Hi -ctte and bug followers,

I released the last (and only) two security advisories for wordpress, DTSA-33-1[0] and DTSA-34-1[1], so I thought it may be useful for me to comment on this bug. (After writing this mail, I realise it's rather long... so there's a short summary at the end, marked by [summary].)

First, I'd like to give my general opinion of Wordpress: its security support from upstream, and the responsiveness of upstream and the Debian maintainer for security issues.

Upstream has committed to supporting Wordpress 2.0.x for just security updates until 2010:

  "As a reminder, we’ve committed to proving security updates to 2.0
  through 2010, but all new features and development are going into the
  newer branch, which is at this time 2.1."
  http://wordpress.org/development/2007/02/new-releases/

This is the way we apply fixes for security in Debian, and has meant that the updates I've issued have been drop-in replacements using the vanilla versions from upstream. (To avoid doubt, the packages released were created by the maintainer, and simply use the new upstream version.)

Both upstream and the maintainer are nice and responsive to all issues. Upstream has responded very well to queries and comments, and the maintainer is quick to answer questions and help check which vulnerabilities affect which versions of Wordpress.

Secondly, some general comments, partially from the issues raised in this bug report.

Wordpress isn't the most secure package in Debian, but it's certainly not the worst in comparison to other packages. Below is the "Top 20 packages in Debian, sorted by number of CVE-IDs assigned to them":

  Position  CVE-IDs  Package
  --------  -------  -------
         1      285  linux-2.6
         2      173  mozilla
         3      148  mozilla-firefox
         4      131  kernel-source-2.4.27
         5      109  firefox
         6      103  ethereal
         7       91  php4
         8       86  xulrunner
         9       68  thunderbird
        10       63  phpbb2
        11       62  mozilla-thunderbird
        12       58  php5
        13       48  iceweasel
        14       46  bugzilla
        15       46  apache2
        16       45  phpmyadmin
        17       43  wordpress
        18       37  moodle
        19       35  squid
        20       35  mantis

Wordpress here comes in at number 17: lower than mozilla products, which are a complete PAIN to provide support for, and phpbb2, which is rather infamous for its (lack of) security.

The fixes that have come in from upstream and the packages from the maintainer are fairly clean, and haven't been modified for the security announcement (apart from a changelog entry, and a rebuild to check it's all ok). The time taken to do these has been very low compared to most other fixes that have had to be implemented, which is also aided by this being arch-indep, so not requiring the buildds to play with it. Each additional package release is a little bit more work, but (certainly using the unembargoed queue) takes less than 10 minutes per package from getting the source provided by the maintainer to releasing the advisory.

Now, I'm not a member of the stable security team, so I can't comment on how they wish to work. If Wordpress is dropped from etch, I'm happy to see it continue in Lenny/volatile, as it's been very easy to provide security support for it from my PoV. If it continues, I'm happy to prepare advisories and updates through security.debian.org (providing lenny updates myself, and etch in collaboration with team@s.d.o). Ultimately, IMO it's an issue for the stable security team.

Hope this helps,

Neil

[summary]
* Upstream are very helpful, want to work with us, and release new versions in a way which is very compatible with Debian Security practices.
* Both upstream and the maintainer are responsive and handle security issues in a timely manner.
* Wordpress isn't the most secure application out there, but it's not too bad.
* The actual fixes aren't a problem, and are simple to understand. The regularity of them may be an issue, but could be helped by the maintainer preparing packages/DSA texts.

[0] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-February/000032.html
[1] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-March/000033.html

-- 
<mooch> If stockhom sees my banana, he will want to eat it