--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wordpress: Should not ship with Etch
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Sat, 03 Mar 2007 21:15:33 +0100
- Message-id: <20070303201533.5011.3119.reportbug@localhost.localdomain>
Package: wordpress
Severity: serious
On behalf of the Security Team I'm requesting the removal of Wordpress
from Etch. There's a steady flow of security issues being found in
Wordpress and we don't believe it's sanely maintainable over the
course of 30-36 months (the Etch lifetime).
As an example, the versions fixing vulnerabilities of the last four
months only:
wordpress (2.1.1-1) unstable; urgency=high
  .
  * New upstream security release
  * Updated copyright with new download link
  * http://wordpress.org/development/2007/02/new-releases
  * http://trac.wordpress.org/milestone/2.1.1
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

wordpress (2.0.8-1) testing-security; urgency=high
  .
  [Neil McGovern]
  * Non-maintainer upload by security team.
  * Fixes for CVE-2007-0539 and CVE-2007-0541
  [Kai Hendry]
  * New upstream release
  * Security fix, urgency high for etch

wordpress (2.0.7-1) unstable; urgency=low
  .
  * New upstream release
  * New upstream available (security fix) (Closes: #407116)

wordpress (2.0.6-1) unstable; urgency=high
  .
  * New upstream release
  * Security fix, urgency high.
  * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
    Function Client-Side Cross Site Scripting Vulnerability.
    (Closes: #405299, #405691)

wordpress (2.0.5-0.1) unstable; urgency=medium
  .
  * NMU on maintainer's request.
  * Security fix, urgency medium.
  * readme.html: s/license.txt/copyright/. (Closes: #382283)
  * New upstream release, which fixes:
    - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
      plugin for WordPress. (Closes: #384800)
Even more worrying, their infrastructure was hacked and they had a
compromised tarball up for download:
http://wordpress.org/development/2007/03/upgrade-212/
Cheers,
Moritz
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
--- End Message ---