
Bug#413926: marked as done (wordpress: Should not ship with Etch)



Your message dated Mon,  9 Apr 2007 23:09:54 -0600 (MDT)
with message-id <20070410050954.BC2F4584F1@rover.gag.com>
and subject line decided
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: wordpress
Severity: serious

On behalf of the Security Team I'm requesting the removal of Wordpress
from Etch. There's a steady flow of security issues being found in
Wordpress and we don't believe it's sanely maintainable over the
course of 30-36 months. (Etch life-time)

As an example, the versions fixing vulnerabilities of the last four
months only:

  wordpress (2.1.1-1) unstable; urgency=high
  .
    * New upstream security release
    * Updated copyright with new download link
    * http://wordpress.org/development/2007/02/new-releases
    * http://trac.wordpress.org/milestone/2.1.1
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

  wordpress (2.0.8-1) testing-security; urgency=high
  .
    [Neil McGovern]
    * Non-maintainer upload by security team.
    * Fixes for CVE-2007-0539 and CVE-2007-0541
    [Kai Hendry]
    * New upstream release
    * Security fix, urgency high for etch

  wordpress (2.0.7-1) unstable; urgency=low
  .
    * New upstream release
    * New upstream available (security fix) (Closes: #407116)

  wordpress (2.0.6-1) unstable; urgency=high
  .
    * New upstream release
    * Security fix, urgency high.
    * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
      Function Client-Side Cross Site Scripting Vulnerability.
      (Closes: #405299, #405691)

  wordpress (2.0.5-0.1) unstable; urgency=medium
  .
    * NMU on maintainer's request.
    * Security fix, urgency medium.
    * readme.html: s/license.txt/copyright/. (Closes: #382283)
    * New upstream release, which fixes:
      - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
        plugin for WordPress. (Closes: #384800)

Even more worrying, their infrastructure was hacked and they had a
compromised tarball up for download:

http://wordpress.org/development/2007/03/upgrade-212/

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)


--- End Message ---
--- Begin Message ---
Closing this bug as the question decided by the TC has now been documented on
the TC web page.

Bdale

--- End Message ---
