Hi Jan,

On Wed, Aug 12, 2015 at 03:24:46PM +0200, Jan Ingvoldstad wrote:
> On 08/12/2015 03:00 PM, Guido Günther wrote:
> >Hello dear maintainers,
> >
> >the Debian LTS team would like to fix the security issues which are
> >currently open in the Squeeze version of wordpress:
> >https://security-tracker.debian.org/tracker/CVE-2015-5622
>
> Just as a bit of information regarding this package:
>
> There should be plenty of other security issues in the Squeeze version, and
> not easily maintainable, since security support for 3.6 was abandoned by
> WordPress in October 2013:
>
> https://security-tracker.debian.org/tracker/source-package/wordpress
>
> There has also been a somewhat lengthy discussion about WP in the backports
> mailing list, from this message and onwards:
>
> https://lists.debian.org/debian-backports/2015/06/msg00005.html
>
> I suspect that Craig will suggest tracking the version in Wheezy for
> simplicity's sake, as the internal changes since 3.6 may be too much to
> easily backport security updates for.

Yeah, there are several other CVEs affecting wordpress (also in squeeze)
currently. I see two possible solutions: marking wordpress as end-of-life
or piggybacking on another version since backporting will become really
time-consuming. In contrast to other things like openssl, ruby, nss this is
rather a leaf package that has little potential of breaking other things we
ship.

I'd be glad to hear opinions on this.

Cheers,
 -- Guido
