Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package wordpress

WordPress 5.0.3 has a security bug #924546 which was fixed in upstream version 5.1.1 [1]

Sid has 5.1.1 which has this fix, however it also has all the non-security fixes of 5.1 as well.

For stretch, there is a patch ready to go for 4.7.5, seen at [2] that covers only the security fixes.

If Buster was released, I'd prepare a security patch that would be almost-identical to the Stretch fix, taken from [3] which is where upstream tracks 5.0.x releases, using changeset 44835 and 44844.

So, we have a few options:
 1) Update Buster WordPress 5.0.3 to 5.0.4 which is the security fixes
 2) Make a security release for Buster, effectively what (1) is with different version numbers
 3) Update Buster to follow Sid, which is a major update, 5.1.1
 4) Do nothing and wait until Buster is released and then fix it.

I haven't prepared differences yet because depending on the answer you get a different debdiff.

 - Craig

1: https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
2: https://salsa.debian.org/debian/wordpress/commit/a903dc48fb4177b15642c2c50912de50adb77c73
3: https://core.trac.wordpress.org/log/branches/5.0

unblock wordpress/5.0.3+dfsg1-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled