Hi, this seems to describe the details of the vulnerability fixed in Wordpress 1.5.1 and it roughly matches the description by "io_error": http://www.mindblaze.net/articles/information-technology/security-breach-in-wordpress-15-rss-feeds-enclosures/
However, I think that upstream's reaction renders Wordpress unusable for a stable release. There have been several Wordpress security issues until now, and if they only provide fixed new upstream versions without giving details, the Security team cannot provide support for it. So I'd like to suggest removing Wordpress from Sarge and supporting it through volatile.debian.net instead.

Cheers,
Moritz