Bug#413926: Wordpress removal comments

Hi -ctte and bug followers,

I released the last (and only) two security advisories for wordpress,
DTSA-33-1[0] and DTSA-34-1[1], so I thought it may be useful for me to
comment on this bug.

(After writing this mail, I realise it's rather long... so there's a
short summary at the end, marked by [summary])

First, I'd like to give my general opinion of Wordpress: its security
support from upstream, and the responsiveness of upstream and the Debian
maintainer for security issues.

Upstream has committed to supporting Wordpress 2.0.x for just security
updates until 2010:
  "As a reminder, we've committed to providing security updates to 2.0
  through 2010, but all new features and development are going into the
  newer branch, which is at this time 2.1."
This is the way we apply fixes for security in Debian, and has meant
that the updates I've issued have been drop in replacements using the
vanilla versions from upstream. (To avoid doubt, the packages released
were created by the maintainer, and simply use the new upstream

Both upstream and the maintainer are nice and responsive to all issues.
Upstream has responded very well to queries and comments, and the
maintainer is quick to answer questions and help check which
vulnerabilities affect which versions of Wordpress.

Secondly some general comments, partially from the issues raised in this
bug report.

Wordpress isn't the most secure package in Debian, but it's certainly
not the worst in comparison to other packages. Below is the "Top 20
packages in Debian, sorted by number of CVE-IDs assigned to them":

Position    CVE-IDs     Package
--------    -------     -------
1           285         linux-2.6
2           173         mozilla
3           148         mozilla-firefox
4           131         kernel-source-2.4.27
5           109         firefox
6           103         ethereal
7           91          php4
8           86          xulrunner
9           68          thunderbird
10          63          phpbb2
11          62          mozilla-thunderbird
12          58          php5
13          48          iceweasel
14          46          bugzilla
15          46          apache2
16          45          phpmyadmin
17          43          wordpress
18          37          moodle
19          35          squid
20          35          mantis

Wordpress here comes in at number 17: lower than mozilla products, which
are a complete PAIN to provide support for, and phpbb2 which is rather
infamous for its (lack of) security.

The fixes that have come in from upstream and the packages from the
maintainer are fairly clean, and haven't been modified for the security
announcement (apart from a changelog entry, and a rebuild to check it's
all ok).
The time taken to do these has been very low compared to most other
fixes that have had to be implemented, which is also aided by this being
arch-indep so not requiring the buildds to play with it.
Each additional package release is a little bit more work, but
(certainly using the unembargoed queue) takes less than 10 minutes per
package from getting the source provided by the maintainer, and
releasing the advisory.

Now, I'm not a member of the stable security team, so I can't comment on
how they wish to work. If Wordpress is dropped from etch, I'm happy to
see it continue in Lenny/volatile, as it's been very easy to provide
security support for it from my PoV. If it continues, I'm happy to
prepare advisories and updates through security.debian.org (providing
lenny updates myself, and etch in collaboration with team@s.d.o).

Ultimately, IMO it's an issue for the stable security team.

Hope this helps,

[summary]
* Upstream are very helpful, want to work with us, and release new
  versions in a way which is very compatible with Debian Security
* Both upstream and the maintainer are responsive and handle security
  issues in a timely manner.
* Wordpress isn't the most secure application out there, but it's not
  too bad.
* The actual fixes aren't a problem, and are simple to understand. The
  regularity of them may be an issue, but could be helped by the
  maintainer preparing packages/DSA texts.

[0] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-February/000032.html
[1] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-March/000033.html