Hi Salvatore,
  Thanks for the bug report. I'll look into it today and yes, it's good we
finally have CVE IDs to work with.


On Sat, 2 May 2020 at 06:21, Salvatore Bonaccorso <car...@debian.org> wrote:

> example CVE-2020-11030 lists via the GHSA as affected versions 5.2 to
> 5.4, and patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct so which
> would mean buster and stretch are not affected?
>
[...]

> CVE-2020-11030:
> | to add content. This has been patched in version 5.4.1, along with all
> | the previously affected versions via a minor release (5.3.3, 5.2.6,
> | 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
> | 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
> The github entry is definitely confusing. "This affects 5.2-5.4" and
> "fixed in 5.0.9 and 4.7.17" (why fix something not affected?)


So WordPress pulls in changes into the old branches with a single commit[1]
which then references 6 SVN commits.  My gut feel is that with 6 CVEs and 6
referenced commits there is a good chance 5.0.x is impacted by all 6, but
sometimes they have multiple commits for one bug, or one commit fixes
multiple bugs. The trick comes down to how understandable the SVN commits
are.  It's a bit of a jigsaw puzzle. So for CVE-2020-11030, the 5.0.x fix is
probably [2] because it mentions the block editor and changes the search
file. It's not an exact science.

The actual code fix is easy, I just pull in [1] into the Debian repository
for buster. It's the referencing and checking the version is impacted that
takes the time.

 - Craig


1: https://github.com/WordPress/wordpress-develop/commit/e65e7a3bd96df6675a9a3caa54f5945885379f09
2: https://core.trac.wordpress.org/changeset/47636
