Subject: CVS commit: pkgsrc/www/wordpress
From: Daniel Horecki
Date: 2017-09-21 21:24:46
Message id: 20170921192446.6FF56FA9A@cvs.NetBSD.org

Log Message:
Security update to version 4.8.2

Security issues:
- $wpdb->prepare() can create unexpected and unsafe queries leading to \ 
potential SQL injection (SQLi). WordPress core is not directly vulnerable to \ 
this issue, but we’ve added hardening to prevent plugins and themes from \ 
accidentally causing a vulnerability. Reported by Slavco.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed \ 
discovery. Reported by xknown of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in the visual \ 
editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
- A path traversal vulnerability was discovered in the file unzipping code. \ 
Reported by Alex Chapman (noxrnet).
- A cross-site scripting (XSS) vulnerability was discovered in the plugin \ 
editor. Reported by 陈瑞琦 (Chen Ruiqi).
- An open redirect was discovered on the user and term edit screens. Reported by \ 
Yasin Soliman (ysx).
- A path traversal vulnerability was discovered in the customizer. Reported by \ 
Weston Ruter of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in template names. \ 
Reported by Luka (sikic).
- A cross-site scripting (XSS) vulnerability was discovered in the link modal. \ 
Reported by Anas Roubi (qasuar).

And 6 other fixes:

* Emoji
- #41584 - Upgrade Twemoji to 2.5.0
- #41852 - Fix UN flag test by returning the correct value.

*I18N
- #41794 - Support numbers in locales during installation

* Security
- #13377 - Add more sanitization in _cleanup_header_comment

*Widgets
- #41596 - New Text Widget recognizes HTML but does not render it in the front end
- #41622 - Text widget can show DOMDocument::loadHTML() warnings in admin when \ 
is_legacy_widget method is called

More on https://codex.wordpress.org/Version_4.8.2

Files:
RevisionActionfile
1.57modifypkgsrc/www/wordpress/distinfo
1.72modifypkgsrc/www/wordpress/Makefile