
Re: Fwd: jessie backport for Wordpress



On Wed, Jun 03, 2015 at 10:36:58AM +0200, Martin Steigerwald wrote:
> On Tuesday, 2 June 2015, 23:12:54, Rodrigo Campos wrote:
> So according to this wordpress 4.2 would neither be something for backports 
> nor for stable. And now what?
> 
> Handle it like virus killer signatures? I think there is some suite for 
> often updated things like that. Or backport security fixes from 4.2 to 4.1? 
> Handle it like iceweasel with updating to major versions due to upstream 
> security fix support policy? Only provide limited security support?
> 
> Craig is wordpress package maintainer. Craig, what do you think?
For me 4.1.5 should be used, not 4.2. The security patches are
backported into 4.1 but there are some limits to this. The point is that
4.1.5 is almost equivalent to the patched 4.1 in Debian.
I raised a bug for proposed updates, not heard anything yet.

The big difference is database changes are linked to the upstream
version. So even though the code for 4.1 deb8u2 is almost the same as
4.1.5, the database fixes are different.

> > It seems the fix is backported to jessie, as security fixes usually are.
> > Which fix do you refer to? The jessie version has a fix for
> > CVE-2014-2053 and a memleak (see the changelog for the jessie version).
> > Do you refer to any of those fixes?
Yes this is patched in jessie. The point is that the newer php-getid3
is stuck in sid and doesn't appear to be moving to testing. 

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

