Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package wordpress

Currently Wordpress in Bullseye is 5.6.1 and is vulnerable to CVE-2021-29450, reported in bug #987065.

There are really three options here, either:

a) Bullseye gets upgraded to 5.6.3 [1]; or
b) Bullseye gets 5.6.1 that only has the patch; or
c) WordPress 5.7.1 in Sid is unblocked and put into Bullseye.

My preference is to have Bullseye use 5.7.1, i.e. unblock from Sid, hence this email. This will make the inevitable security updates easier during the life of Bullseye and will slow down the "why is this version so old" emails I'll get.

I was hoping to get 5.7 into Bullseye anyway but missed the freeze. With this security bug, there needs to be an update; it just comes down to which one to do.

Patching only the change initially sounds good, but the issue is that any subsequent patches (and there will be security bugs in future) become very difficult to do. Upstream may also assume a bug is not a bug due to some previous fix (e.g. a change in 5.6.2 that we don't put in stops some future security issue).

The issue of patching future WordPress 5.6.1+ versions is easy to see by looking at upstream's source repository [2]: there are two security updates there. So, 768f1d8 looks like a good contender for a PHP8 related problem, which is CVE-2021-29447 [3], but where is the fix for CVE-2021-29450 [4]? It's probably buried in c937087 "Grouped merges for 5.6.3".

This sort of thing happens all the time; it's why, for example, for Buster we track 5.0.x [5] and Buster has 5.0.11, not 5.0.4+something.

[ Reason ]
To fix security bug CVE-2021-29450 [4] and to ensure that subsequent security issues are properly handled for Bullseye.

[ Impact ]
Bullseye WordPress users will remain vulnerable OR we have to do some special upload of 5.6.3 OR some patched thing which is almost but not quite anything tested anywhere.

[ Tests ]
There are two sets of changes here. WordPress 5.7 has been out for about a month with no reported issues, so it's been tested on various systems out there, including my own. WordPress 5.7.1 is new. Upstream have automated tests; I have run this version on my own systems and not had any issues.

[ Risks ]
The change from 5.6.1 to 5.7.1 is big, about 20MB of data, but that would include things like minimised and unminimised javascript. I'm not sure of the mix of upstream WordPress websites between 5.6.x and 5.7.x, but I'd expect most track the latest upstream, meaning 5.7.1 would be used *way* more than 5.6.3. Nobody would be using the patched 5.6.1 option before it's released.

[ Checklist ]
[Y] all changes are documented in the d/changelog
[Y] I reviewed all changes and I approve them
[N] attach debdiff against the package in testing

[ Other info ]
I can provide the 25M debdiff if required, but I don't think it will be useful.

1: https://wordpress.org/support/wordpress-version/version-5-6-3/
2: https://github.com/WordPress/WordPress/commits/5.6-branch
3: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
4: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
5: https://metadata.ftp-master.debian.org/changelogs//main/w/wordpress/wordpress_5.0.11+dfsg1-0+deb10u1_changelog

unblock wordpress/5.7.1+dfsg1-1