** Description changed:
+ Sponsorship
+ -----------
+ git-buildpackage from the ubuntu/* branches at
+ https://git.launchpad.net/~jbicha/ubuntu/+source/wordpress/
+
Impact
------
Update 17.04 from 4.7.3 to 4.7.5
Update 16.10 from 4.6.1 to 4.6.6
Update 16.04 LTS from 4.4.2 to 4.4.10
- Update 14.04 LTS from 3.8.2 to 3.8.21
to fix numerous critical security bugs.
wordpress 4.7.5-1 was auto-synced from Debian to Ubuntu 17.10 Alpha
"artful"
Changes for Ubuntu 17.04
------------------------
https://wordpress.org/news/2017/04/wordpress-4-7-4/
https://wordpress.org/news/2017/05/wordpress-4-7-5/
https://codex.wordpress.org/Version_4.7.4
https://codex.wordpress.org/Version_4.7.5
You can change the codex URL to a different version number if you really
want to see all the individual security fixes.
Testing Done
------------
+ I have successfully test-built each package
Regression Potential
--------------------
WordPress maintains separate branches to backport security fixes. I suspect
that the older the branch gets, the more likely it is that something will break.
WordPress still uses trac/svn, but there's this handy read-only copy
that is easier to examine:
- https://github.com/WordPress/WordPress/commits/3.8-branch
+ https://github.com/WordPress/WordPress/commits/4.4-branch
+
+ WordPress only officially recommends the latest stable series (currently 4.7)
+ https://wordpress.org/download/release-archive/
Other Info
----------
On one hand, I hope right now no one actually uses the Ubuntu package on a
live web server. I mean, if they are using the development version of Ubuntu,
it might actually work but otherwise, it's not really received any security
support at all.
Similarly, I guess there's a concern that if we start providing security
updates, then people will start thinking that Ubuntu's 'wordpress'
package is safe to use, which is fine as long as someone from the
community will indeed package these updates from now on. Otherwise,
maybe doing these security updates is not really helping anyone?
- Since 14.04's wordpress is in unseeded universe after 3 years, it's not
- supported any more, but since WordPress still provided a release for it,
- I figure it's not that much extra effort to do that update too.
+ WordPress also maintains a 3.8 branch (with a 3.8.21 release this week
+ corresponding with 4.7.5) that we could use for Ubuntu 14.04 LTS. I
+ could prepare that one too, but I don't think it's worth spending much
+ time testing that version.
** Also affects: wordpress (Ubuntu Zesty)
Importance: Undecided
Status: New
** Also affects: wordpress (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: wordpress (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: wordpress (Ubuntu)
Status: New => Confirmed
** Changed in: wordpress (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: wordpress (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: wordpress (Ubuntu Yakkety)
Status: New => Confirmed
** Changed in: wordpress (Ubuntu Yakkety)
Importance: Undecided => High
** Changed in: wordpress (Ubuntu Zesty)
Status: New => Confirmed
** Changed in: wordpress (Ubuntu Zesty)
Importance: Undecided => High
** Description changed:
Sponsorship
-----------
git-buildpackage from the ubuntu/* branches at
https://git.launchpad.net/~jbicha/ubuntu/+source/wordpress/
Impact
------
Update 17.04 from 4.7.3 to 4.7.5
Update 16.10 from 4.6.1 to 4.6.6
Update 16.04 LTS from 4.4.2 to 4.4.10
to fix numerous critical security bugs.
wordpress 4.7.5-1 was auto-synced from Debian to Ubuntu 17.10 Alpha
"artful"
Changes for Ubuntu 17.04
------------------------
https://wordpress.org/news/2017/04/wordpress-4-7-4/
https://wordpress.org/news/2017/05/wordpress-4-7-5/
https://codex.wordpress.org/Version_4.7.4
https://codex.wordpress.org/Version_4.7.5
You can change the codex URL to a different version number if you really
want to see all the individual security fixes.
+ The changelog entries were produced by tweaking the changelog from
+ https://tracker.debian.org/media/packages/w/wordpress/changelog-4.7.5%2Bdfsg-1
+
+ For Xenial, I also used
+
https://tracker.debian.org/media/packages/w/wordpress/changelog-4.1%2Bdfsg-1%2Bdeb8u13
+
+ and filled in the descriptions for these 2 that didn't apply to the Debian
security update but apply to Xenial
+ https://security-tracker.debian.org/tracker/CVE-2016-6896
+ https://security-tracker.debian.org/tracker/CVE-2016-6897
+
Testing Done
------------
- I have successfully test-built each package
+ I have successfully test-built each package.
Regression Potential
--------------------
WordPress maintains separate branches to backport security fixes. I suspect
that the older the branch gets, the more likely it is that something will break.
WordPress still uses trac/svn, but there's this handy read-only copy
that is easier to examine:
https://github.com/WordPress/WordPress/commits/4.4-branch
WordPress only officially recommends the latest stable series (currently 4.7)
https://wordpress.org/download/release-archive/
Other Info
----------
On one hand, I hope right now no one actually uses the Ubuntu package on a
live web server. I mean, if they are using the development version of Ubuntu,
it might actually work but otherwise, it's not really received any security
support at all.
Similarly, I guess there's a concern that if we start providing security
updates, then people will start thinking that Ubuntu's 'wordpress'
package is safe to use, which is fine as long as someone from the
community will indeed package these updates from now on. Otherwise,
maybe doing these security updates is not really helping anyone?
WordPress also maintains a 3.8 branch (with a 3.8.21 release this week
corresponding with 4.7.5) that we could use for Ubuntu 14.04 LTS. I
could prepare that one too, but I don't think it's worth spending much
time testing that version.
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1691520
Title:
Wordpress May 2017 security updates
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
