[Bug 1691520] Re: Wordpress May 2017 security updates
[Expired for wordpress (Ubuntu Zesty) because there has been no activity for 60 days.] ** Changed in: wordpress (Ubuntu Zesty) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
[Expired for wordpress (Ubuntu) because there has been no activity for 60 days.] ** Changed in: wordpress (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
[Expired for wordpress (Ubuntu Xenial) because there has been no activity for 60 days.] ** Changed in: wordpress (Ubuntu Xenial) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
[Expired for wordpress (Ubuntu Yakkety) because there has been no activity for 60 days.] ** Changed in: wordpress (Ubuntu Yakkety) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Hey Jeremy - I'm going to unsubscribe ubuntu-security-sponsors to get these updates out of our reports. Once you've been able to test the updates, please detail your testing, re-subscribe ubuntu-security- sponsors, and set the status to NEW. Thanks! ** Changed in: wordpress (Ubuntu) Status: Confirmed => Incomplete ** Changed in: wordpress (Ubuntu Xenial) Status: Confirmed => Incomplete ** Changed in: wordpress (Ubuntu Yakkety) Status: Confirmed => Incomplete ** Changed in: wordpress (Ubuntu Zesty) Status: Confirmed => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Unsubscribing ~ubuntu-sponsors as there's nothing left to sponsor. Please feel free to resubscribe ~ubuntu-sponsors if this was done in error. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Not really. I haven't worked on this recently but I had trouble getting the WordPress package to work earlier. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Hi Jeremy, any progress on getting these tested? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Steve, thanks for checking in. I haven't been able to verify the proposed fixes yet because I wasn't able to get the WordPress package working on 16.04 LTS. (The site loads now but not the theme. Maybe it's a permission problem with the sample Apache config file.) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Jeremy Bicha: any progress on testing these packages? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Thanks for the branches! Changes look good. I've uploaded the packages to the security team PPA here: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages Once the builds complete, please perform upgrade testing and then update this bug report with the testing that you performed. I will then release the packages as security updates. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
Debian put out a fix today for https://security- tracker.debian.org/tracker/CVE-2017-8295 but that seems a low enough priority to me (and not yet fixed in WordPress core) to wait until the next WordPress security release. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8295 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1691520 Title: Wordpress May 2017 security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1691520] Re: Wordpress May 2017 security updates
** Description changed: + Sponsorship + --- + git-buildpackage from the ubuntu/* branches at + https://git.launchpad.net/~jbicha/ubuntu/+source/wordpress/ + Impact -- Update 17.04 from 4.7.3 to 4.7.5 Update 16.10 from 4.6.1 to 4.6.6 Update 16.04 LTS from 4.4.2 to 4.4.10 - Update 14.04 LTS from 3.8.2 to 3.8.21 to fix numerous critical security bugs. wordpress 4.7.5-1 was auto-synced from Debian to Ubuntu 17.10 Alpha "artful" Changes for Ubuntu 17.04 https://wordpress.org/news/2017/04/wordpress-4-7-4/ https://wordpress.org/news/2017/05/wordpress-4-7-5/ https://codex.wordpress.org/Version_4.7.4 https://codex.wordpress.org/Version_4.7.5 You can change the codex URL to a different version number if you really want to see all the individual security fixes. Testing Done + I have successfully test-built each package Regression Potential WordPress maintains separate branches to backport security fixes. I suspect that the older the branch gets, the more likely it is that something will break. WordPress still uses trac/svn, but there's this handy read-only copy that is easier to examine: - https://github.com/WordPress/WordPress/commits/3.8-branch + https://github.com/WordPress/WordPress/commits/4.4-branch + + WordPress only officially recommends the latest stable series (currently 4.7) + https://wordpress.org/download/release-archive/ Other Info -- On one hand, I hope right now no one actually uses the Ubuntu package on a live web server. I mean, if they are using the development version of Ubuntu, it might actually work but otherwise, it's not really received any security support at all. Similarly, I guess there's a concern that if we start providing security updates, then people will start thinking that Ubuntu's 'wordpress' package is safe to use, which is fine as long as someone from the community will indeed package these updates from now on. Otherwise, maybe doing these security updates is not really helping anyone? - Since 14.04's wordpress is in unseeded universe after 3 years, it's not - supported any more, but since WordPress still provided a release for it, - I figure it's not that much extra effort to do that update too. + WordPress also maintains a 3.8 branch (with a 3.8.21 release this week + corresponding with 4.7.5) that we could use for Ubuntu 14.04 LTS. I + could prepare that one too, but I don't think it's worth spending much + time testing that version. ** Also affects: wordpress (Ubuntu Zesty) Importance: Undecided Status: New ** Also affects: wordpress (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: wordpress (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: wordpress (Ubuntu) Status: New => Confirmed ** Changed in: wordpress (Ubuntu Xenial) Status: New => Confirmed ** Changed in: wordpress (Ubuntu Xenial) Importance: Undecided => High ** Changed in: wordpress (Ubuntu Yakkety) Status: New => Confirmed ** Changed in: wordpress (Ubuntu Yakkety) Importance: Undecided => High ** Changed in: wordpress (Ubuntu Zesty) Status: New => Confirmed ** Changed in: wordpress (Ubuntu Zesty) Importance: Undecided => High ** Description changed: Sponsorship --- git-buildpackage from the ubuntu/* branches at https://git.launchpad.net/~jbicha/ubuntu/+source/wordpress/ Impact -- Update 17.04 from 4.7.3 to 4.7.5 Update 16.10 from 4.6.1 to 4.6.6 Update 16.04 LTS from 4.4.2 to 4.4.10 to fix numerous critical security bugs. wordpress 4.7.5-1 was auto-synced from Debian to Ubuntu 17.10 Alpha "artful" Changes for Ubuntu 17.04 https://wordpress.org/news/2017/04/wordpress-4-7-4/ https://wordpress.org/news/2017/05/wordpress-4-7-5/ https://codex.wordpress.org/Version_4.7.4 https://codex.wordpress.org/Version_4.7.5 You can change the codex URL to a different version number if you really want to see all the individual security fixes. + The changelog entries were produced by tweaking the changelog from + https://tracker.debian.org/media/packages/w/wordpress/changelog-4.7.5%2Bdfsg-1 + + For Xenial, I also used + https://tracker.debian.org/media/packages/w/wordpress/changelog-4.1%2Bdfsg-1%2Bdeb8u13 + + and filled in the descriptions for these 2 that didn't apply to the Debian security update but apply to Xenial + https://security-tracker.debian.org/tracker/CVE-2016-6896 + https://security-tracker.debian.org/tracker/CVE-2016-6897 + Testing Done - I have successfully test-built each package + I have successfully test-built each package. Regression Potential WordPress maintains separate branches to backport security fixes. I suspect that the older the branch gets, the more
