
Bug#413831: Signed posting to list rejected



Package: tech-ctte

Hi,

I've added a bit of information on a bug report assigned to tech-ctte.
However, I received a bounce from the mailing list manager telling me "You
are not subscribed to this list, so your submission was rejected.
Please subscribe to the list first and then repost your message."

The Technical Committee web page mentions that you need to be subscribed
OR PGP-sign your message to get through. As my message was in fact
signed, I think there's a configuration error somewhere. I've temporarily
subscribed now to the list to be able to report this issue.

The message itself is attached.


thanks,
Thijs
--- Begin Message ---
You are not subscribed to this list, so your submission was rejected.
Please subscribe to the list first and then repost your message.

A copy of your submission is included below.

---------------------------------------------------------------------------

--=-uZPD9PFmCCPPW/OGE6+V
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi,

I'd like to add a bit of information here.

Recently, Wordpress 2.1.1 has been compromised and an exploit added to
the code. http://wordpress.org/development/2007/03/upgrade-212/
This can happen.

However, upstream solves this by advising everyone to "just upgrade to
2.1.2". Otherwise it stays vague about what is affected: they list "past
3-4 days" as the window, they do not tell the (md5 or sha1) checksums of
the trusted version, nor do they give the exploit code that was added.

They produce no way for me to check whether an existing installation is
affected or not. "Just upgrade".

I'm therefore not convinced that they take security seriously in a way
other than "upgrade to this new fixed version, which contains some other
fixes too", which is exactly not what Debian needs.


Thijs

--=-uZPD9PFmCCPPW/OGE6+V
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBF7qYlJdKMxZV9WM8RAgXdAKDS5ed3aicuTFu9GQXl43qNLgFHNQCfUta7
c59un5HI42qN7rzweAYdJ7c=
=7RB2
-----END PGP SIGNATURE-----

--=-uZPD9PFmCCPPW/OGE6+V--


--- End Message ---

Attachment: signature.asc
Description: This is a digitally signed message part

