Don Armstrong wrote: > On Sat, 29 Mar 2008, Joey Hess wrote: > > Well, just to pick an example, if the TC had chosen you to deal with > > the wordpress-in-stable issue, and you had personally decided it > > needed to be in stable, and had done whatever work was initially > > needed to get it into stable with security support, you'd still be > > responsible for its security now, and the several security holes it > > has now would be a problem that you'd be aware of, and at least be > > worrying about if nothing else. > > The package in question, as problematic as it is, has an active > maintainer who claimed that he would do exactly this. According to the > list of open bugs that I can see, the security issues that are > currently affecting the stable version are supposedly minor. [If > they're not, someone who knows more about the CVEs in question that I > do should file more bugs and/or adjust severities appropriately.] By bringing an issue to the tech ctte, both sides of the issue have to give up some control, and thus reposibility. So in this case it's not just wordpresses's maintenance, but also the security support work that the security team would notmally handle (ie, writing DSAs and pushing out fixes) that the tech ctte delegate would be responsible for. FWIW, at least these security holes seem pretty bad: CVE-2007-3543, CVE-2007-3544 remote upload and execution of php code CVE-2007-4154 7 varieties of SQL injection CVE-2008-0196 directory traversal via "..", and arbitrary file modification CVE-2007-1599, CVE-2007-3639 redirect authenticated users to other sites and obtain potentially sensative information -- see shy jo
Attachment:
signature.asc
Description: Digital signature