
Bug#947143: RFS: wordpress/5.3.2+dfsg1-0.1 [NMU] [RC] -- weblog manager



Hello Niels,

On 23.12.19 at 15:04, DebBug wrote:

> Anyone to chime in? Craig? Markus?

There is a bit of confusion here, so I will try to explain the situation and
how we should proceed. Thank you for filing bug report #947212 to track
the security issues in Wordpress. This will help to answer those
questions raised by Adam. However, there was already #946905 that you
could have used as well.

You have only recently added me to CC, presumably because I have done
some security uploads in the past for Wordpress. I don't know what you
have discussed with Craig and whether he wants to review your work and
sponsor it later. In that case you don't actually need to open a sponsorship
request on debian-mentors.

Sponsorship requests are either of severity normal or important. Here it
would be OK to use important, but the severity is merely an indicator and
it doesn't automatically guarantee that a bug is prioritized. Security
related bugs like #947212/#946905 are either of severity important or
grave.

Version 5.3.2 seems to fix a couple of security vulnerabilities. No CVE
has been assigned yet. This version should be uploaded to unstable.

If you want to fix Wordpress in Buster and Stretch as well, then you
have to go a different route. The security team is responsible for that.
As previously discussed, I recommend basing security updates on upstream
releases for specific Wordpress branches.

https://wordpress.org/download/releases/

Buster should be updated to version 5.0.8 and Stretch to 4.7.16. In both
cases you would base your work on the Wordpress packages in Buster and
Stretch. The changes to the debian files should be minimal, you would
merely rebase existing patches and repack the tarball to make it
compliant with the DFSG.

In short:

Version 5.3.2 -> unstable
Did Craig agree with the upload?
If there is simply no response because of the holiday season, we could do
an NMU with a delay of 5 to 10 days. I assume you haven't made any major
changes to the package.

After that:
Version 5.0.8 -> buster-security
Version 4.7.16 -> stretch-security

You can already prepare the packages, then we contact the security team
and ask for approval.

Regards,

Markus
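The two upload paths described in the message above (a delayed NMU of 5.3.2 to unstable, and stable security updates rebased on the 5.0.x / 4.7.x upstream branches) as a sketch in shell. This is an added example, not code from the bug report or from the Debian wordpress package; the helper names, the buster/stretch release-number mapping, the `+dfsg1` repack suffix, the upstream tarball URL and the `0+debNNu1` revision convention used for a new upstream version in a stable release are this example's own assumptions.

```shell
#!/bin/sh
# Added example: version helpers and the packaging steps Markus outlines.
# Helper names, the suite->release-number map and the +dfsg1 suffix are
# assumptions of this script, not taken from the bug report.
set -eu

# Version for a new-upstream NMU into unstable: the uploader is not the
# maintainer, so the Debian revision starts at 0.1 (as in 5.3.2+dfsg1-0.1).
nmu_version() {
    # $1 = upstream version including any +dfsgN repack suffix
    printf '%s-0.1\n' "$1"
}

# Version for a new-upstream security update of a stable release: revision 0
# (this upstream version never went through unstable) plus +debNNu1, where
# NN is the Debian release number.  The mapping below is an assumption.
stable_security_version() {
    # $1 = upstream version (with repack suffix), $2 = buster|stretch
    case "$2" in
        buster)  rel=10 ;;
        stretch) rel=9 ;;
        *) echo "unknown suite: $2" >&2; return 1 ;;
    esac
    printf '%s-0+deb%su1\n' "$1" "$rel"
}

# Rebase the packaging currently in a stable suite onto a newer upstream
# release from the same branch and build a source package for <suite>-security.
# Needs devscripts, quilt, dpkg-dev and deb-src lines for the suite; not run
# by default because it touches the network and the archive.
prepare_security_update() {
    suite=$1 upstream=$2                       # e.g. buster 5.0.8
    repacked="${upstream}+dfsg1"               # assumed repack suffix
    target="$(stable_security_version "$repacked" "$suite")"

    # 1. Start from the package in the stable release, not from unstable.
    apt-get source "wordpress/$suite"
    old_dir=$(ls -d wordpress-*/ | head -n1)

    # 2. Fetch the branch release and repack it under the same Files-Excluded
    #    rules as the existing package (the DFSG cleanup).  URL is assumed.
    wget "https://wordpress.org/wordpress-${upstream}.tar.gz"
    mk-origtargz --package wordpress --version "$upstream" \
        --repack --repack-suffix +dfsg1 --compression xz \
        --copyright-file "${old_dir}debian/copyright" \
        "wordpress-${upstream}.tar.gz"

    # 3. Unpack the repacked tarball (upstream's archive has a single top-level
    #    directory, hence --strip-components) and carry debian/ over unchanged.
    new_dir="wordpress-${repacked}"
    mkdir "$new_dir"
    tar xJf "wordpress_${repacked}.orig.tar.xz" -C "$new_dir" --strip-components=1
    cp -a "${old_dir}debian" "$new_dir/"
    cd "$new_dir"

    # 4. Re-apply the existing patches; a failing push aborts (set -e) and is
    #    the only place where hand-refreshing is needed.
    QUILT_PATCHES=debian/patches quilt push -a
    QUILT_PATCHES=debian/patches quilt pop -a

    # 5. Changelog entry for the security suite; --force-distribution is needed
    #    because buster-security is not in dch's list of known distributions.
    dch -v "$target" -D "${suite}-security" --force-distribution \
        "New upstream security release."

    # 6. Source-only build that includes the new orig tarball (-sa).
    dpkg-buildpackage -S -sa
    cd ..
}

# Upload an already-built NMU to a DELAYED queue so the maintainer has time
# to object; the message suggests 5 to 10 days.
upload_nmu_delayed() {
    days=$1 changes=$2                         # e.g. 10 wordpress_5.3.2+dfsg1-0.1_source.changes
    dput --delayed "$days" ftp-master "$changes"
}

# The plan from the message, as version strings only (no network access).
printf '%s\n' "$(nmu_version 5.3.2+dfsg1)" \
              "$(stable_security_version 5.0.8+dfsg1 buster)" \
              "$(stable_security_version 4.7.16+dfsg1 stretch)"
```

Running the script as-is only prints the three target versions; `prepare_security_update buster 5.0.8` and `upload_nmu_delayed 10 <changes file>` are meant to be invoked by hand once the maintainer question and the security team's approval are settled.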


