Hi,

On Wed, 12 Aug 2015, Guido Günther wrote:
> > I suspect that Craig will suggest tracking the version in Wheezy for
> > simplicity's sake, as the internal changes since 3.6 may be too much to
> > easily backport security updates for.
>
> Yeah, there are several other CVEs affecting wordpress (also in squeeze)
> currently. I see two possible solutions: marking wordpress as
> end-of-life or piggy backing on another version since backporting will
> become really time consuming. In contrast to other things like openssl,
> ruby, nss this is rather a leaf package that has little
> potential of breaking other things we ship.

Definitely, we have imported newer upstream releases multiple times in the
past to fix security issues and we can/should continue doing this (I was a
former maintainer of the package).

I would suggest backporting the package that Craig has been uploading to
newer releases.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
