[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Technical committee resolution

Don Armstrong wrote:
> On Sat, 29 Mar 2008, Joey Hess wrote:
> > Well, just to pick an example, if the TC had chosen you to deal with
> > the wordpress-in-stable issue, and you had personally decided it
> > needed to be in stable, and had done whatever work was initially
> > needed to get it into stable with security support, you'd still be
> > responsible for its security now, and the several security holes it
> > has now would be a problem that you'd be aware of, and at least be
> > worrying about if nothing else.
> The package in question, as problematic as it is, has an active
> maintainer who claimed that he would do exactly this. According to the
> list of open bugs that I can see, the security issues that are
> currently affecting the stable version are supposedly minor. [If
> they're not, someone who knows more about the CVEs in question that I
> do should file more bugs and/or adjust severities appropriately.]

By bringing an issue to the tech ctte, both sides of the issue have to
give up some control, and thus reposibility. So in this case it's not
just wordpresses's maintenance, but also the security support work that
the security team would notmally handle (ie, writing DSAs and pushing
out fixes) that the tech ctte delegate would be responsible for.

FWIW, at least these security holes seem pretty bad:

CVE-2007-3543, CVE-2007-3544 remote upload and execution of php code
CVE-2007-4154 7 varieties of SQL injection
CVE-2008-0196 directory traversal via "..", and arbitrary file modification
CVE-2007-1599, CVE-2007-3639 redirect authenticated users to other sites
  and obtain potentially sensative information

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: