Bug 217608 - */wordpress*: Updates to 4.7.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Torsten Zuehlsdorff
Reported: 2017-03-07 12:16 UTC by Jochen Neumeister
Modified: 2017-03-08 13:21 UTC
tz: merge-quarterly+


Attachments
Patch (4.61 KB, patch)
2017-03-07 12:16 UTC, Jochen Neumeister
joneum: maintainer-approval+

Description Jochen Neumeister freebsd_committer freebsd_triage 2017-03-07 12:16:30 UTC
Created attachment 180598
Patch

WordPress 4.7.3 Security and Maintenance Release: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

    Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
    Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
    Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by xuliang.
    Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
    Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
    Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.


This patch will update the following ports:

www/wordpress
chinese/wordpress-zh_CN
chinese/wordpress-zh_TW
german/wordpress
japanese/wordpress

poudriere builds fine for:
9.3 amd + i386
10.3 amd + i386
12-current amd + i386 (r313761)


Cheers
jochen
Comment 1 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-03-07 13:30:30 UTC
Aloha Jochen,

since I'm already doing the updates for our customers, I grep your PR too ;)

Did you ever try to update a vuxml entry? Have a look at security/vuxml. You already know my email if you have any questions. ;)
The vuxml entry should be added whenever security is concerned. It's a way to tell the user via pkg audit that there are known security issues on his computer.

Greetings,
Torsten
Comment 2 Jochen Neumeister freebsd_committer freebsd_triage 2017-03-07 13:40:17 UTC
(In reply to Torsten Zuehlsdorff from comment #1)
Heya Torsten,

a long time ago, Beat explained it to me on IRC. I will search in my IRC logs. I'll try it.
Comment 3 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-03-07 13:46:09 UTC
Aloha Jochen,

it's a simple (but confusing) XML (=text) file. Have a look at it and an older wordpress entry. This should be enough for the first try!

Greetings,
Torsten
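
Added example, not part of the original thread or the committed vuln.xml: comments 1 and 3 describe a VuXML entry as an XML record that lets pkg audit flag installed packages, and this sketch shows the shape of such an entry and the range check applied to it. The vid, the package names, the range and the helper names (`vtuple`, `in_range`, `audit`) are constructed for illustration, and version comparison is simplified to dotted numeric versions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified entry in the style of security/vuxml/vuln.xml.
# The vid, package list and range are placeholders, not the committed entry.
ENTRY = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>wordpress -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>wordpress</name>
      <name>de-wordpress</name>
      <range><lt>4.7.3</lt></range>
    </package>
  </affects>
  <references>
    <url>https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/</url>
  </references>
</vuln>
"""

def vtuple(version):
    # Assumption: plain dotted numeric versions only; real pkg version
    # comparison also handles PORTREVISION (_N) and PORTEPOCH (,N).
    return tuple(int(part) for part in version.split("."))

OPS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def in_range(rng, version):
    # All bounds inside one <range> must hold (e.g. <ge> and <lt> together).
    return all(OPS[b.tag](vtuple(version), vtuple(b.text)) for b in rng)

def audit(entry_xml, installed):
    """Return (package, version, topic) for each installed package the entry affects."""
    vuln = ET.fromstring(entry_xml)
    topic = vuln.findtext("topic")
    hits = []
    for pkg in vuln.iter("package"):
        names = {n.text for n in pkg.findall("name")}
        for name, version in installed.items():
            if name in names and any(in_range(r, version) for r in pkg.findall("range")):
                hits.append((name, version, topic))
    return hits

if __name__ == "__main__":
    # Constructed inventory: one outdated install, one updated, one unrelated.
    print(audit(ENTRY, {"wordpress": "4.7.2", "de-wordpress": "4.7.3", "nginx": "1.10.3"}))
```
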
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-03-07 13:57:23 UTC
A commit references this bug:

Author: tz
Date: Tue Mar  7 13:56:45 UTC 2017
New revision: 435603
URL: https://svnweb.freebsd.org/changeset/ports/435603

Log:
  chinese/wordpress-zh_CN, chinese/wordpress-zh_TW, german/wordpress,
  japanese/wordpress and www/wordpress, : Update from 4.7.2 to 4.7.3

  Changelog: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

  This update fixes 6 security issues.

  PR:           217608
  Submitted by: Jochen Neumeister (maintainer)
  MFH:          2017Q1

Changes:
  head/chinese/wordpress-zh_CN/Makefile
  head/chinese/wordpress-zh_CN/distinfo
  head/chinese/wordpress-zh_TW/Makefile
  head/chinese/wordpress-zh_TW/distinfo
  head/german/wordpress/Makefile
  head/german/wordpress/distinfo
  head/japanese/wordpress/Makefile
  head/japanese/wordpress/distinfo
  head/www/wordpress/Makefile
  head/www/wordpress/distinfo
Comment 5 Jochen Neumeister freebsd_committer freebsd_triage 2017-03-08 08:49:24 UTC
(In reply to Torsten Zuehlsdorff from comment #1)

Hey Torsten,

you got eMail! ;-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-03-08 10:27:33 UTC
A commit references this bug:

Author: tz
Date: Wed Mar  8 10:26:57 UTC 2017
New revision: 435666
URL: https://svnweb.freebsd.org/changeset/ports/435666

Log:
  MFH: r435603

  chinese/wordpress-zh_CN, chinese/wordpress-zh_TW, german/wordpress,
  japanese/wordpress and www/wordpress, : Update from 4.7.2 to 4.7.3

  Changelog: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

  This update fixes 6 security issues.

  PR:           217608
  Submitted by: Jochen Neumeister (maintainer)

  Approved by:  ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/chinese/wordpress-zh_CN/Makefile
  branches/2017Q1/chinese/wordpress-zh_CN/distinfo
  branches/2017Q1/chinese/wordpress-zh_TW/Makefile
  branches/2017Q1/chinese/wordpress-zh_TW/distinfo
  branches/2017Q1/german/wordpress/Makefile
  branches/2017Q1/german/wordpress/distinfo
  branches/2017Q1/japanese/wordpress/Makefile
  branches/2017Q1/japanese/wordpress/distinfo
  branches/2017Q1/www/wordpress/Makefile
  branches/2017Q1/www/wordpress/distinfo
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-03-08 13:20:06 UTC
A commit references this bug:

Author: tz
Date: Wed Mar  8 13:19:22 UTC 2017
New revision: 435685
URL: https://svnweb.freebsd.org/changeset/ports/435685

Log:
  Document wordpress security issues

  PR:       217608, 217598
  Security: https://vuxml.FreeBSD.org/freebsd/82752070-0349-11e7-b48d-00e04c1ea73d.html

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-03-08 13:21:40 UTC
Aloha Jochen,

I used the vuxml you sent nearly unchanged. Just fixed some copy-paste errors. You can see the diff in the log.

Thank you very much!
Torsten