Next | Query returned 119 messages, browsing 21 to 30 | Previous

CVS Commit History:


   2020-11-01 16:06:09 by Daniel Horecki | Files touched by this commit (2) | Package updated
Log message:
Security and maintenance update to version 5.5.3.

5.5.3:

This maintenance release fixes an issue introduced in WordPress 5.5.2
which makes it impossible to install WordPress on a brand new website
that does not have an existing database connection configuration.
This release does not affect sites where a database connection is
already configured, for example, via one-click installers or
an existing wp-config.php file.

5.5.2:

Security updates:
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- And a special thanks to @zieladam who was integral in many of the releases and patches during this release.

Maintenance updates:
#51130 Events displayed in venue timezone instead of user’s
#51659 Update Gutenberg Dependencies for WordPress 5.5.2
#50861 Remove Facebook and Instagram as an oEmbed Source
#50903 Set the local environment to a development environment type by default
#50949 Posts show wrong time when user is in a different time zone than the site’s
#51053 Video Embeds set to align left disappear in Gutenberg editor
#51175 Wrong reply box title
#51219 Theme editor page showing undefined variable notice
#51251 Fix PHP notice when opening the edit image popup
#51263 PHP warning when editing comments in the administration comment edit screen
#51320 PHP Notice while moving post to trash (post_type has 2 registered taxonomies both with default_term set)
#51400 Undefined index during automatic plugin/theme updates
#51595 Unable to make anonymous comments via XML-RPC
#51645 Undefined index: echo in core files
   2020-09-19 14:29:16 by Daniel Horecki | Files touched by this commit (3) | Package updated
Log message:
Update to wordpress 5.5.1.

Changes:

5.5:
- lazy-loaded images
- new sitemap
- autoupdate of plugins and themes
- block editor:
  - block patterns
  - block directory
  - inline image editing

5.5.1:
WordPress Core changes on Trac:

#50882 - Administration: WP 5.5: Cannot attribute content when deleting users
#50998 - Quick/Bulk Edit: Editing posts using bottom "Bulk actions" dropdown menu doesn't work
#38009 - Comments: #reply-title.comment-reply-title not updating when replying to an individual
#50845 - Editor: Block patterns: Fix translatable strings (take 2)
#50858 - Site Health: Check PHP notices with site_status_tests filter
#50887 - Site Health: Add site environment to debug information
#50892 - Editor: Some block patterns have text contrast issues with dark themes
#50910 - Sitemaps: 5.5 Sitemap URLs are incorrectly paginated
#50912 - Site Health: flags define WP_AUTO_UPDATE_CORE value as an error
#50919 - Script Loader: Change the jquery handle back to an alias for jquery-core
#50933 - Media: Lazy loading in 5.5 causes flashing of custom logo in Firefox
#50945 - Site Health: don't give a warning when upload_max_size is lower than max_post_size
#50988 - Upgrade/Install: Pass details about the specific plugin and theme updates attempted to filters
#50992 - Bootstrap/Load: Remove the ability to alter the list of environment types in wp_get_environment_type()
#50999 - Script Loader: Disable concatenation for scripts with translations to ensure they are printed in the right order
#51011 - Upgrade/Install: Empty string comparison on home option during DB upgrades is invalid
#51018 - Editor: PHP Notice thrown when searching for certain terms via the Gutenberg block directory
#51151 - Editor: Packages update
#51021 - REST API: Permit uniqueItems keyword in endpoint args
#51146 - REST API: Fix multi-type schemas with integer fields
#51029 - Filesystem API: Typo in variable name causes warning from fclose()
#51042 - Post: missing excerpt
#51050 - Docs: Add docblock for get_the_archive_title() filter
#51052 - Administration: Undefined index: update-supported
#51060 - Docs: Update register_rest_route docblock to reflect additions since 5.5
#51064 - Bootstrap/Load: Consider adding "local" as environment on WP_ENVIRONMENT_TYPE
#51073 - Administration: Extra padding below the admin bar
#51075 - Docs: Update docs for custom logo functions
#51122 - Docs: add a mention about the use of loading attribute in wp_get_attachment_image function
#51127 - UI/CSS: Remove non-color related styling from Modern color scheme
#51129 - Upgrade/Install: Only display the auto-update links on the Network Admin > Themes screen for themes that support the feature
#51337 - Template: wp_terms_checklist not checking selected taxonomy items with selected_cats option
#51184 - get_the_date() checks $format only for empty variable and fails on false boolean
#51182 - Theme_Installer_skin::do_overwrite does not work on a Windows server
#38009 - #reply-title.comment-reply-title not updating when replying to an individual
#51123 - commonL10n and other JS globals removed without backwards compatibility
#50848 - Clarify the usage of null for auto_update_{$type} filter
#51081 - Fatal Error - Undefined get_page_templates() in Customizer
#51154 - sitemaps should be initialized before each test is run
#51028 - Dot should be out of the quotes

Block editor changes from GitHub:

PR24609 -  Fix missing selected block highlighting in list view
PR24599 -  Fix specificity for buttons with outline style and background colors
PR24533 -  Fix incorrect aria description in List View
PR24516 -  Fix regression bug for category select in QueryControls component
PR24478 -  Fix tiny editor preview when using Mobile or Tablet options with metaboxes enabled
   2020-06-21 21:02:31 by Daniel Horecki | Files touched by this commit (3) | Package updated
Log message:
Security and maintenance update to WordPress 5.4.2.

Changes:

WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
- Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

More details on https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
   2020-05-03 14:00:03 by Daniel Horecki | Files touched by this commit (3) | Package updated
Log message:
Update to version 5.4.1.

Changes for 5.4:

Too much to include here, visit https://wordpress.org/support/wordpress-version/version-5-4/

Changes for 5.4.1:

Six security issues affect WordPress versions 5.4 and earlier; version 5.4.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

- Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated
- Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated
- Props to Evan Ricafort for discovering an XSS issue in the Customizer
- Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block
- Props to Nick Daugherty from WPVIP.com / WordPress Security Team who discovered an XSS issue in wp-object-cache
- Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
- Additionally, an authenticated XSS issue in the block editor was discovered by Nguyen The Duc in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted to be sure to give credit and thank them for all of their work in making WordPress more secure.

WordPress 5.4.1 also fixes some regressions introduced in version 5.4:

#49838 – Accessibility: Fix the headings hierarchy on the Freedoms page
#49798 – Customize: Give the WordPress logo a white background for dark mode browsers
#49853 – Mail: Make the check for empty post title in wp-mail.php more resilient
#49753 – Media: Remove display: none; from the (visually hidden) <input type="file"> button used in Plupload to select files for uploading. Fixes selecting files in Edge <= 44 and iOS Safari
#49772 – Privacy: Support additional elements (table, ol, ul) in privacy policy guide new styling
#49802 – Privacy: Make the deprecated wp_get_user_request_data() function available on front end
#49645 – REST API: Fix revisions controller get_item permission check
#49648 – REST API: Fix _fields filtering of registered rest fields
#49824 – Site Health: Instantiation prevents use of some hooks by plugins
#49759 – Taxonomy: Un-deprecate category_link and tag_link filters
#49974 – Block Editor updates
   2020-02-23 10:59:42 by Daniel Horecki | Files touched by this commit (3) | Package updated
Log message:
Update to version 5.3.2.

Changes:

Version 5.3.2:
Maintenance updates
- Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
- Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
- Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
- Administration: Fix the colors in all color schemes for buttons with the .active class.
- Tests/build tools: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.

Version 5.3.1:
Security fixes
- Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
- Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
- Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
- Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

Maintenance updates
- Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
- Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
- Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
- Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
- Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
- External libraries: update sodium_compat.
- Site health: allow the remind interval for the admin email verification to be filtered.
- Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
- Users: ensure administration email verification uses the user’s locale instead of the site locale.
   2019-12-09 15:20:57 by Takahiro Kambe | Files touched by this commit (25)
Log message:
Bump PKGREVISION by changing of default PHP version.
   2019-12-04 09:06:04 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to version 5.3.

Changes:
- Block Editor Improvements
- Expanded Design Flexibility
- new theme called Twenty Twenty
- Automatic Image Rotation
- Site Health Checks
- Admin Email Verification
- Date/Time Component Fixes
- PHP 7.4 Compatibility

For full changes, look at https://wordpress.org/support/wordpress-version/version-5-3/
   2019-10-23 09:25:20 by Daniel Horecki | Files touched by this commit (2) | Package updated
Log message:
Maintenance and security update to version 5.2.4.

Changes:
5.2.4:

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

5.2.3:
#38415: New Custom Link menu item has a wrong fallback label
#45739: Block Editor: $editor_styles bug.
#45935: A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter
#46757: Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons
#46758: Media Trash: Primary button(s) should be on the left
#46899: Ensure that tables generated by the Settings API have no semantics
#47079: Incorrect version for excerpt_allowed_blocks filter
#47113: Media views: dismiss notice button is invisible
#47145: Feature Image dialog does not follow the dialog pattern
#47190: Twenty Seventeen: Native audio and video embeds have no focus state.
#47340: Twenty Nineteen: Revise Latest Posts block styles to support post content options.
#47386: Fix headings hierarchy in the legacy Custom Background and Custom Header pages
#47390: Improve accessibility of forms elements within some “form-table” forms
#47414: Twenty Seventeen: Button block preview has extra spacing within button
#47458: Fix tab sequence order in the Media attachment browser
#47489: Emoji are substituted in preformatted blocks
#47502: Media modal bottom toolbar cuts-off content in Internet Explorer 11
#47538: Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’
#47543: Twenty Seventeen: buttons don’t change color on hover and focus
#47561: Plugin: View details popup layout issue
#47603: My account toggle on admin bar not visible at high zoom levels
#47604: Undefined variable: locked in wp-admin/edit-form-blocks.php
#47687: Use alt tags for gallery images in editor
#47688: Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2)
#47693: customizer Color picker should get closed when click on color picker area.
#47723: Adding a custom link in nav-menus.php doesn’t trim whitespace
#47758: Font sizes on installation screen are too small
#47835: PHP requirement always set to null for plugins
#47888: Adding a custom link in menu via Customize doesn’t trim whitespace.

Security Fixes
Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.
   2019-07-16 21:31:21 by Amitai Schleier | Files touched by this commit (3) | Package updated
Log message:
Update to 5.2.2. From the changelog:

5.2:
- Site Health
- PHP Error Protection
- Accessibility Updates
- New Dashboard Icons
- Plugin Compatibility Checks
- Privacy Updates
- New Body Hook
- Building JavaScript

5.2.1:
- 47180: An issue typing in the block editor while using a RTL language
  has been fixed.
- 47186: A bug causing 32-bit systems to run out of memory when using
  sodium_compat was fixed.
- 47189: The "Update your plugins" link in Site Health now links to the
  correct page in multisite installs.
- 47185: An issue in wp_delete_file_from_directory() where files were
  not deleting on Windows systems has been fixed.
- 47205: A bug was fixed where spaces could not be added in the Classic
  Editor after pressing shift+enter.
- 47265: 2 fatal errors on the error protection page when a PHP error
  was encountered in a drop-in (such as advanced-cache.php) were fixed.
- 47244: wp_targeted_link_rel() has been improved to prevent instances
  where single and double quotation marks were incorrectly staggered.
- 47169: PHP/MySQL minimum version requirement checks now return proper
  error codes when requirements are not met in test environments.
- 47177: The backwards compatibility of get_search_form() was improved.
- 47297: The accuracy of the HTTP requests test in Site Health was improved.
- 47229: TinyMCE has been updated to version 4.9.4.
- 47323: Prevents a fatal error that occurs when upgrading to 5.2.1 from
  WordPress < 5.2.
- 47304: Fixes a regression that can affect the accuracy of
  <lastBuildDate> in feeds.
- 47312: Changes the string used on the About page for 5.2.1 to one that
  is already translated.

5.2.2:
- 45094: Dashboard elements don't always have clear focus states, tab order
- 46289: RTL Bug – wrong navigation arrows in media modal
- 46749: Extra border is displaying at bottom of Help section in Firefox
  (Responsive : 778 * 841)
- 46881: Site Health: improve the header elements horizontal centering
- 46957: Site Health: Make site health page access be filterable
- 46960: Site Health: Table design issue in small devices (iphone 5/SE).
- 46997: Theme update links show in Customizer and don't work
- 47070: Recovery Mode Exit button not visible in responsive view
- 47158: Merge similar strings introduced in WP 5.2
- 47227: I18n: Merge similar translation strings – site health tabs
- 47475: I18n: Merge similar strings and fix typo
- 47429: Editor: Update packages for WordPress 5.2.2
- 47457: Fix the mediaelements player controls bar sizing
   2019-05-23 21:23:24 by Roland Illig | Files touched by this commit (242)
Log message:
all: replace SUBST_SED with the simpler SUBST_VARS

pkglint -Wall -r --only "substitution command" -F

With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.
