I would like to propose that this bug receive the wont-fix status for
the moment.

The CVE reports that SSL communication is not forced in the intended
situations. After speaking to some WordPress developers on IRC, it was
said that SSL was only introduced into WordPress 2.6+. Ubuntu currently
contains 2.5 and below and the SSL functionality is not included in this
version, therefore the CVE doesn't really apply.

Debian has created a patch (shown in the debdiff attached to this bug
report) - that backports the SSL functionality and some functions into
2.5. I believe this is not a true security patch, but more of an SRU.
There have also been numerous fixes to the SSL implementation in the
WordPress 2.6 tree that are not backported in that patch.

The first upload into Debian actually broke wordpress functionality, and
was fixed in a subsequent upload [1][2].

WordPress 2.6 should make it into Jaunty - where SSL will be fixed as
per upstream. There is also a Debian bug filed for the upgrade [3].

If anyone would like to comment or re-open this bug, please feel free to
do so. I am leaving the debdiff for Intrepid (with the Debian patch)
attached to this bug in case we would still like to make the Debian
change.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497216
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497524
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490977

-- 
[CVE-2008-3747] - wordpress before 2.6.1 ssl problem might allow remote 
attackers to gain administrative access by sniffing the network for a cookie
https://bugs.launchpad.net/bugs/269301

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
