Re: [SECURITY] [DSA 2670-1] wordpress security update
Hi,

On Tue, 06 Nov 2012, Dominic Hargreaves wrote:
> On Fri, May 11, 2012 at 10:41:14PM +0200, Yves-Alexis Perez wrote:
> > Several vulnerabilities were identified in Wordpress, a web blogging tool.
> > As the CVEs were allocated from release announcements and specific fixes
> > are usually not identified, it has been decided to upgrade the Wordpress
> > package to the latest upstream version instead of backporting the patches.
> >
> > For the stable distribution (squeeze), those problems have been fixed in
> > version 3.3.2+dfsg-1~squeeze1.
>
> Hi all,
>
> Thanks for doing this! Do we have any idea whether the issues alluded to in
> http://wordpress.org/news/2012/06/wordpress-3-4-1/ and
> http://wordpress.org/news/2012/09/wordpress-3-4-2/ apply to 3.3 too?

I don't know, I did not investigate.

> Are there any plans to further upgrade squeeze in this manner?

I leave this to Yves-Alexis... It would be nice to formalize this approach
with the security team.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121107083306.gb9...@x230-buxy.home.ouaza.com
Re: [SECURITY] [DSA 2670-1] wordpress security update
On Wed, November 7, 2012 09:33, Raphael Hertzog wrote:
> > Are there any plans to further upgrade squeeze in this manner?
>
> I leave this to Yves-Alexis... It would be nice to formalize this approach
> with the security team.

I think we should do this only when it has been shown that applying the fixes
to the current version in stable(-security) is infeasible. Suppose now a simple
XSS is discovered, I would be very much in favour of just applying that fix.

Speaking as users of the wordpress packages, we've had quite some trouble
with migrating our blog platform to 3.3.x after we've installed 'just a
security update' on our Squeeze system. In general, it should be expected
that Debian security updates can be installed as quickly and non-invasively
as possible.

In that sense I hope we can formalize it to "we'll upgrade to a new major
upstream branch only when there are no other options" rather than "for
wordpress we'll always track upstream releases".

Cheers,
Thijs

Archive: http://lists.debian.org/9f69a31b83ecdaa3a209326500e26b9c.squir...@aphrodite.kinkhorst.nl
Re: [SECURITY] [DSA 2670-1] wordpress security update
On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> I think we should do this only when it has been shown that applying the
> fixes to the current version in stable(-security) is infeasible. Suppose
> now a simple XSS is discovered, I would be very much in favour of just
> applying that fix.

I would as well. The trouble is that contrary to Django (for example),
upstream is not pointing out which commits are security relevant and which
versions are affected or not. And there's zero support for older versions.

So we're on our own (and I'm not going to do all those investigations by
myself).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

Archive: http://lists.debian.org/20121107093915.ga14...@x230-buxy.home.ouaza.com
Re: [SECURITY] [DSA 2670-1] wordpress security update
On Wed, Nov 07, 2012 at 10:39:15AM +0100, Raphael Hertzog wrote:
> On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> > I think we should do this only when it has been shown that applying the
> > fixes to the current version in stable(-security) is infeasible. Suppose
> > now a simple XSS is discovered, I would be very much in favour of just
> > applying that fix.
>
> I would as well. The trouble is that contrary to Django (for example),
> upstream is not pointing out which commits are security relevant and which
> versions are affected or not. And there's zero support for older versions.
>
> So we're on our own (and I'm not going to do all those investigations by
> myself).

Mmm. I see a similar problem developing with Movable Type (which I am the
sole maintainer for at the moment). I don't know what the answer is.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Archive: http://lists.debian.org/20121107120255.gu4...@urchin.earth.li
Re: [SECURITY] [DSA 2670-1] wordpress security update
On Fri, May 11, 2012 at 10:41:14PM +0200, Yves-Alexis Perez wrote:
> Several vulnerabilities were identified in Wordpress, a web blogging tool.
> As the CVEs were allocated from release announcements and specific fixes
> are usually not identified, it has been decided to upgrade the Wordpress
> package to the latest upstream version instead of backporting the patches.
>
> For the stable distribution (squeeze), those problems have been fixed in
> version 3.3.2+dfsg-1~squeeze1.

Hi all,

Thanks for doing this! Do we have any idea whether the issues alluded to in
http://wordpress.org/news/2012/06/wordpress-3-4-1/ and
http://wordpress.org/news/2012/09/wordpress-3-4-2/ apply to 3.3 too?

Are there any plans to further upgrade squeeze in this manner?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Archive: http://lists.debian.org/20121106165517.gp4...@urchin.earth.li
Re: [SECURITY] [DSA 2670-1] wordpress security update
Marc Gorzala m...@gorzala.de (11/05/2012):
> on c we don't use debian-wordpress anyway

Please set proper To/Cc fields and leave this list alone, thanks already.

Mraw,
KiBi.
Re: [SECURITY] [DSA 2670-1] wordpress security update
On 11.05.2012 23:01, Marc Gorzala wrote:
> updated all machines.
>
> wordpress is still on b, probably unnecessarily. I'll check tomorrow
> whether it is actually used.
>
> on c the update seemed to be installed already, by you?

on c we don't use debian-wordpress anyway

regards
marc

> On 11.05.2012 22:41, Yves-Alexis Perez wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - ------------------------------------------------------------------------
> > Debian Security Advisory DSA-2670-1                   secur...@debian.org
> > http://www.debian.org/security/                         Yves-Alexis Perez
> > May 11, 2012                            http://www.debian.org/security/faq
> > - ------------------------------------------------------------------------
> >
> > Package        : wordpress
> > Vulnerability  : several
> > Problem type   : remote
> > Debian-specific: no
> > CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
> >                  CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
> >                  CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
> >                  CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
> > Debian Bug     : 670124
> >
> > Several vulnerabilities were identified in Wordpress, a web blogging tool.
> > As the CVEs were allocated from release announcements and specific fixes
> > are usually not identified, it has been decided to upgrade the Wordpress
> > package to the latest upstream version instead of backporting the patches.
> >
> > This means extra care should be taken when upgrading, especially when
> > using third-party plugins or themes, since compatibility may have been
> > impacted along the way. We recommend that users check their install
> > before doing the upgrade.
> >
> > For the stable distribution (squeeze), those problems have been fixed in
> > version 3.3.2+dfsg-1~squeeze1.
> >
> > For the testing distribution (wheezy) and the unstable distribution
> > (sid), those problems have been fixed in version 3.3.2+dfsg-1.
> >
> > We recommend that you upgrade your wordpress packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: http://www.debian.org/security/
> >
> > Mailing list: debian-security-annou...@lists.debian.org
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> >
> > iQEcBAEBAgAGBQJPrXyJAAoJEL97/wQC1SS+4EcH/1nAhgTx17pMJF7JbWFNG2ZY
> > /xSD6v4MDj3pLiZrntRx4c3y+Kbx91QKBN6KgqDxyHjDLoZgoNVVGwyozGjS2VBn
> > m2OwnjzLUJVqd77R+mUj5h3yEVS1d4O+VcYRcpugPTaD17d90rlPGL2HkZXnQAk1
> > OjOKGns+yiapuLpcHmNz5cjwvJxaNe355aZlwSUjFWumqtGjQcgyJeKy1XGW0s2o
> > h9YnLXGRNwtihXz0P+5qx7Qwcri3PXLn1Uapp2RSJStkNfiRjSJoqUkb5wqvhT7x
> > O6GhUWShBF6pZ11uvOySY2yU5jPOQDufSUn6T4R5CL4hYJ6Bif6iqkHznPubHeE=
> > =M38G
> > -----END PGP SIGNATURE-----

Archive: http://lists.debian.org/4fad7e4c.3030...@gorzala.de
Re: [SECURITY] [DSA 2670-1] wordpress security update
updated all machines.

wordpress is still on b, probably unnecessarily. I'll check tomorrow whether
it is actually used.

on c the update seemed to be installed already, by you?

regards
marc

On 11.05.2012 22:41, Yves-Alexis Perez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-2670-1                   secur...@debian.org
> http://www.debian.org/security/                         Yves-Alexis Perez
> May 11, 2012                            http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : wordpress
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
>                  CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
>                  CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
>                  CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
> Debian Bug     : 670124
>
> Several vulnerabilities were identified in Wordpress, a web blogging tool.
> As the CVEs were allocated from release announcements and specific fixes
> are usually not identified, it has been decided to upgrade the Wordpress
> package to the latest upstream version instead of backporting the patches.
>
> This means extra care should be taken when upgrading, especially when
> using third-party plugins or themes, since compatibility may have been
> impacted along the way. We recommend that users check their install
> before doing the upgrade.
>
> For the stable distribution (squeeze), those problems have been fixed in
> version 3.3.2+dfsg-1~squeeze1.
>
> For the testing distribution (wheezy) and the unstable distribution (sid),
> those problems have been fixed in version 3.3.2+dfsg-1.
>
> We recommend that you upgrade your wordpress packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEcBAEBAgAGBQJPrXyJAAoJEL97/wQC1SS+4EcH/1nAhgTx17pMJF7JbWFNG2ZY
> /xSD6v4MDj3pLiZrntRx4c3y+Kbx91QKBN6KgqDxyHjDLoZgoNVVGwyozGjS2VBn
> m2OwnjzLUJVqd77R+mUj5h3yEVS1d4O+VcYRcpugPTaD17d90rlPGL2HkZXnQAk1
> OjOKGns+yiapuLpcHmNz5cjwvJxaNe355aZlwSUjFWumqtGjQcgyJeKy1XGW0s2o
> h9YnLXGRNwtihXz0P+5qx7Qwcri3PXLn1Uapp2RSJStkNfiRjSJoqUkb5wqvhT7x
> O6GhUWShBF6pZ11uvOySY2yU5jPOQDufSUn6T4R5CL4hYJ6Bif6iqkHznPubHeE=
> =M38G
> -----END PGP SIGNATURE-----

Archive: http://lists.debian.org/4fad7e13.5050...@gorzala.de