Re: squeeze update of wordpress?

[Guido Günther <agx@sigxcpu.org>]

Hi Jan,
On Wed, Aug 12, 2015 at 03:24:46PM +0200, Jan Ingvoldstad wrote:
> On 08/12/2015 03:00 PM, Guido Günther wrote:
> >Hello dear maintainers,
> >
> >the Debian LTS team would like to fix the security issues which are
> >currently open in the Squeeze version of wordpress:
> >https://security-tracker.debian.org/tracker/CVE-2015-5622
> 
> Just as a bit of information regarding this package:
> 
> There should be plenty of other security issues in the Squeeze version, and
> not easily maintainable, since security support for 3.6 was abandoned by
> WordPress in October 2013:
> 
> https://security-tracker.debian.org/tracker/source-package/wordpress
> 
> There has also been a somewhat lengthy discussion about WP in the backports
> mailing list, from this message and onwards:
> 
> https://lists.debian.org/debian-backports/2015/06/msg00005.html
> 
> I suspect that Craig will suggest tracking the version in Wheezy for
> simplicity's sake, as the internal changes since 3.6 may be too much to
> easily backport security updates for.

Yeah, there are several other CVEs affecting wordpress (also in squeeze)
currently. I see two possible solutions: marking wordpress as
end-of-life or piggy backing on another version since backporting will
become really time consuming. In contrast to other things like openssl,
ruby, nss this is rather a leave package that has little
potential of breaking other things we ship.

I'd be glad to hear opinions on this.
Cheers,
 -- Guido