tags 605603 patch
thanks

Hi,

>This looks worthy of an update for squeeze. Note that the other updates
>in 3.0.2 also include various security hardening issues so it may be
>most appropriate to upload 3.0.2 itself for squeeze.

 However, you know, we are in freeze and the 3.0.1 to 3.0.2 diff is about 2000 
 lines. In general, that's too many changes at this time. I hope there is 
 someone who can check its worth and benefit and negotiate with the release team.


 Anyway, the proposed smallest patch to 3.0.1 is below. Please check it.


diff -Nru wordpress-3.0.1/debian/changelog wordpress-3.0.1/debian/changelog
--- wordpress-3.0.1/debian/changelog    2010-09-02 17:34:46.000000000 +0900
+++ wordpress-3.0.1/debian/changelog    2010-12-02 15:08:22.000000000 +0900
@@ -1,3 +1,11 @@
+wordpress (3.0.1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * add debian/patches/fix_SQLinjection_r16625.patch from upstream SVN
+    to fix vulnerability (Closes: #605603)
+
+ -- Hideki Yamane <henr...@debian.org>  Thu, 02 Dec 2010 15:06:20 +0900
+
 wordpress (3.0.1-2) unstable; urgency=low

   * [e8a913f] Remove swfupload.swf from the binary package, as it cannot
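Review bot: the new changelog entry only says "to fix vulnerability (Closes: #605603)"; a one-line description of what is fixed (SQL injection in the to_ping UPDATE in wp-includes/comment.php, where $tb_ping was interpolated into the query string) would let the security tracker and the release team match this NMU to the issue without opening the patch. Since the upload is meant to reach squeeze during the freeze, it is also worth noting in the entry that the change is the minimal backport of upstream SVN r16625 rather than the full 3.0.2 update.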
diff -Nru wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch
wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch
--- wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch        
1970-01-01 09:00:00.000000000 +0900
+++ wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch        
2010-12-02 15:06:03.000000000 +0900
@@ -0,0 +1,13 @@
+Index: wordpress-3.0.1/wp-includes/comment.php
+===================================================================
+--- wordpress-3.0.1.orig/wp-includes/comment.php       2010-12-02 
15:05:30.619404571 +0900
++++ wordpress-3.0.1/wp-includes/comment.php    2010-12-02 15:05:59.092116965 
+0900
+@@ -1654,7 +1654,7 @@
+               trackback($tb_ping, $post_title, $excerpt, $post_id);
+               $pinged[] = $tb_ping;
+           } else {
+-              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = 
TRIM(REPLACE(to_ping, '$tb_ping', ''))
WHERE ID = %d", $post_id) );
++              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = 
TRIM(REPLACE(to_ping, %s, '')) WHERE ID
= %d", $tb_ping, $post_id) );
+           }
+         }
+       }
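Review bot: the fix is correct in substance: the old line placed '$tb_ping' directly inside the SQL string, so $wpdb->prepare() escaped nothing for that value, while the new line passes it as a %s parameter so prepare() escapes it before the query runs. Two points before upload: the patch file carries no DEP-3 header, so add Description, Origin (upstream SVN r16625) and Bug-Debian (#605603) lines at the top of fix_SQLinjection_r16625.patch; and since this is a single-hunk backport, confirm that no other call site in the 3.0.1 tree builds a query by interpolating $tb_ping the same way, as the upstream revision may have touched more than this one line.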
diff -Nru wordpress-3.0.1/debian/patches/series 
wordpress-3.0.1/debian/patches/series
--- wordpress-3.0.1/debian/patches/series       2010-09-02 17:34:46.000000000 
+0900
+++ wordpress-3.0.1/debian/patches/series       2010-12-02 15:05:22.000000000 
+0900
@@ -7,3 +7,4 @@
 010disabling_update_note.patch
 manifest.patch
 mu.patch
+fix_SQLinjection_r16625.patch

