Re: squeeze update of wordpress?
On Wed, Aug 12, 2015 at 03:24:46PM +0200, Jan Ingvoldstad wrote:
> On 08/12/2015 03:00 PM, Guido Günther wrote:
> >Hello dear maintainers,
> >the Debian LTS team would like to fix the security issues which are
> >currently open in the Squeeze version of wordpress:
> Just as a bit of information regarding this package:
> There should be plenty of other security issues in the Squeeze version, and
> not easily maintainable, since security support for 3.6 was abandoned by
> WordPress in October 2013:
> There has also been a somewhat lengthy discussion about WP in the backports
> mailing list, from this message and onwards:
> I suspect that Craig will suggest tracking the version in Wheezy for
> simplicity's sake, as the internal changes since 3.6 may be too much to
> easily backport security updates for.
Yeah, there are several other CVEs affecting wordpress (also in squeeze)
currently. I see two possible solutions: marking wordpress as
end-of-life or piggybacking on another version since backporting will
become really time-consuming. In contrast to other things like openssl,
ruby, nss, this is rather a leaf package that has little
potential of breaking other things we ship.
I'd be glad to hear opinions on this.