Bug#987084: unblock: wordpress/5.7.1+dfsg1-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#987084: unblock: wordpress/5.7.1+dfsg1-1
From: Craig Small <csmall@debian.org>
Date: Sat, 17 Apr 2021 09:41:48 +1000
Message-id: <[🔎] 161861650833.467449.445951729401465016.reportbug@floyd.dropbear.xyz>
Reply-to: Craig Small <csmall@debian.org>, 987084@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package wordpress

Currently Wordpress in Bullseye is 5.6.1 and is vulnerable to CVE-2021-29450
reported in bug #987065

There are really three options here, either
 a) Bullseye gets upgraded to 5.6.3 [1]; or
 b) Bullseye gets 5.6.1 that only has the patch
 c) WordPress in 5.7.1 in Sid is unblocked and put into Bullseye

My preference is to have Bullseye use 5.7.1, i.e. unblock from Sid,
hence this email.

This will make the inevitable security updates easier during the life of Bullseye
and will slow down "why is this version so old" emails I'll get.

I was hoping to get 5.7 into Bullseye anyway but missed the freeze.
With this security bug, there needs to be an update, it just comes
down to which one to do.

Patching only the change initially sounds good, but the issue is any
subsequent patches (and there will be security bugs in future) become
very difficult to do. Upstream may also assume a bug is not a bug due to
some previous fix (e.g. a change in 5.6.2 we don't put stops some
future security issue.

The issue of patching future WordPress 5.6.1+ versions is easy to see
by looking at upstreams source repository[2], there are two security
updates here.

So, 768f1d8 looks like a good contender for a PHP8 related problem
which is CVE-2021-29447[3] but where is the fix for CVE-2021-29450 [4]?
It's probably buried in c937087 "Grouped merges for 5.6.3"

This sort of thing happens all the time, its why for example Buster we
track 5.0.x [5] and Buster has 5.0.11 not 5.0.4+something.

[ Reason ]
To fix security bug CVE-2021-29450 [4] and to ensure that subsequent
security issues are properly handled for Bullseye.

[ Impact ]
Bullseye WordPress users will remain vulnerable OR we have to do some
special upload of 5.6.3 OR some patched thing which is almost but not
quite anything tested anywhere.

[ Tests ]
There are two sets of changes here. WordPress 5.7 has been out for
about a month with no reported issues, so its been tested on various
systems out there including my own.

WordPress 5.7.1 is new. Upstream have automated tests, I have run
this version on my on systems and not had any issues.

[ Risks ]
The change from 5.6.1 to 5.7.1 is big, about 20MB of data but that
would include things like minimised and unminimised javascript.

I'm not sure of the mix of upstream WordPress websites between
5.6.x and 5.7.x but I'd expect most track the latest upstream
meaning 5.7.1 would be used *way* more than 5.6.3

Nobody would be using the patched 5.6.1 option before its released.

[ Checklist ]
  [Y] all changes are documented in the d/changelog
  [Y] I reviewed all changes and I approve them
  [N] attach debdiff against the package in testing

[ Other info ]
I can provide the 25M debdiff if required, but I don't think it will be
useful.

1: https://wordpress.org/support/wordpress-version/version-5-6-3/
2: https://github.com/WordPress/WordPress/commits/5.6-branch
3: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
4: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
5: https://metadata.ftp-master.debian.org/changelogs//main/w/wordpress/wordpress_5.0.11+dfsg1-0+deb10u1_changelog
unblock wordpress/5.7.1+dfsg1-1


-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAmB6ILMSHGNzbWFsbEBk
ZWJpYW4ub3JnAAoJEAIhZsD/PITji3cQAIkBX6K8JxFd2ZF4hTcX24vcZw8ByoDO
x2Iq8NIF7T2UPc2kAOLZYlROC2TgvTwTNw32eJ/HZ1lmjCmzuZT43fWJUk1dMXqu
Ef6kbu5qBivvTUTtY+DzNRDtVC3VvAWob6DKj4fzlM0ZaGNFxIYQXAU9DgwHi0KC
53HUx7XttTdb9NJonRKJ1bOf05Q+dwwZWZFLzE7lnXmq/TqofrPCl/wZ2irUsISt
vLp2QUZCAZiSrn/Gg4ZjRvgIPGtqSWFKmGFnwhk1RKTYYQuhptyVOa1O90zDpABP
WLmLpK8u+bCwVpogvEJ9NRIH39oHd5N75d3nBXs52SCfNmRbDoSFMJ1IRUp7E8iu
63JVYNuV2NuVOIRprfX/mW+I+9Dvg+wabggV2VVnUOwqY+bIpdD0ir4VfrACAua2
I+W0o9QetX8Gwm3WVTzszg3h6PJCwlDWvnVuJWwevr91PO9Pv17waDY64Qxhq2fy
gl+g2eL5yHdfEqS+rPQmBNvLrkQAl9DOj67yI3JKE5v+gY4BLOVI9RDWZ0R3x0Or
VVYDmKiiSov2PvC4eAiKQqxskqdix4beN9KEc0w+gP/CbPqGdHJo87jEPc5GhLov
vcSmTHkLdsDQSipmEWxQ3OBgyeUfepYhKsAGCBT86gQuf5uYeeBCdbAacWQsrt3d
qxKYzq4kIora
=GwCm
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Bug#987084: unblock: wordpress/5.7.1+dfsg1-1
  - From: Sébastien Delafond <seb@debian.org>
- Bug#987084: marked as done (unblock: wordpress/5.7.1+dfsg1-1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#987081: unblock: puppet-module-puppetlabs-haproxy/2.1.0-3
Next by Date: Bug#987086: unblock: lxpanel/0.10.1-2
Previous by thread: Processed: Re: Bug#987081: unblock: puppet-module-puppetlabs-haproxy/2.1.0-3
Next by thread: Bug#987084: unblock: wordpress/5.7.1+dfsg1-1
Index(es):
- Date
- Thread