Your message dated Mon, 20 Dec 2021 11:04:16 +0000
with message-id <[email protected]>
and subject line Bug#999568: fixed in wordpress 5.8.2+dfsg1-1
has caused the Debian Bug report #999568,
regarding wordpress: WordPress package should not ship separate root store
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
999568: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999568
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 5.8.1+dfsg1-1
Severity: normal

Dear Maintainer,

It seems this package includes a WordPress-provided root store, which like 
Debian's is based on Mozilla, but which includes a workaround for an issue from 
six years ago concerning 1024-bit roots 
(<https://core.trac.wordpress.org/ticket/54207>).

I can't say I've bothered looking for any Debian policies which may apply to 
this, but it seems to me that no package should use a non-system root store 
unless there is a very good reason to. I'm not convinced that this six-year-old 
issue is such a reason; the workaround was only needed for OpenSSL 1.0.1g, a 
version which predates Stretch. I cannot really see that there is anything 
otherwise unique to WordPress that would justify not just using the 
Debian-provided system root store.

As one example, the recently released 5.8.2 included one security fix which was 
directly caused by this practice (related to the recent Let's Encrypt root 
expiry): <https://core.trac.wordpress.org/ticket/54207>. In Debian, this issue 
was already sorted a month ago in #995432.

To solve this, I suggest one of the following:

1. Remove /usr/share/wordpress/wp-includes/certificates/ca-bundle.crt from the 
package and make it a symlink to /etc/ssl/certs/ca-certificates.crt
(ca-certificates is already a dependency)

or

2. Remove /usr/share/wordpress/wp-includes/certificates/ and patch 
/usr/share/wordpress/wp-includes/class-http.php to read 
/etc/ssl/certs/ca-certificates.crt (see lines 14 and 137 in 5.3.1)


Cheers

-- System Information:
Debian Release: 10.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
ii  apache2 [httpd]                             2.4.48-3~bpo10+1
ii  ca-certificates                             20210119
ii  default-mysql-client                        1.0.5
ii  libjs-cropper                               1.2.2-1
ii  libjs-underscore                            1.9.1~dfsg-1+deb10u1
ii  mariadb-client-10.3 [virtual-mysql-client]  1:10.3.31-0+deb10u1
ii  php                                         2:7.3+69
ii  php-gd                                      2:7.3+69
ii  php-getid3                                  1.9.20+dfsg-1
ii  php-mysql                                   2:7.3+69
ii  php7.3 [php]                                7.3.31-1~deb10u1
ii  php7.3-gd [php-gd]                          7.3.31-1~deb10u1
ii  php7.3-mysql [php-mysqlnd]                  7.3.31-1~deb10u1

Versions of packages wordpress recommends:
ii  wordpress-l10n                   5.8.1+dfsg1-1
ii  wordpress-theme-twentytwentyone  5.8.1+dfsg1-1

Versions of packages wordpress suggests:
ii  mariadb-server-10.3 [virtual-mysql-server]  1:10.3.31-0+deb10u1
pn  php-ssh2                                    <none>

-- Configuration Files:
/etc/wordpress/htaccess [Errno 2] No such file or directory: 
'/etc/wordpress/htaccess'

-- no debconf information

--- End Message ---
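
The report above contrasts a bundle that is a symlink to the system store with one that is a separately shipped copy. The following is an added example, not part of the bug report or the Debian package, that classifies which state an installation is in; the function names are hypothetical and the script assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: classify an application-private CA bundle against the
# system root store. Function names are hypothetical.

# Number of PEM certificates in a file (0 if unreadable).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Prints one of: missing | linked | linked-elsewhere | identical-copy |
# divergent app=N system=M
audit_bundle() {
    app=$1
    sys=$2
    if [ ! -e "$app" ] && [ ! -L "$app" ]; then
        echo "missing"
        return 0
    fi
    if [ -L "$app" ]; then
        # Resolve both paths fully so chained symlinks compare correctly.
        target=$(readlink -f -- "$app") || target=""
        wanted=$(readlink -f -- "$sys") || wanted=""
        if [ -n "$target" ] && [ -e "$target" ] && [ "$target" = "$wanted" ]; then
            echo "linked"
        else
            echo "linked-elsewhere"
        fi
        return 0
    fi
    # A regular file is a private copy: identical today, but it will drift
    # from the system store as ca-certificates is updated.
    if cmp -s -- "$app" "$sys"; then
        echo "identical-copy"
    else
        echo "divergent app=$(count_certs "$app") system=$(count_certs "$sys")"
    fi
}

# Run only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_bundle "$1" "$2"
fi
```

Invoke it with `/usr/share/wordpress/wp-includes/certificates/ca-bundle.crt` and `/etc/ssl/certs/ca-certificates.crt` as the two arguments; `linked` corresponds to the first remedy proposed in the report.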
--- Begin Message ---
Source: wordpress
Source-Version: 5.8.2+dfsg1-1
Done: Craig Small <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Dec 2021 21:48:50 +1100
Source: wordpress
Architecture: source
Version: 5.8.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Closes: 999568 1001462 1001623
Changes:
 wordpress (5.8.2+dfsg1-1) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Remove 1 obsolete maintscript entry.
   * Fix day-of-week for changelog entry 2.6.2-1.
   * Update standards version to 4.6.0, no changes needed.
 .
   [ Craig Small ]
   * New upstream release Closes: #1001462
   * Don't install ca-certificates.crt but link it Closes: #999568
   * Fix updater to complain less
   * Stop auto-updates Closes: #1001623
   * Added local/apache-wordpress for AppArmor local configs

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
