Re: Technical committee resolution



On Fri, Apr 04, 2008 at 06:26:06PM +0800, Paul Wise wrote:
> On Fri, Apr 4, 2008 at 6:01 PM, Josip Rodin <joy@entuzijast.net> wrote:
> 
> >  http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=wordpress;dist=stable
> >  shows zero RC bugs, and I found two DSA-s for it, 1258 and 1502.
> >  The remaining filed bugs which relate to security are explicitly marked by
> >  the maintainers as too minor to warrant updates, so it doesn't look like
> >  the security team is particularly burdened.
> 
> There are a number of open CVEs, some of them are not fixed in etch
> security updates:
> 
> http://security-tracker.debian.net/tracker/binary-package/wordpress

Yes, and...? Can you re-read my second sentence above? :)
I've read through that list as well (thanks for the link) and it seems that
most of them do seem to fit in the category of too minor to warrant updates
- the program is vulnerable if you already have an existing attack vector,
such as SQL injections, which are fixed, or admin privileges.
Only the latest one seems to be available to all, with the precondition
that the site allows random people to register (which should be sufficiently
more common than sites which have random admins).

In any case, I don't see any major burdens caused by the decision that
would make it a mistake.

-- 
     2. That which causes joy or happiness.

