I've contacted the Debian security team. I hope they will act soon. Thanks for raising this issue. Please test http://static.natalian.org/2007-08-05/wordpress_2.0.11-1_i386.changes if you can.

----- Forwarded message from Kai Hendry <[EMAIL PROTECTED]> -----
From: Kai Hendry <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Wordpress 2.0.x security updates in stable]
Date: Tue, 7 Aug 2007 17:38:21 +0100
Reply-To: Kai Hendry <[EMAIL PROTECTED]>

I was hoping Micah or Noah would help sponsor an upload of the 2.0.11 stable security update of Wordpress. I know Micah is busy and Noah has not responded, so could someone please help out?

http://static.natalian.org/2007-08-05/wordpress_2.0.11-1_i386.changes

Kind regards,

----- Forwarded message from Kai Hendry <[EMAIL PROTECTED]> -----
From: Kai Hendry <[EMAIL PROTECTED]>
To: Micah Anderson <[EMAIL PROTECTED]>
Cc: Mark Jaquith <[EMAIL PROTECTED]>, Noah Meyerhans <[EMAIL PROTECTED]>
Subject: Wordpress 2.0.x security updates in stable
Date: Sun, 5 Aug 2007 11:10:13 +0100
Reply-To: Kai Hendry <[EMAIL PROTECTED]>

On 2007-08-04T13:39-0400 Micah Anderson wrote:
> This is great info... however, can you help us map this to the state WRT
> Debian packages in the various releases? As you have a much clearer
> understanding of what Debian package might have adopted what from
> upstream I'd much prefer your enlightened view on this, than me trying
> to guess based on the version numbers alone.

Mark is the release manager for the 2.0.x branch, so we're talking about the Debian version in stable. Unless I've misunderstood you?

I must agree it can be difficult in Wordpress's trac to track how each CVE is dealt with in each version.

> With that said, here are some guesses and questions:
>
> Summary:
> . A DSA should be issued for CVE-2007-1230, CVE-2007-2821, CVE-2007-3238
> and the version in proposed-updates should be updated to take these into
> account.

If you like. Do you want me to draft them?

> . The following need to be investigated to see if they apply to the
> versions that are currently in stable and unstable: CVE-2007-0540,
> CVE-2007-1244,

I'm confident CVE-2007-1244 has been fixed in both branches. I don't know much about CVE-2007-0540 yet.

> . These don't need any action: CVE-2007-1599 (minor), CVE-2007-2627
> (fixed 2 years ago), CVE-2007-1732 (disputed)
> . Needs to be fixed in unstable, but not stable: CVE-2007-3140

I'm confident CVE-2007-3140 is fixed in 2.2.2.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=435848

> > CVE-2007-1244 - This is XSS, not CSRF. It is fixed... likely in [5058]
> Not fixed in any debian package (there looks to be a bug ID or commit
> number that could be used to fix this though). What versions does this
> apply to? Does it need to be fixed in stable?

I just looked in 2.0.10, 2.0.11 and http://trac.wordpress.org/changeset/5058: 'clean_url' is applied there.

> > CVE-2007-1599 - This won't be fixed for this version. We are
> > discussing the issue. It's not really an exploit so much as a very
> > slight Phishing aid, so it's not a huge priority.
> What versions does this one apply to? All existing WP versions? Only
> 2.x?

I'll chase this one up with Mark.

> > CVE-2007-1732 - There is no such parameter -- the bug is inadequately
> > described.
> This should be disputed with Mitre then?

> > CVE-2007-2627 - This was fixed almost two years ago:
> > http://trac.wordpress.org/changeset/2884/trunk/wp-content/themes/default/searchform.php
> Is it safe to say that 2.0.9-1 has this fixed then? What Debian version
> that was uploaded contains this fix?

Comments, Mark?

> Sounds like this will need to be pushed into the proposed-updates instead
> of the 2.0.10-1 version that is sitting there now.

I've just prepared:
http://static.natalian.org/2007-08-05/wordpress_2.0.11-1_i386.changes

I think I wrongly put stable-security instead of testing-security. Do I need to change it, or could you please alter that?

Noah, will you please sponsor this upload again?

There are a few diffs on the import functions. If these importers aren't patched, I've been told by upstream they become useless. So I hope it can imaginatively fit under clause 2 of http://release.debian.org/stable/4.0/4.0r1/ when potential users try to import their data from another blogging system.

Let me know what you think. Thanks for everyone's input here. :)

----- End forwarded message -----

----- End forwarded message -----