tags 605603 patch
thanks

Hi,

> This looks worthy of an update for squeeze. Note that the other updates
> in 3.0.2 also include various security hardening issues so it may be
> most appropriate to upload 3.0.2 itself for squeeze.

However, you know, we are in the freeze and the diff between 3.0.1 and 3.0.2 is about 2000 lines. In general, it's too many changes at this time. I hope there is someone who can check its worth and benefit and negotiate with the release team.

Anyway, the proposed smallest patch to 3.0.1 is below. Please check it.

diff -Nru wordpress-3.0.1/debian/changelog wordpress-3.0.1/debian/changelog --- wordpress-3.0.1/debian/changelog 2010-09-02 17:34:46.000000000 +0900 +++ wordpress-3.0.1/debian/changelog 2010-12-02 15:08:22.000000000 +0900 @@ -1,3 +1,11 @@ +wordpress (3.0.1-2.1) unstable; urgency=high + + * Non-maintainer upload. + * add debian/patches/fix_SQLinjection_r16625.patch from upstream SVN + to fix vulnerability (Closes: #605603) + + -- Hideki Yamane <henr...@debian.org> Thu, 02 Dec 2010 15:06:20 +0900 + wordpress (3.0.1-2) unstable; urgency=low * [e8a913f] Remove swfupload.swf from the binary package, as it cannot diff -Nru wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch --- wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch 1970-01-01 09:00:00.000000000 +0900 +++ wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch 2010-12-02 15:06:03.000000000 +0900
@@ -0,0 +1,13 @@ +Index: wordpress-3.0.1/wp-includes/comment.php +=================================================================== +--- wordpress-3.0.1.orig/wp-includes/comment.php 2010-12-02 15:05:30.619404571 +0900 ++++ wordpress-3.0.1/wp-includes/comment.php 2010-12-02 15:05:59.092116965 +0900 +@@ -1654,7 +1654,7 @@ + trackback($tb_ping, $post_title, $excerpt, $post_id); + $pinged[] = $tb_ping; + } else { +- $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) ); ++ $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id) ); + } + } + } diff -Nru wordpress-3.0.1/debian/patches/series wordpress-3.0.1/debian/patches/series --- wordpress-3.0.1/debian/patches/series 2010-09-02 17:34:46.000000000 +0900 +++ wordpress-3.0.1/debian/patches/series 2010-12-02 15:05:22.000000000 +0900 @@ -7,3 +7,4 @@ 010disabling_update_note.patch manifest.patch mu.patch +fix_SQLinjection_r16625.patch
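Review bot: in the debian/changelog hunk, the new 3.0.1-2.1 entry names the patch file but says nothing about the flaw it closes; state what #605603 is (an SQL injection in the trackback handling in wp-includes/comment.php, fixed by upstream SVN r16625) and add the CVE identifier if one has been assigned, so the entry stands on its own and the security tracker can match it. It is also worth saying that only r16625 is backported here rather than the full 3.0.2 update, since that is the point of this NMU.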
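Review bot: the inner hunk in debian/patches/fix_SQLinjection_r16625.patch is the correct fix: in the removed line `$tb_ping` was interpolated into the query string before `$wpdb->prepare()` ran, so prepare's escaping never applied to it, and the added line passes it as a `%s` argument next to `%d` for `$post_id`, which is how prepare is meant to be used. Two things to check before upload: the generated file carries only an `Index:` line, so add a DEP-3 header (Origin: upstream r16625, Bug-Debian: http://bugs.debian.org/605603, a one-line Description) so the patch documents itself; and `$wpdb->posts` remains interpolated, which is fine because it is the configured table prefix plus name rather than request data, but note that in the description so the distinction is clear to the next reviewer.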