Package: wordpress
Severity: serious

On behalf of the Security Team I'm requesting the removal of Wordpress
from Etch. There's a steady flow of security issues being found in
Wordpress and we don't believe it's sanely maintainable over the
course of 30-36 months. (Etch life-time)

As an example, the versions fixing vulnerabilities of the last four
months only:

  wordpress (2.1.1-1) unstable; urgency=high
  .
    * New upstream security release
    * Updated copyright with new download link
    * http://wordpress.org/development/2007/02/new-releases
    * http://trac.wordpress.org/milestone/2.1.1
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

  wordpress (2.0.8-1) testing-security; urgency=high
  .
    [Neil McGovern]
    * Non-maintainer upload by security team.
    * Fixes for CVE-2007-0539 and CVE-2007-0541
    [Kai Hendry]
    * New upstream release
    * Security fix, urgency high for etch

  wordpress (2.0.7-1) unstable; urgency=low
  .
    * New upstream release
    * New upstream available (security fix) (Closes: #407116)

  wordpress (2.0.6-1) unstable; urgency=high
  .
    * New upstream release
    * Security fix, urgency high.
    * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
      Function Client-Side Cross Site Scripting Vulnerability.
      (Closes: #405299, #405691)

  wordpress (2.0.5-0.1) unstable; urgency=medium
  .
    * NMU on maintainer's request.
    * Security fix, urgency medium.
    * readme.html: s/license.txt/copyright/. (Closes: #382283)
    * New upstream release, which fixes:
      - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
        plugin for WordPress. (Closes: #384800)

Even more worrying, their infrastructure was hacked and they had a
compromised tarball up for download:

http://wordpress.org/development/2007/03/upgrade-212/

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

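The compromised-tarball incident mentioned above is the reason a checksum hosted next to the download is not enough: anything on the same server can be replaced along with the archive. The following is an added example, not code from the bug report, from Debian or from WordPress. It compares a downloaded archive against a SHA-256 digest obtained out of band (a signed release announcement, a mirror, a previously verified copy) and lists archive members that would escape the unpack directory. It assumes GNU `tar` and `sha256sum`; the archives, the "backdoor" file and the pinned digest are constructed inside the script purely for demonstration, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of WordPress/Debian.
# Two checks to run before unpacking an upstream tarball whose hosting
# may have been compromised:
#   1. compare its digest with one obtained through an independent channel
#   2. look for members with absolute or '..' paths before extracting

# verify_digest TARBALL EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch
verify_digest() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# suspicious_entries TARBALL -> prints members whose path is absolute or
# contains a '..' component; empty output means nothing was flagged
suspicious_entries() {
    tar -tf "$1" | grep -E '^/|(^|/)\.\.(/|$)' || true
}

# --- constructed demonstration data (not a real WordPress release) ---
demo_dir=$(mktemp -d)
printf '<?php echo "hello";\n' > "$demo_dir/index.php"
tar -C "$demo_dir" -cf "$demo_dir/wordpress.tar" index.php

# Stands in for the digest published through an independent channel.
# In practice this value is pasted from the signed announcement or taken
# from a copy verified earlier; it must never be read from the same host.
pinned=$(sha256sum "$demo_dir/wordpress.tar" | cut -d ' ' -f 1)

# Simulated tampering: the hosted archive gains an extra file.
cp "$demo_dir/wordpress.tar" "$demo_dir/tampered.tar"
printf 'placeholder for injected code\n' > "$demo_dir/backdoor.php"
tar -C "$demo_dir" -rf "$demo_dir/tampered.tar" backdoor.php

# Simulated path traversal: a member named ../index.php (-P keeps the '..').
mkdir "$demo_dir/inner"
tar -P -C "$demo_dir/inner" -cf "$demo_dir/traversal.tar" ../index.php

# Named entry points so the results can be checked rather than only printed.
demo_good()      { verify_digest "$demo_dir/wordpress.tar" "$pinned"; }
demo_tampered()  { verify_digest "$demo_dir/tampered.tar" "$pinned"; }
demo_traversal() { suspicious_entries "$demo_dir/traversal.tar"; }
demo_clean()     { suspicious_entries "$demo_dir/wordpress.tar"; }

if demo_good; then echo "original archive: digest OK"; fi
if ! demo_tampered; then echo "tampered archive: digest MISMATCH, do not unpack"; fi
echo "flagged members in traversal.tar: $(demo_traversal)"
```

The digest check only helps when the pinned value really comes from a different trust path than the download; a `.sha256` file sitting beside the tarball would have been replaced by the same attacker. The member check is cheap insurance against an archive that was modified to drop files outside the target tree during extraction.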
