Subject: CVS commit: pkgsrc/www/php-ja-wordpress
From: Takahiro Kambe
Date: 2020-06-21 18:42:56
Message id: 20200621164256.1D5ABFB28@cvs.NetBSD.org

Log Message:
www/php-ja-wordpress: update to 5.4.2

Update php-ja-wordpress to 5.4.2

pkgsrc changes: clean up Makefile a little.

Quote from release document but omit maintenance updates for 5.4.1 and
later.

5.3.2 (2019-12-18)

Maintenance updates

- Date/Time: Ensure that get_feed_build_date() correctly handles a modified
  post object with invalid date.
- Uploads: Fix file name collision in wp_unique_filename() when uploading a
  file with upper case extension on non case-sensitive file systems.
- Media: Fix PHP warnings in wp_unique_filename() when the destination
  directory is unreadable.
- Administration: Fix the colors in all color schemes for buttons with the
  .active class.
- Tests/build tools: In wp_insert_post(), when checking the post date to set
  future or publish status, use a proper delta comparison.

5.4 (2020-03-31)

Too much to include here, visit
https://wordpress.org/support/wordpress-version/version-5-4/

5.4.1 (2020-04-29)5.4

Six security issues affect WordPress versions 5.4 and earlier; version 5.4.1
fixes them, so you'll want to upgrade. If you haven't yet updated to 5.4,
there are also updated versions of 5.3 and earlier that fix the security
issues.

- Props to Muaz Bin Abdus Sattar and Jannes who both independently reported
  an issue where password reset tokens were not properly invalidated
- Props to ka1n4t for finding an issue where certain private posts can be
  viewed unauthenticated
- Props to Evan Ricafort for discovering an XSS issue in the Customizer
- Props to Ben Bidner from the WordPress Security Team who discovered an XSS
  issue in the search block
- Props to Nick Daugherty from WPVIP.com / WordPress Security Team who
  discovered an XSS issue in wp-object-cache
- Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently
  reported an XSS issue in file uploads.
- Additionally, an authenticated XSS issue in the block editor was
  discovered by Nguyen the Duc in WordPress 5.4 RC1 and RC2. It was fixed in
  5.4 RC5. We wanted to be sure to give credit and thank them for all of
  their work in making WordPress more secure.

5.4.2 (2020-06-10)

Security Updates

WordPress versions 5.4 and earlier are affected by the following bugs, which
are fixed in version 5.4.2. If you haven't yet updated to 5.4, there are
also updated versions of 5.3 and earlier that fix the security issues.

- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where
  authenticated users with low privileges are able to add JavaScript to
  posts in the block editor.
- Props to Luigi - (gubello.me) for discovering an XSS issue where
  authenticated users with upload permissions are able to add JavaScript to
  media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open
  redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme
  uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where
  set-screen-option can be misused by plugins leading to privilege
  escalation.
- Props to Carolina Nymark for discovering an issue where comments from
  password-protected posts and pages could be displayed under certain
  conditions.

Files:
RevisionActionfile
1.5modifypkgsrc/www/php-ja-wordpress/MESSAGE
1.19modifypkgsrc/www/php-ja-wordpress/Makefile
1.12modifypkgsrc/www/php-ja-wordpress/PLIST
1.16modifypkgsrc/www/php-ja-wordpress/distinfo