685
    - CVE-2020-4046
      Authenticated XSS through embed block
    - CVE-2020-4047
      Authenticated XSS via media attachment page
    - CVE-2020-4048
      Open redirect in wp_validate_redirect()
    - CVE-2020-4049
      Authenticated self-XSS via theme uploads
    - CVE-2020-4050
      'set-screen-option' filter misuse by plugins leading to privilege
      escalation
  * Prevent unmoderated comments from search engine indexation

wordpress (5.4.1+dfsg1-1) unstable; urgency=medium

  * Security release, fixes 6 security bugs Closes: #959391
    - CVE-2020-11025
      XSS vulnerability in the navigation section of Customizer allows
      JavaScript code to be executed.
    - CVE-2020-11026
      uploaded files to Media section to lead to script execution
    - CVE-2020-11027
      Password reset link does not expire
    - CVE-2020-11028
      Private posts can be found through searching by date
    - CVE-2020-11029
      XSS in stats() method in class-wp-object-cache
    - CVE-2020-11030
      Special payload can execute scripts in block editor
  * Add multi-arch tags
  * Update to standards 4.5.0

wordpress (5.4+dfsg1-1) unstable; urgency=medium

  * New upstream source
  * Remove debian.cnf call for create database Closes: #884877
  * Add note for iputils-ping required for setup-mysql. Closes: #944465
  * Themes: twentysixteen removed, twentytwenty added
  * Themes: remove conflict with ancient wordpress

-- Steve Langasek <email address hidden> Fri, 08 Jan 2021 15:56:33 -0800