Update information on CVE-2018-1000773 and CVE-2017-1000600

According to the available information CVE-2017-1000600 has been fixed
(but without upstream details) in 4.9. As such we mark the first version
in unstable in the 4.9 series as fixed.

1 files changed, 6 insertions, 2 deletions

diff --git a/data/CVE/list b/data/CVE/list
index 5caa375db2..ccbf7b3613 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -41727,7 +41727,8 @@ CVE-2018-1000801 (okular version 18.08 and earlier contains a Directory Traversa
 CVE-2018-1000800 (zephyr-rtos version 1.12.0 contains a NULL base pointer reference vuln ...)
 	NOT-FOR-US: zephyr-rtos
 CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation ...)
-	- wordpress <undetermined>
+	- wordpress <unfixed>
+	NOTE: This CVE exists due to an incomplete fix in 4.9 for CVE-2017-1000600.
 CVE-2018-1000673
 	REJECTED
 CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to  ...)
@@ -41763,11 +41764,14 @@ CVE-2018-1000659 (LimeSurvey version 3.14.4 and earlier contains a directory tra
 CVE-2018-1000658 (LimeSurvey version prior to 3.14.4 contains a file upload vulnerabilit ...)
 	- limesurvey <itp> (bug #472802)
 CVE-2017-1000600 (WordPress version &lt;4.9 contains a CWE-20 Input Validation vulnerabi ...)
-	- wordpress <undetermined>
+	- wordpress 4.9.1+dfsg-1
 	NOTE: https://www.securityfocus.com/bid/105305/references
 	NOTE: https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
 	NOTE: https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
 	NOTE: https://twitter.com/_s_n_t/status/1030573635617124353
+	NOTE: Wordpress before 4.9 is vulnerable on its own. After 4.9 you need to have
+	NOTE: vulnerable module installed on the site as well. Due to an incomplete fix
+	NOTE: in 4.9 there exists CVE-2018-1000773.
 CVE-2018-16553
 	RESERVED
 CVE-2018-16552 (MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/ ...)