> If you are able, I suggest posting a debdiff for this issue.

Although I've privately packaged quite a few RPMs, I'm relatively new to debian/ubuntu packaging and am not prepared to generate an updated package with a debdiff at this point.

After further research, it looks like the vulnerability fixed by 3.0.6 requires authentication (a "contributor" level account) and results in the ability to publish posts for semi-trusted users that should not have that ability [1]. This is probably a small impact for most sites due to the requirement to have a contributor-level account, but is an escalation of privilege.

I think the larger questions are still worth answering, if there is an active community maintainer for this package willing to do so:

1) Is there a maintainer that believes that upstream is still supporting 3.0.x?
2) Was WP held back for Oneiric for a technical or policy reason, or simply because there was no community maintainer to do the work?

[1] http://codex.wordpress.org/Version_3.0.6

--
https://bugs.launchpad.net/bugs/883955
Title: Wordpress is out of date, possibly vulnerable to exploitation
