wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high * Non-maintainer upload. * Fix CVE-2018-10100: the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. * Fix CVE-2018-10102: the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. (Closes: #895034) -- Markus Koschany Sat, 28 Apr 2018 22:49:06 +0200 wordpress (4.1+dfsg-1+deb8u16) jessie-security; urgency=high * Backport securitty patches from 4.9.1 - CVE-2017-17091 Changeset: 42296 Use a properly generated hash for the newbloguser key instead of a determinate substring. - CVE-2017-17092 Changeset: 42299 Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability - CVE-2017-17093 Changeset: 42297 Add escaping to the language attributes used on html elements - CVE-2017-17094 Changeset: 42298 Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds * Additional two patches for security fixes - CVE-2017-9066 Redirect validation patch from backports - CVE-2017-16510 Changeset: 42064 Restore numbered placeholders in $wpdb->prepare -- Craig Small Sat, 06 Jan 2018 20:10:26 +1100 wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium * Backport security patches from 4.8.2 - CVE-2017-14723 $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) Changeset 41472, 41498 - CVE-2017-14726 Cross-site scripting (XSS) vulnerability in the visual editor Changeset 41436 - CVE-2017-14719 Path traversal vulnerability in the file unzipping code Changeset 41459 - CVE-2017-14721 Cross-site scripting (XSS) vulnerability in the plugin editor Changeset 41413 - CVE-2017-14725 Open redirect in the user edit screens The term/tag edit screen does not have this issue. Changeset 41424 - CVE-2017-14722 Path traversal vulnerability in the customizer Changeset 41430 - CVE-2017-14720 Cross-site scripting (XSS) vulnerability in template names Changeset 41413 (same as plugin editor) - CVE-2017-14718 Cross-site scripting (XSS) vulnerability in the link modal * Not vulnerable: - CVE-2017-14724 Cross-site scripting (XSS) vulnerability in the oEmbed discovery oEmbed feature not present in this version * Hash user activation key Closes: #877629 Fixes CVE-2017-14990 -- Craig Small Wed, 11 Oct 2017 21:27:47 +1100 wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium * Backport patches from 4.7.5 Closes: #862816 - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API. Changeset 40699 - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API. Changeset 40684 - CVE-2017-9064 A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. Changeset 40730 - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Changeset 40743 - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Changeset 40711 * CVE-2017-9066 not fixed as the relevant code has changed dramatically and there is no upstream patch for it. Insufficient redirect validation in the HTTP class. * CVE-2017-8295 Don't use client-provided data to form password reset from email address, from WordPress ticket #23239 Closes: #862053 -- Craig Small Wed, 24 May 2017 22:24:48 +1000 wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium * Backport patches from 4.7.3 Closes: #857026 - CVE-2017-6814 Cross-site scripting (XSS) via media file metadata. Changeset 40155 - CVE-2017-6815 Control characters can trick redirect URL validation. Changeset 40190 - CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality. Changeset 40176 - CVE-2017-6817 Cross-site scripting (XSS) via video URL in YouTube embeds. Chamgeset 40167 * Not vulnerable: - CVE-2017-6819 Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Press This introduced in 4.2 - CVE-2017-6818 Cross-site scripting (XSS) via taxonomy term names. -- Craig Small Thu, 16 Mar 2017 06:19:41 +1100 wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high * Backport patches from 4.7.1 Closes: #851310 - CVE-2016-10066 Potential Remote Command Execution (RCE) in PHPMailer - CVE-2017-5488 Authenticated Cross-Site scripting (XSS) in update-core.php - CVE-2017-5490 Stored Cross-Site Scripting (XSS) via Theme Name fallback - CVE-2017-5491 Post via Email Checks mail.example.com by Default - CVE-2017-5492 Accessibility Mode Cross-Site Request Forgery (CSRF) - CVE-2017-5493 Cryptographically Weak Pseudo-Random Number Generator - CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload Changesets 39838 and 39857, thanks Seb * Backport patches from 4.7.2 Closes: #852767 - CVE-2017-5610 The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Changeset 39976 - CVE-2017-5611 WP_Query is vulnerable to a SQL injection (SQLi) Changeset 39962 - CVE-2017-5612 XSS in the posts list table Changeset 39985 * Not vulnerable - CVE-2017-5487 User Information Disclosure via REST API - API doesn't exist -- Craig Small Sun, 29 Jan 2017 08:53:11 +1100 wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches/CVE-2016-6635.patch: - don't duplicate wp_encode_json() which has already been backported upstream, just merge later changes, fix regression in the previous upload. closes: #839190 * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr. -- Yves-Alexis Perez Sat, 01 Oct 2016 11:38:14 +0200 wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high * Backport patches from 4.6.1/4.1.13 Closes: #837090 * CVE-2016-6896 and CVE-2016-6897 not vulnerable * Changeset 38538 sanitize filename in media CVE-2016-7168 * Changeset 38524 sanitize filename upload upgrader CVE-2016-7169 * CVE-2016-4029: WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. * CVE-2016-6634: Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. * CVE-2016-6635: Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. -- Craig Small Sat, 10 Sep 2016 08:07:11 +1000 wordpress (4.1+dfsg-1+deb8u9) jessie-security; urgency=high * Backport patches from 4.5.3/4.1.12 Closes: #828225 * Fixes CVE-2016-5834, CVE-2016-5838, CVE-2016-5839 * Changeset 37762 admin auth redirect * Changeset 37773 Customizer urls CVE-2016-5832 * Changeset 37781 Category check CVE-2016-5837 * Changeset 37790 admin escape attach * Changeset 37800 Revision capability CVE-2016-5835 * Changeset 37815 escape url permalinks * Changeset 37818 media extensionless filenames * Changeset 32387 CVE-2015-8834 XSS in comments -- Craig Small Wed, 06 Jul 2016 20:52:08 +1000 wordpress (4.1+dfsg-1+deb8u8) jessie-security; urgency=high * Changeset 36435 fixes SSRF for URLs CVE-2016-2222 * Changeset 36444 improved redirect checking CVE-2016-2221 * Closes: #813697 -- Craig Small Sat, 06 Feb 2016 15:13:23 +1100 wordpress (4.1+dfsg-1+deb8u7) jessie-security; urgency=high * Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325 -- Craig Small Sat, 09 Jan 2016 08:21:54 +1100 wordpress (4.1+dfsg-1+deb8u6) jessie-security; urgency=high * Fix changeset 33359 Closes: #803100 -- Craig Small Wed, 28 Oct 2015 21:46:15 +1100 wordpress (4.1+dfsg-1+deb8u5) jessie-security; urgency=medium * Backport of 4.3.1 security fixes Closes: #799140 * Changeset 34137 XSS in user list table * Changeset 34144 unclosed HTML elements CVE-2015-5714 * Changeset 34151 unsticky private posts CVE-2015-5715 -- Craig Small Mon, 21 Sep 2015 21:37:40 +1000 wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high * Rework changeset 33359 reliable shortcodes CVE-2015-5622 Closes: #794548 * Backports of 4.2.4 security fixes Closes: #794560 * Changeset 33555 SQL Injection CVE-2015-2213 * Changeset 33535 fixes timing attack CVE-2015-4730 * Changeset 33542 prevent posts lock attack CVE-2015-5731 * Changeset 33529 XSS widget title CVE-2015-5732 * CVE-2015-5733: Not vulnerable CS32176 fixes this * Changeset 33549 theme preview XSS CVE-2015-5734 -- Craig Small Wed, 05 Aug 2015 22:44:20 +1000 wordpress (4.1+dfsg-1+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team * Back out fautly patch: - Changeset 33359 reliable shortcodes CVE-2015-5622 -- Thijs Kinkhorst Tue, 04 Aug 2015 11:50:49 +0200 wordpress (4.1+dfsg-1+deb8u2) jessie-security; urgency=high * Removed genericons example files CVE-2015-3429 Closes: #784603 * Backports of 4.1.3 security fixes - Changeset 33357 autodraft perms CVE-2015-5623 - Changeset 33359 reliable shortcodes CVE-2015-5622 -- Craig Small Tue, 28 Jul 2015 20:42:55 +1000 wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high * Backports of 4.1.2 security fixes Closes: #783347 - Changeset 32163 sanity checks - Changeset 32165 sanitize order by - Changeset 32172 filename check - Changeset 32174 multisite change extra checks - Changeset 32176 Dashboard escapes titles - Changeset 32234 More WPDB query sanity * Backport of 4.2.1 for security fixes Closes: #783554 - Changeset 32307: XSS for long 64k+ comments -- Craig Small Sat, 02 May 2015 12:59:53 +1000 wordpress (4.1+dfsg-1) unstable; urgency=medium * New upstream release * Changed trigger to noawait Closes: #772862 * Updated apache example Closes: #773075 * Updated to standards 3.9.6 * Added getid3 and mediaelement to linktree Closes: #762523 * Removed two unbuildable mediaelement files -- Craig Small Sat, 20 Dec 2014 15:31:21 +1100 wordpress (4.0.1+dfsg-2) unstable; urgency=medium * Fixed i18n updates * twentyfourteen theme has translations Closes: #772205 -- Craig Small Sat, 06 Dec 2014 18:54:49 +1100 wordpress (4.0.1+dfsg-1) unstable; urgency=high * New upstream release * Fixes several security bugs Closes: #770425 - Three cross-site scripting issues that a contributor or author could use to compromise a site. - A cross-site request forgery that could be used to trick a user into changing their password. - An issue that could lead to a denial of service when passwords are checked. - Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. - An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008. - WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. -- Craig Small Sat, 22 Nov 2014 19:29:37 +1100 wordpress (4.0+dfsg-1) unstable; urgency=medium * New upstream release -- Craig Small Fri, 05 Sep 2014 20:58:06 +1000 wordpress (3.9.2+dfsg-1) unstable; urgency=high * New Upstream release * Fixes XML Security bug Closes: #757312 -- Craig Small Thu, 07 Aug 2014 18:26:39 +1000 wordpress (3.9.1+dfsg-1) unstable; urgency=medium * New upstream release * Use system CA certificate file Closes: #748965 -- Craig Small Wed, 11 Jun 2014 22:33:48 +1000 wordpress (3.9+dfsg-1) unstable; urgency=medium * New upstream release * 3.9 seems to handle different locations for plugins so the plugin directory handling patches have been cut back. -- Craig Small Thu, 17 Apr 2014 20:56:19 +1000 wordpress (3.8.3+dfsg-1) unstable; urgency=medium * New upstream release - fixes Quick Draft tool that broke in 3.8.2 -- Craig Small Wed, 16 Apr 2014 22:48:26 +1000 wordpress (3.8.2+dfsg-1) unstable; urgency=high * New upstream release Fixes CVE-2014-0165, CVE-2014-0166 and Closes: #744018 -- Craig Small Wed, 09 Apr 2014 22:13:54 +1000 wordpress (3.8.1+dfsg1-2) unstable; urgency=medium * Updated copyright file Closes: #736514 -- Craig Small Fri, 14 Feb 2014 22:03:49 +1100 wordpress (3.8.1+dfsg1-1) unstable; urgency=medium * Added Breaks/Replaces for combined wordpress Closes: #736688 * Removed moxieplayer.swf and added missing sources Closes: #736804 -- Craig Small Thu, 06 Feb 2014 22:42:07 +1100 wordpress (3.8.1+dfsg-1) unstable; urgency=medium * New upstream release. * Depend on either mysql or mariadb client Closes: #732914 -- Craig Small Fri, 24 Jan 2014 22:20:08 +1100 wordpress (3.8+dfsg-1) unstable; urgency=low [ Pablo Vazquez Martinez ] * Split themes in different binary packages. Closes: #723819 [ Craig Small ] * New upstream release. Closes: #733726 * Update Standards-Version to 3.9.5. * New Maintainer -- Craig Small Wed, 22 Jan 2014 22:28:02 +1100 wordpress (3.7.1+dfsg-1) unstable; urgency=low * New upstream release. * Enable usage of php5-mysqlnd as an alternative to php5-mysql. Closes: #722552 * Improve wp-setup to cope with plugins/themes directories with spaces. Thanks to Oskar Liljeblad for the patch. Closes: #723074 * Refresh patches -- Raphaël Hertzog Wed, 13 Nov 2013 20:41:09 +0100 wordpress (3.6.1+dfsg-1) unstable; urgency=high * New upstream security release. Fixes CVE-2013-4338 CVE-2013-4339 CVE-2013-4340. Closes: #722537 -- Raphaël Hertzog Thu, 12 Sep 2013 07:58:57 +0200 wordpress (3.6+dfsg-1) unstable; urgency=low * New upstream release. * Improve wp-settings to verify that $_SERVER['HTTP_X_FORWARDED_PROTO'] exists before accessing it (avoids a PHP notice). Thanks to Paul Dreik for the report and the patch. * Document in README.Debian the need to login to /wp-admin/ to complete an upgrade. * Drop useless debian/README.source * Drop 008CVE2008-2392.patch since upstream now disables unfiltered uploads by default. See http://core.trac.wordpress.org/ticket/10692 * Drop 009CVE2008-6767.patch since the backto parameter is validated against a whitelist, and externally triggered upgrades are not a security problem as long as they work. * Update debian/missing-sources with latest versions. * Update upstream l10n. -- Raphaël Hertzog Wed, 04 Sep 2013 23:18:58 +0200 wordpress (3.5.2+dfsg-1) unstable; urgency=low * New upstream release with many security fixes. Closes: #713947 * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199. * Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200. * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205. * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173. * Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204. * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201. * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203. * Additional security hardening includes: * Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201. * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201. * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202. * Update the Vcs-Git and Vcs-Browser URLs. * Update Standards-Version to 3.9.4. -- Raphaël Hertzog Tue, 25 Jun 2013 15:52:07 +0200 wordpress (3.5.1+dfsg-2) unstable; urgency=low * Only replace tinymce files by symlinks if the content is exactly the same. Closes: #700289 * Update debian/get-upstream-i18n to include supplementary PO files and use a more efficient method to update them. Closes: #697208 -- Raphaël Hertzog Mon, 11 Feb 2013 13:56:18 +0100 wordpress (3.5.1+dfsg-1) unstable; urgency=low * New upstream maintenance and security release. Closes: #698916 -- Raphaël Hertzog Mon, 28 Jan 2013 17:15:27 +0100 wordpress (3.5+dfsg-1) unstable; urgency=low * New upstream release. * Fix sample apache.conf so that Alias directives are in the proper order (from the most specific to the less specific). Closes: #693122 Thanks to Jérôme Marant for the report. * Update debian/missing-sources/ with latest upstream changes. * Update all translations. * Try to deduplicate (i.e. replace with symlinks) backbone.js and underscore.js too. * Drop debian/patches/006rss_language.patch, the rss_language option is no longer used. * Update/refresh all other patches on top of the new release. * Update lintian overrides and debian/wordpress.linktrees to match the latest changes concerning javascript libraries shipped by WordPress. * Document the loss of the twentyten theme. -- Raphaël Hertzog Fri, 21 Dec 2012 14:17:50 +0100 wordpress (3.4.2+dfsg-1) unstable; urgency=low * New upstream security & bugfix release. * Also setup languages symlink in setup-mysql. Closes: #684628 Thanks to Jun NOGATA for the analysis. * Add new patch 011support-symlinks-for-plugins.patch grabbed in the upstream ticket to allow plugin directories to be symlinks (which is required for the Debian package since we put symlinks in /var/lib/wordpress/wp-content/plugins/). Closes: #686228 -- Raphaël Hertzog Wed, 12 Sep 2012 14:52:14 +0200 wordpress (3.4.1+dfsg-1) unstable; urgency=high * New upstream security & bugfix release. Closes: #680721 Fixes CVE-2012-3383, CVE-2012-3384, CVE-2012-3385. -- Raphaël Hertzog Tue, 03 Jul 2012 08:36:08 +0200 wordpress (3.4+dfsg-3) unstable; urgency=low * [f7a1c09] Drop useless postrm. * [d92219b] Add a prerm script calling wp-setup --purge-wp-content on remove. Closes: #678842 * [2fbf903] Allow wp-setup to symlink files as well as directories. * [cef928f] Let wp-setup also manage /var/lib/wordpress/wp-content/languages/. * [ac86408] Densify output of wp-setup. -- Raphaël Hertzog Tue, 26 Jun 2012 10:47:25 +0200 wordpress (3.4+dfsg-2) unstable; urgency=low * [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that users are correctly informed of the latest changes. * [e3b7b1c] Improve preinst to also move the /usr/share/wordpress/wp-content/uploads directory to its new location in /var/lib/wordpress/wp-content/. The package never created this directory but many users probably created it and we need to do this to let dpkg install the symlink that we put into place. * [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content. When activated, it will execute wp-setup --sync-wp-content which updates /var/lib/wordpress/wp-content/ with symlinks to plugins/themes that have been added and it drops symlinks to plugins/themes which have disappeared. (Closes: #677889) -- Raphaël Hertzog Thu, 21 Jun 2012 20:44:53 +0200 wordpress (3.4+dfsg-1) unstable; urgency=low * New upstream release. Closes: #677534 [ Raphaël Hertzog ] * [a1c0409] Refresh and update all patches to correctly apply on version 3.4. * [3804496] Update debian/missing-sources/ to match the current versions of embedded javascript and flash files. * [185b051] Drop the old "default" theme (and its French translation) * [966ce6c] Grab latest translations * [1983326] Update Standards-Version to 3.9.3 (no change). * [29c48b6] Increase debhelper compat level to 9. * [73e16d0] Replace debian/dh_linktree by the packaged version. * [359b660] Update debian/wordpress.linktrees to match latest developments. * [645b650] Let setup-mysql lowercase the FQDN since the configuration scheme expects this. Thanks to Chris Butler for the report (Closes: #658395) * [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted permissions (Closes: #616400) * [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only a dispatcher to the real configuration file (Closes: #592502) * [b602372] Improve wp-config.php so that WordPress works behind an https reverse-proxy. * [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985, #639980) * [683a908] Update wp-config.php to not redefine constants which have already been set. Thanks to Richard van den Berg for the report. (Closes: #613283) * [315eb68] Let wordpress-l10n depend on the same version than wordpress. (Closes: #623557) * [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to /var/lib/wordpress/wp-content. And the package provides this new directory appropriately setup with write rights to www-data on blogs.dir and uploads. themes and plugins are root-owned directories with symlinks pointing back to the default themes and plugins. (Closes: #675469) * [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use $upload_dir). (Closes: #658508) * [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js. * [8d46dab] Use dpkg-maintscript-helper to drop obsolete /etc/wordpress/wp-config.php [ Martin Bagge / brother ] * [56d0a34] Improve the setup script to be able to use a remote MySQL server. -- Raphaël Hertzog Sat, 16 Jun 2012 01:19:20 +0200 wordpress (3.3.2+dfsg-1) unstable; urgency=high * New upstream security release. Closes: #670124 * Use the embedded copy of SimplePie until #669054 is resolved. -- Raphaël Hertzog Tue, 24 Apr 2012 00:31:42 +0200 wordpress (3.3.1+dfsg-1) unstable; urgency=low * New upstream security release. Fixes CVE-2012-0287. -- Raphaël Hertzog Wed, 04 Jan 2012 10:15:05 +0100 wordpress (3.3+dfsg-1) unstable; urgency=low * New upstream release. Closes: #652041 * [4deb832] Add all the missing sources in debian/missing-sources/. (Closes: #646729) * [913eba5] Refresh all patches. * [ae61778] Use xz compression for the debian tarball to save some space. -- Raphaël Hertzog Tue, 20 Dec 2011 01:01:50 +0100 wordpress (3.2.1+dfsg-3) unstable; urgency=medium * Upload with urgency medium to speed up a bit the transition to testing since the testing version is broken. * [72d01a3] Improve dh_linktree. It is now able to generate dependencies and to have different behaviour for each file to replace. Modify wordpress.linktrees to ensure we have the very same JQuery files but blindly replaces all the other files. Drop the explicit dependencies in favor of the autogenerated dependencies. As a side-effect this fixes installation of widgets which was broken by the mismatch of some JQuery ui files. * [bbce711] Add lintian overrides for warnings about the embedded copy of JQuery. We do a reasonable effort to replace it if it matches. -- Raphaël Hertzog Thu, 27 Oct 2011 16:01:49 +0200 wordpress (3.2.1+dfsg-2) unstable; urgency=low * [af74ce2] Add a preinst to drop symlinks to directories for tinymce and cropper. The new dh_linktree only symlinks files and hierarchies are duplicated. So we have to drop symlinks to directories in the preinst, otherwise dpkg installs the new symlinks in the tinymce/cropper directories instead of in the wordpress ones. Also drop the upgrade code in the postinst converting the same directories into symlinks... (Closes: #639733) * [0b51c4f] Invite users affected by #639733 to reinstall tinymce/libjs-cropper. * [55af033] Fix invalid test in postinst (upgrade → configure) "upgrade" is not a valid parameter in the postinst. Instead we get "configure". -- Raphaël Hertzog Sat, 22 Oct 2011 17:01:25 +0200 wordpress (3.2.1+dfsg-1) unstable; urgency=low [ Paul Tagliamonte ] * [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean tarball. It drops all the sourceless flash files. Closes: #625773 [ Raphaël Hertzog ] * [d1035bd] Imported Upstream version 3.2.1+dfsg * [b968405] Update and refresh all patches. * [10ab97c] Drop manifest.patch because the description in its header doesn't make any sense. * [87537db] Update dependencies as per new upstream requirements. * [0c534ec] Update packaging to avoid using even more embedded PHP/JS libraries. * [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries. * [8690719] Add lintian override for embedded-php-library streams.php since it's a false positive. * [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed). * [938fb15] Update internationalization files. * [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can be replaced by dh_linktree. -- Raphaël Hertzog Mon, 08 Aug 2011 23:06:20 +0200 wordpress (3.0.5+dfsg-1) unstable; urgency=medium * [077b77b] Imported Upstream version 3.0.5+dfsg * [8d1ce17] Refreshed patches -- Giuseppe Iuculano Fri, 11 Feb 2011 17:50:40 +0100 wordpress (3.0.4+dfsg-1) unstable; urgency=high * [9d62499] Imported Upstream version 3.0.4+dfsg - This is critical security update, more info: http://wp.me/pZhYe-qt -- Giuseppe Iuculano Thu, 30 Dec 2010 14:47:40 +0100 wordpress (3.0.3.dfsg-1) unstable; urgency=high * [e113893] Imported Upstream version 3.0.3.dfsg - Re-packaged without the hello dolly plugin (Closes: #607240) * [9d62cfd] Removed hello.patch -- Giuseppe Iuculano Tue, 28 Dec 2010 17:22:34 +0100 wordpress (3.0.3-1) unstable; urgency=high * [014c926] Imported Upstream version 3.0.3 (Closes: #606657) * [f29b6ac] Use GPL-compliant lyrics in the hello dolly plugin. (Closes: #607240) -- Giuseppe Iuculano Fri, 17 Dec 2010 11:03:55 +0100 wordpress (3.0.2-1) unstable; urgency=high [ Raphaël Hertzog ] * [9d6922c] Improve wp-config.php to support sites on subdomains and htaccess by providing directives ready to uncomment [ Giuseppe Iuculano ] * [1dc32d3] Imported Upstream version 3.0.2 (Closes: #605880) - Author level SQL injection vulnerability fixed (Closes: #605603) * [b4f2869] Refreshed debian/patches/001readme.patch * [612c23f] Remove flv_player.swf from manifest.php (Closes: #602732) -- Giuseppe Iuculano Tue, 07 Dec 2010 08:43:38 +0100 wordpress (3.0.1-2) unstable; urgency=low * [e8a913f] Remove swfupload.swf from the binary package, as it cannot be built from source, violating the Policy. (Closes: #591195) * [92493d0] Document in Readme.Debian how to get swfupload.swf * [3663a53] debian/get-upstream-i18n: download also configuration files for RTL-languages (Closes: #585784) * [8bbdc8b] Added a missing define in debian/wp-config.php (Closes: #590859) * [34dd063] Updated language files * [adf55b3] Install *.php configuration files for RTL-languages -- Giuseppe Iuculano Thu, 02 Sep 2010 10:33:50 +0200 wordpress (3.0.1-1) unstable; urgency=low * [e6e4f09] Updated watch file * [12dd7cd] Imported Upstream version 3.0.1 * [7f03621] Bump to standards-version 3.9.1, no changes needed -- Giuseppe Iuculano Wed, 04 Aug 2010 16:41:24 +0200 wordpress (3.0-1) unstable; urgency=low [ Giuseppe Iuculano ] * [a57d26e] Imported Upstream version 3.0 (Closes: #586764) * [a74cd68] MU: enable multi-user by default and install the proper blogs.dir directory * [ffd926e] fix the blogs.dir link * [c81081d] Adjust MU setup for Debian installations * [c14dd9d] Update language files * [6a7296f] Added Raphaël Hertzog in Uploaders * [7ea24ff] Updated watch file [ Raphaël Hertzog ] * [2d1df3e] Update patch debian/patches/001readme.patch * [58a772e] Update patch debian/patches/003installer.patch * [332abfc] Update patch debian/patches/006rss_language.patch * [ee99544] Update patch debian/patches/008CVE2008-2392.patch * [b960914] Refresh patch debian/patches/009CVE2008-6767.patch * [511eea7] Refresh patch debian/patches/010disabling_update_note.patch * [22c5015] Refresh patch debian/patches/manifest.patch * [7cfe147] Switch to source format 3.0 (quilt). * [8c86759] Add back the default theme that has been dropped upstream * [390188e] Adjust links and rules to cope with removal of scriptaculous/prototype.js * [1313b13] Add package prefix to many debian/ files for clarity * [c4e7651] Switch to dh7 tiny rules file and general cleanup of the build process. * [625cdbb] Updated Vcs-Git/Vcs-Browser to point to the collab-maint repository. -- Giuseppe Iuculano Sun, 27 Jun 2010 15:47:40 +0200 wordpress (2.9.2-1) unstable; urgency=low * [3f228c1] Imported Upstream version 2.9.2 * [7965955] Bump to Standards-Version 3.8.4 (no changes) * [e86fd59] Updated language files -- Giuseppe Iuculano Tue, 16 Feb 2010 12:41:01 +0100 wordpress (2.9.1-2) unstable; urgency=low * [4a7279a] Fixed the security id in wp-admin/menu.php (Closes: #561832) - thanks to Franck Nouyrigat * [aa0f3a0] Allow site names with dash character. (Closes: #566224) - thanks to Mikko Visa * [ee0a44e] Updated language files -- Giuseppe Iuculano Fri, 22 Jan 2010 19:07:14 +0100 wordpress (2.9.1-1) unstable; urgency=low * [a83b8fd] Imported Upstream version 2.9.1 * [216890e] Added ${misc:Depends} in Depends * [ec95986] Updated language files -- Giuseppe Iuculano Wed, 06 Jan 2010 13:20:35 +0100 wordpress (2.9-1) unstable; urgency=low * [fdd001e] Change wordpress-l10n section (localization) * [625fa21] Imported Upstream version 2.9 * [dd9b536] Refreshed patches * [1ce2a9d] Do not remove anymore plugins/wordpress/js direcotry * [3287ec5] Updated language files (Closes: #556902) -- Giuseppe Iuculano Wed, 23 Dec 2009 14:31:36 +0100 wordpress (2.8.6-1) unstable; urgency=low * [cf87b24] Updated debian/watch (Closes: #555729) - thanks to Hideki Yamane * [997165e] Imported Upstream version 2.8.6 * [05395e1] debian/wp-config.php: sanitize $debian_server and do not check if $debian_file is under /etc/wordpress (Closes: #549436) * [dc016ce] Updated language files -- Giuseppe Iuculano Sat, 14 Nov 2009 12:53:07 +0100 wordpress (2.8.5-1) unstable; urgency=high * [b0ebbe1] Imported Upstream version 2.8.5 (Closes: #551841) - This version fixes CVE-2009-3622, Wordpress Trackback DoS * [cad0da2] Updated languages files * [e8438f2] Use /var/log/apache2 directory in the apache example file (Closes: #551380) -- Giuseppe Iuculano Wed, 21 Oct 2009 21:43:31 +0200 wordpress (2.8.4-3) unstable; urgency=low * [dc295db] Provide a more descriptive errror message if the vhost config file is not found. (LP: #365783) * [c23192a] Depend on libjs-jquery >= 1.3.3-1 (Closes: #544473) - thanks to Arnaud Guiton * [fd27308] Updated debian/copyright * [94ad7d3] Split up the language files into a separate package * [08334d7] Updated language files * [6682ab3] Updated my email address and removed DM-Upload-Allowed control field -- Giuseppe Iuculano Sat, 03 Oct 2009 10:28:16 +0200 wordpress (2.8.4-2) unstable; urgency=low * [e582ddd] Removed reference about drag.gif in manifest.php, thanks to Michel Meyers (Closes: #517969) * [a0d70c8] Do not symlink readme.html, instead install it in /usr/share/wordpress * [e81e4c3] Depend on tinymce (>= 3.2.6-0.1) and added a proper symlink to the tabfocus plugin * [0492b02] Added a note in NEWS and README.debian about the secondary consequence caused by the previous fix for a possible script injection via /etc/wordpress/wp-config.php * [6a3c803] Updated language files -- Giuseppe Iuculano Wed, 26 Aug 2009 14:53:43 +0200 wordpress (2.8.4-1) unstable; urgency=low * [5f0812d] Imported Upstream version 2.8.4 * [e1ea94b] Switch to quilt * [cf8904e] Removed Andrea De Iacovo from Maintainer field, thanks Andrea for the prior work on wordpress! * [6013bd8] Removed 007_REQUEST.patch, upstream already fixed CVE-2008-5113 in a better way * [8da39ea] Removed 004languages.patch, it contains outdated languages files * [d5696ea] debian/control: Updated Vcs control field * [89316e0] debian/rules: Comment the DH_VERBOSE export * [cf78bf5] debian/wp-config.php: check if $debian_file is under /etc/wordpress and mitigate a possible script injection via /etc/wordpress/wp-config.php. Thanks to Raphael Geissert (Closes: #500295) * [ece1c25] debian/get-upstream-i18n: Do not remove outdated language files by default * [59547a2] Do not embed tinymce, php-gettext and cropper. (Closes: #504242) * [848828d] debian/postinst: Create the symlinks manually, dpkg doesn't replace directories with symlinks. (Closes: #517969) * [2af4aea] debian/patches/009CVE2008-6767.patch: Grant upgrade privilege to all admin users. Thanks to Ivan Warren (Closes: #541371) * [46e8f2b] debian/control: Removed the sentence about the French language support, now there are a lot of language files * [fcd94c6] debian/control: Remove outdated packages from Depends, Suggests, and Conflicts * [9c28177] Updated to standards version 3.8.3 (No changes needed) * [700156e] Added a README.source (Debian Policy Manual section 4.14) * [13a98d5] Updated language files * [a86b72a] Do not install readme.html in doc, it doesn't contain any relevant information for Debian users * [25d4e8e] Updated copyright file -- Giuseppe Iuculano Tue, 18 Aug 2009 08:28:23 +0200 wordpress (2.8.3-2) unstable; urgency=medium * [2372863] debian/patches/011enforce_activaction_key.dpatch: Enforce activation key to be a string (Closes: #541102) * [cb80386] Fixed CVE-2008-6767 patch and prevent redirect loop. (Closes: #541199) -- Giuseppe Iuculano Wed, 12 Aug 2009 18:18:52 +0200 wordpress (2.8.3-1) unstable; urgency=medium * [f625087] Imported Upstream version 2.8.3 (Closes: #533387, #539411) This release fixed several security issue: - Privileges unchecked and multiple information disclosures. (CVE-2009-2334, CVE-2009-2335, CVE-2009-2336) (Closes: #536724) - CVE-2009-2431, CVE-2009-2432: Obtain sensitive information (Closes: #537146) - CVE-2008-6762: Open redirect vulnerability in wp-admin/upgrade.php (Closes: #531736) * [347c164] debian/control: Added Giuseppe Iuculano in Uploaders, added Vcs and DM-Upload-Allowed control field * [92fb4ab] Bump to debhelper 7 compatibility levels * [5b8536e] Refreshing patches * [d999c0e] Added a watch file * [4163c0c] debian/rules: Do not remove the autosave tinymce plugin, there isn't anymore. * [9c4d0e5] debian/get-upstream-i18n: download .xpi files into debian/languages * [76b7c5c] Install language files * [a0bfad2] Move gettext in Build-Depends-Indep * [8b607bf] Use set -e instead of passing -e to the shell on the #! line * [6cbbf36] debian/patches/009CVE2008-6767.dpatch: Only admin can upgrade wordpress. (CVE-2008-6767) (Closes: #531736) * [d6adfbe] Disabled the the "please update" warning, thanks to Hans Spaans and Rolf Leggewie (Closes: #506685) * [15c360c] Updated to standards version 3.8.2 (No changes needed) -- Giuseppe Iuculano Tue, 11 Aug 2009 16:30:35 +0200 wordpress (2.7.1-2) unstable; urgency=low * setup-mysql corrected to accept domain names with hyphens (Closes: #514447) * wp-config.php now dies if no config file is found (Closes: #500296) * now the static browser uploader is supported (Closes: #501507) Users che chose to use the browser (instead of flash) to upload media files. -- Andrea De Iacovo Sun, 15 Feb 2009 19:13:35 +0100 wordpress (2.7.1-1) experimental; urgency=low * Merge with upstream Wordpress-2.7 (Closes: #514845) * Corrected security regression on CVE-2008-2392. Admins had unfiltered upload capability again. Now this options is disabled by default and can be enable through the security options panel. -- Andrea De Iacovo Thu, 12 Feb 2009 00:39:29 +0100 wordpress (2.7-1) experimental; urgency=low * Merge with upstream Wordpress-2.7 (Closes: #507356) * README file is now more clear about Apache configuration (Closes: #511312, #507981) -- Andrea De Iacovo Mon, 12 Jan 2009 12:30:05 +0100 wordpress (2.6.2-2) experimental; urgency=low * 007CVE2008-2392.patch modified. Now users chan dinamically choose to enable unrestricted upload for admins. -- Andrea De Iacovo Thu, 06 Nov 2008 10:38:07 +0100 wordpress (2.6.2-1) experimental; urgency=low * Merge with upstream Wordpress-2.6.2 (Closes: #490977) * Dependency field was changed to erase useless dependencies (Closes: #496240) -- Andrea De Iacovo Tue, 23 Oct 2008 17:20:34 +0200 wordpress (2.5.1-8) unstable; urgency=high * Added 009CVE2008-4106 patch. (Closes: #500115) Whitespaces in user name are now checked during login. It's not possible to register an "admin(n-whitespaces)" user anymore to gain unauthorized access to the admin panel. -- Andrea De Iacovo Thu, 25 Sep 2008 17:02:47 +0200 wordpress (2.5.1-7) unstable; urgency=high * Modified CVE2008-3747 patch. (Closes: #497524) The old patch made the package completely unusable. The new one should solve the issue. (Thanks to Del Gurt) -- Andrea De Iacovo Thu, 04 Sep 2008 00:42:11 +0200 wordpress (2.5.1-6) unstable; urgency=high * Added patch to fix remote attack vulnerability (Closes: #497216) Attackers could gain administrative powers by sniffing cookies. This patch force wordpress over a ssl connection to prevent this issue. (CVE-2008-3747) -- Andrea De Iacovo Sun, 31 Aug 2008 09:02:22 +0200 wordpress (2.5.1-5) unstable; urgency=low * Modified rules file to have a lintian clean package. -- Andrea De Iacovo Mon, 16 Jun 2008 18:41:21 +0200 wordpress (2.5.1-4) unstable; urgency=low * Added patch to fix unrestricted file upload vulnerability (Closes: #485807) Now administrators can upload only files that are in the standard mime-type set (Fixes CVE-2008-2392) -- Andrea De Iacovo Sat, 14 Jun 2008 17:31:04 +0200 wordpress (2.5.1-3) unstable; urgency=low * rss_language is now modifiable through wp-admin panel. Thanks to Lionel Elie Mamane (Closes: #461584) * Makes Wordpress depend on tinymce (>= 3.0.7) -- Andrea De Iacovo Mon, 05 May 2008 23:39:35 +0200 wordpress (2.5.1-2) unstable; urgency=low * Wordpress provides a MODIFIED tinymce (Closes: #478257) * Setup-mysql script modified to handle SECURITY_KEY. (Closes: #478515) -- Andrea De Iacovo Mon, 28 Apr 2008 18:45:10 +0200 wordpress (2.5.1-1) unstable; urgency=high * Merged with upstream 2.5.1 security release * CVE-2008-1930 integrity protection vulnerability (Closes: #477910) * Depends on tinymce -- Andrea De Iacovo Sat, 26 Apr 2008 19:08:14 +0200 wordpress (2.5.0-2) unstable; urgency=low * New maintainer. (Closes: #473451: ITA: wordpress -- weblog manager) * Doesn't have a sane upload directory set (Closes: #430781) * Don't embedd prototype/scriptaculous (Closes: #475284 -- Andrea De Iacovo Fri, 18 Apr 2008 20:50:26 +0100 wordpress (2.5.0-1) unstable; urgency=low [ Kai Hendry ] * New Upstream Version [ Lionel Elie Mamane ] * Import translations as of 2008-04-01: ca.po, fr_FR, id_ID, ja, pt_PT, ru_RU, sr_RS * Update French theme to 2.5.0 -- Lionel Elie Mamane Wed, 02 Apr 2008 00:33:30 +0200 wordpress (2.3.3+fr-2) unstable; urgency=low * Update French translation to 2.3.3 upstream version. -- Lionel Elie Mamane Mon, 03 Mar 2008 11:09:56 +0100 wordpress (2.3.3+fr-1) unstable; urgency=low * Add French language support back (accidentally dropped in 2.3.2-1, closes: #461617) -- Lionel Elie Mamane Sat, 09 Feb 2008 09:44:24 +0100 wordpress (2.3.3-1) unstable; urgency=high * New upstream security release: http://wordpress.org/development/2008/02/wordpress-233/ - Fix for security flaw in XML-RPC implementation (CVE-2008-0664, closes: #464170) and http://trac.wordpress.org/ticket/5313 -- Kai Hendry Tue, 05 Feb 2008 16:22:57 +0000 wordpress (2.3.2+fr-1) unstable; urgency=low * Add French language support (Closes: #461617) * Bump up Standards-Version to 3.7.3 * Move Homepage from description to dpkg field * Tweak description to make it less advertisy * Consistently prefer php5 over php4 in dependency alternatives * Don't override local admin's idea of permissions on /etc/wordpress/config-* on every upgrade. -- Lionel Elie Mamane Mon, 21 Jan 2008 23:08:32 +0100 wordpress (2.3.2-1) unstable; urgency=high * New upstream security release * http://wordpress.org/development/2007/12/wordpress-232/ * new version 2.3.2 fixes security bugs (Closes: #459305) -- Kai Hendry Sun, 06 Jan 2008 18:12:21 +0000 wordpress (2.3.1-1) unstable; urgency=high * New upstream security release * http://wordpress.org/development/2007/10/wordpress-231/ * should depend on php4-gd | php5-gd (Closes: #447492) php4-gd | php5-gd moves from suggests to depends * Bugs closed in this release: http://trac.wordpress.org/query?status=closed&milestone=2.3.1 -- Kai Hendry Sun, 28 Oct 2007 17:20:12 +0000 wordpress (2.3-1) unstable; urgency=low * New upstream release * Maintainer meets upstream: http://flickr.com/photos/hendry/1468125949/ * http://wordpress.org/development/2007/09/wordpress-23/ -- Kai Hendry Mon, 01 Oct 2007 23:51:59 +0100 wordpress (2.2.3-1) unstable; urgency=high * New upstream security release * http://wordpress.org/development/2007/09/wordpress-223/ * wordpress debian config overrides $file, $server in upstream php files (Closes: #440572) -- Kai Hendry Mon, 10 Sep 2007 19:36:34 +0100 wordpress (2.2.2-1) unstable; urgency=high * New upstream security release * http://wordpress.org/development/2007/08/wordpress-222-and-2011/ * Bugs closed http://trac.wordpress.org/query?status=closed&milestone=2.2.2 * Changed files http://trac.wordpress.org/changeset?new=branches%2F2.2%405849&old=branches%2F2.2%405725 * Several vulnerabilities detected (XSS, SQL-injection) (Closes: #435848) * wp-config.php breaks when accessed with port (Closes: #435289) -- Kai Hendry Sun, 05 Aug 2007 09:59:15 +0100 wordpress (2.2.1-1) unstable; urgency=high * New upstream release * http://wordpress.org/development/2007/06/wordpress-221/ * Needs to use libphp-phpmailer (Closes: #429346) * [CVE-2007-3215] remote shell command injection in PHPMailer (Closes: #429194) * remote SQL injection vulnerability (Closes: #428073) -- Kai Hendry Sat, 23 Jun 2007 12:47:10 +0100 wordpress (2.2-1) unstable; urgency=low * New upstream release * http://wordpress.org/development/2007/05/wordpress-22/ -- Kai Hendry Wed, 16 May 2007 09:54:36 +0100 wordpress (2.1.3-1) unstable; urgency=high * New upstream security release * http://wordpress.org/development/2007/04/wordpress-213-and-2010/ * attempt to create a link into /srv/www/, directory which may not exist (Closes: #409258) -- Kai Hendry Wed, 04 Apr 2007 20:35:40 +0100 wordpress (2.1.2-1) unstable; urgency=high * New upstream security release * possible security issue (Closes: #413171) * http://trac.wordpress.org/ticket/3879 * http://wordpress.org/development/2007/03/upgrade-212/ -- Kai Hendry Sun, 4 Mar 2007 20:53:12 +0000 wordpress (2.1.1-1) unstable; urgency=high * New upstream security release * Updated copyright with new download link * http://wordpress.org/development/2007/02/new-releases * http://trac.wordpress.org/milestone/2.1.1 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049 -- Kai Hendry Wed, 21 Feb 2007 11:14:33 +0000 wordpress (2.1.0-1) unstable; urgency=low * New upstream release * http://wordpress.org/development/2007/01/ella-21/ * Thanks to #debian-devel's Sesse and seanius to help fix the execute perm problems on wp-includes/ * Modified Blogroll to point only to Planet Debian -- Kai Hendry Tue, 23 Jan 2007 14:47:30 +0000 wordpress (2.0.7-1) unstable; urgency=low * New upstream release * New upstream available (security fix) (Closes: #407116) * Thanks to Fabio Tranchitella and Moritz Muehlenhoff for their support * Improved the copyright at Moritz's request * Moritz says the security fix does not apply to Debian's PHP hence low urgency * See http://wordpress.org/development/2007/01/wordpress-207/ for details of minor changes * Tweaked the dependency line for better php5 support * setup-mysql -h minor usage summary error + should be executable (Closes: #407496) -- Kai Hendry Fri, 19 Jan 2007 10:35:57 +0000 wordpress (2.0.6-1) unstable; urgency=high * New upstream release * Security fix, urgency high. * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()" Function Client-Side Cross Site Scripting Vulnerability. (Closes: #405299, #405691) -- Kai Hendry Fri, 5 Jan 2007 14:04:56 +0000 wordpress (2.0.5-0.1) unstable; urgency=medium * NMU on maintainer's request. * Security fix, urgency medium. * readme.html: s/license.txt/copyright/. (Closes: #382283) * New upstream release, which fixes: - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup plugin for WordPress. (Closes: #384800) -- Fabio Tranchitella Fri, 3 Nov 2006 15:12:06 +0100 wordpress (2.0.4-2) unstable; urgency=low * examples/setup-mysql doesn't work with dash (Closes: #372128) * installs apache AND apache2 by default (Closes: #379118) Many thanks to Fabio Tranchitella and Jesus Climent * "Publish" produces broken links (Closes: #367001) Disabled "Rich editor" by default -- Kai Hendry Sun, 6 Aug 2006 12:39:56 +0100 wordpress (2.0.4-1) unstable; urgency=high * New upstream release * examples/setup-mysql doesn't work with dash (Closes: #372128) -- Kai Hendry Sun, 6 Aug 2006 11:59:39 +0100 wordpress (2.0.3-1) unstable; urgency=high * New upstream release * 'Cache' shell injection vulnerability (Closes: #369014) -- Kai Hendry Fri, 2 Jun 2006 21:00:51 +0900 wordpress (2.0.2-2) unstable; urgency=high * setup-mysql fails if the domain contains a port number (Closes: #362171) * Insecure file permissions in /etc/wordpress (Closes: #363580) * Added a postinst to help users correct permissions -- Kai Hendry Thu, 20 Apr 2006 10:12:56 +0900 wordpress (2.0.2-1) unstable; urgency=high * New upstream release * 'This would have been out sooner, if I wasn't in hospital' release ;) * Changed blogroll link to Planet Debian * Altered 'plugin policy', it's now DIY * mysql syntax error when running setup-mysql script (Closes: #355958) * Several vulnerabilities discovered by 'snake oil' Neo Security Team (Closes: #355055) http://somethingunpredictable.com/archives/01/03/2006/wordpress-vulnerabilities-bogus/ * http://wordpress.org/development/2006/03/security-202/ -- Kai Hendry Mon, 13 Mar 2006 12:44:44 +0900 wordpress (2.0.1-1) unstable; urgency=low * New upstream release * CSS Security Vulnerability (Closes: #328909) * Please announce that upgrade.php needs to be run after update (Closes: #348458) -- Kai Hendry Thu, 2 Feb 2006 11:22:31 +0900 wordpress (2.0-1) unstable; urgency=low * New upstream release * Closes: #320462: Wordpress replaces valid characters in urls with HTML entities, breaking the URL * Closes: #326685: Incorrectly mangles URLs using the wptexturize function * Closes: #347339: Wordpress version 2 is available * Closes: #345508: Should have a dependancy on the php5-gd package -- Kai Hendry Fri, 13 Jan 2006 03:58:59 +0000 wordpress (1.5.2-2) unstable; urgency=low * Now with support for PHP5 * Requires mysql-server when the server can actually be on a remote server (Closes: #328554) -- Kai Hendry Thu, 22 Sep 2005 13:56:50 +1000 wordpress (1.5.2-1) unstable; urgency=high * New upstream "security fix" release * Closes: #323040: CAN-2005-2612 * See: http://wordpress.org/development/2005/08/one-five-two/ -- Kai Hendry Fri, 19 Aug 2005 10:58:17 +1000 wordpress (1.5.1.3-4) unstable; urgency=medium * 'I really should have tested this on another machine' release * Closes: #319007: dbconfig dep screws upgrade -- Kai Hendry Tue, 19 Jul 2005 20:03:10 +1000 wordpress (1.5.1.3-3) unstable; urgency=low * Improved the setup-mysql script for Wordpress MASS hosting with Apache's VirtualDocumentRoot -- Kai Hendry Fri, 15 Jul 2005 10:50:59 +1000 wordpress (1.5.1.3-2) unstable; urgency=high * The no XML-RPC vulnerabilities here release. ;) * Strongly advised to upgrade due to inconsistencies between 1.5.1.3-1 orig tar.gz and the upstream 1.5.1.3 latest.tar.gz after checking. * Closes: #312721: wordpress does not see mysql * Changed upstream's default links. Controversial? -- Kai Hendry Fri, 8 Jul 2005 12:11:23 +1000 wordpress (1.5.1.3-1) unstable; urgency=high * New upstream release * Yet another security release: http://wordpress.org/development/2005/06/wordpress-1513 -- Kai Hendry Thu, 30 Jun 2005 15:25:27 +1000 wordpress (1.5.1.2-1) unstable; urgency=high * New upstream release * Another security release: http://wordpress.org/development/2005/05/security-update/ -- Kai Hendry Sun, 29 May 2005 00:52:39 +1000 wordpress (1.5.1-1) unstable; urgency=high * Upstream changelog is here: http://codex.wordpress.org/Changelog/1.5.1 * Fixes an unannounced "important security fix" -- Tue, 10 May 2005 01:48:34 +0100 wordpress (1.5.0-2) unstable; urgency=low * Thanks to NOKUBI Takatsugu and the Debian Japan people for making this release possible * Moved mysql setup out of postinst allowing multiple blogs on the host at the loss of automated mysql setup. * Closes: #298563: incompatible with mysql-server-4.1 * Closes: #298571: multiple installation support * Closes: #300200: multiple installation support * Closes: #300757: How would one add plugins to wordpress ? -- Kai Hendry Sat, 23 Apr 2005 15:17:45 +0900 wordpress (1.5.0-1) unstable; urgency=high * Closes: #275814: New version fixes security flaws http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1559 * Closes: #288613: /usr/share/wordpress/readme.html missing * Closes: #287086: new upstream 1.2.2 * Added some NEWS that users will find helpful in the upgrade -- Kai Hendry Fri, 25 Feb 2005 07:11:47 +0200 wordpress (1.2.2-1.1) unstable; urgency=medium * NMU * Thank you Dominic Hargreaves and svn-upgrade -- Kai Hendry Sat, 18 Dec 2004 09:32:14 +0200 wordpress (1.2.1-1.1) unstable; urgency=medium * NMU * Closes: #275814: New upstream release that fixes security problem detailed: http://secunia.com/advisories/12773/ * Closes: #276112: Need more complete README.Debian for new users Added some detail to README.Debian * Escaped a mysql line in the postrm that might avoid a bug. -- Kai Hendry Sat, 27 Nov 2004 16:48:32 +0200 wordpress (1.2.0-1.1) unstable; urgency=low * NMU * Closes: #250812: New upstream * Closes: #251653: apache2 support * Closes: #255121: conffiles not marked * Revised dependency on mysql-server otherwise debian-sys-maint will never work * Thanks to Teemu Hukkanen, Corey Wright, Christian Hammers and Matt Mullenweg -- Kai Hendry Thu, 12 Aug 2004 21:50:04 +0300 wordpress (1.0.2-1) unstable; urgency=low * New upstream release * New package description (Closes: #237137) * Made a plain text version of readme.html -- Gabriel Rodríguez Alberich Sun, 21 Mar 2004 18:25:20 +0000 wordpress (1.0.1-1) unstable; urgency=low * Initial release (Closes: #230034) -- Gabriel Rodríguez Alberich Thu, 26 Feb 2004 19:37:33 +0000