Debian Bug report logs - #672695
wordpress: no sane way for security updates in stable releases


Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Bernd Zeimetz <bernd@bzed.de>

Date: Sat, 12 May 2012 21:48:02 UTC

Severity: grave

Found in version wordpress/3.3.2+dfsg-1

Done: Moritz Mühlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#672695; Package wordpress. (Sat, 12 May 2012 21:48:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Sat, 12 May 2012 21:48:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bernd Zeimetz <bernd@bzed.de>
To: submit@bugs.debian.org
Subject: wordpress: no sane way for security updates in stable releases
Date: Sat, 12 May 2012 23:45:17 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: wordpress
Severity: grave
Version: 3.3.2+dfsg-1

[CC-in d-devel@l.d.o to discuss this]

Hi,

although I think the wordpress maintainers are doing all they can to keep
wordpress in good shape in Debian, I do not think that it is possible to
support a stable version with security fixes as we expect it for our releases.
The last security update shows that the wordpress upstream is not interested
in helping by documenting their patches or shipping proper point-releases to
at least some versions.

Being forced to upgrade to a new major version by a stable security support is
nothing we should force our users to. Debian stable is known for (usually)
pain-free updates and bugfixes only, not for shipping completely new versions
with a forced migration. Therefore - in my opinion - we should not ship
wordpress in Wheezy, at least not until upstream handles such issues in a sane
way.


Cheers,

Bernd



-------- Original Message --------
Subject: [SECURITY] [DSA 2670-1] wordpress security update
Resent-Date: Fri, 11 May 2012 20:41:44 +0000 (UTC)
Resent-From: debian-security-announce@lists.debian.org
Date: Fri, 11 May 2012 22:41:14 +0200
From: Yves-Alexis Perez <corsac@debian.org>
Reply-To: debian-security@lists.debian.org
To: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
May 11, 2012                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
                 CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
                 CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
                 CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
Debian Bug     : 670124

Several vulnerabilities were identified in Wordpress, a web blogging
tool.  As the CVEs were allocated from release announcements and
specific fixes are usually not identified, it has been decided to
upgrade the Wordpress package to the latest upstream version instead
of backporting the patches.

This means extra care should be taken when upgrading, especially when
using third-party plugins or themes, since compatibility may have been
impacted along the way.  We recommend that users check their install
before doing the upgrade.

For the stable distribution (squeeze), those problems have been fixed in
version 3.3.2+dfsg-1~squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), those problems have been fixed in version 3.3.2+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPrXyJAAoJEL97/wQC1SS+4EcH/1nAhgTx17pMJF7JbWFNG2ZY
/xSD6v4MDj3pLiZrntRx4c3y+Kbx91QKBN6KgqDxyHjDLoZgoNVVGwyozGjS2VBn
m2OwnjzLUJVqd77R+mUj5h3yEVS1d4O+VcYRcpugPTaD17d90rlPGL2HkZXnQAk1
OjOKGns+yiapuLpcHmNz5cjwvJxaNe355aZlwSUjFWumqtGjQcgyJeKy1XGW0s2o
h9YnLXGRNwtihXz0P+5qx7Qwcri3PXLn1Uapp2RSJStkNfiRjSJoqUkb5wqvhT7x
O6GhUWShBF6pZ11uvOySY2yU5jPOQDufSUn6T4R5CL4hYJ6Bif6iqkHznPubHeE=
=M38G
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87ipg2e9hx.fsf@mid.deneb.enyo.de





Reply sent to Moritz Mühlenhoff <jmm@inutil.org>:
You have taken responsibility. (Sat, 12 May 2012 22:09:04 GMT) Full text and rfc822 format available.

Notification sent to Bernd Zeimetz <bernd@bzed.de>:
Bug acknowledged by developer. (Sat, 12 May 2012 22:09:04 GMT) Full text and rfc822 format available.

Message #10 received at 672695-done@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Bernd Zeimetz <bernd@bzed.de>
Cc: 672695-done@bugs.debian.org
Subject: Re: wordpress: no sane way for security updates in stable releases
Date: Sun, 13 May 2012 00:04:57 +0200
On Sat, May 12, 2012 at 11:45:17PM +0200, Bernd Zeimetz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Package: wordpress
> Severity: grave
> Version: 3.3.2+dfsg-1
> 
> [CC-in d-devel@l.d.o to discuss this]
> 
> Hi,
> 
> although I think the wordpress maintainers are doing all they can to keep
> wordpress in good shape in Debian, I do not think that it is possible to
> support a stable version with security fixes as we expect it for our releases.
> The last security update shows that the wordpress upstream is not interested
> in helping by documenting their patches or shipping proper point-releases to
> at least some versions.
> 
> Being forced to upgrade to a new major version by a stable security support is
> nothing we should force our users to. Debian stable is known for (usually)
> pain-free updates and bugfixes only, not for shipping completely new versions
> with a forced migration. Therefore - in my opinion - we should not ship
> wordpress in Wheezy, at least not until upstream handles such issues in a sane
> way.

Closing. Neither the Wordpress maintainer nor the Debian Security Team have
objections to supporting Wordpress as it was until now.

Cheers,
         Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#672695; Package wordpress. (Sun, 13 May 2012 01:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Sun, 13 May 2012 01:15:04 GMT) Full text and rfc822 format available.

Message #15 received at 672695@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: debian-devel@lists.debian.org, Bernd Zeimetz <bernd@bzed.de>, 672695@bugs.debian.org
Subject: Re: Bug#672695: wordpress: no sane way for security updates in stable releases
Date: Sun, 13 May 2012 11:13:05 +1000
On Sun, 13 May 2012, Bernd Zeimetz <bernd@bzed.de> wrote:
> Being forced to upgrade to a new major version by a stable security support
> is nothing we should force our users to. Debian stable is known for
> (usually) pain-free updates and bugfixes only, not for shipping completely
> new versions with a forced migration. Therefore - in my opinion - we
> should not ship wordpress in Wheezy, at least not until upstream handles
> such issues in a sane way.

Forcing users to manually install and update it or to use a package from 
outside Debian are also options that aren't good for users.

deb http://www.coker.com.au squeeze wordpress

I run my own repository of Wordpress packages at the above APT source.  That 
includes some Wordpress plugins that are licensed suitably for Debian but 
which have the same update issue.

One thing about Wordpress and its plugins and themes is that you have to 
assume that every new release fixes some security issues.  They just don't 
document things well enough to allow you to assume otherwise.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#672695; Package wordpress. (Sun, 13 May 2012 12:57:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Sun, 13 May 2012 12:57:12 GMT) Full text and rfc822 format available.

Message #20 received at 672695@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Bernd Zeimetz <bernd@bzed.de>, 672695@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#672695: wordpress: no sane way for security updates in stable releases
Date: Sun, 13 May 2012 14:54:40 +0200
On sam., 2012-05-12 at 23:45 +0200, Bernd Zeimetz wrote:
> Being forced to upgrade to a new major version by a stable security support is
> nothing we should force our users to. Debian stable is known for (usually)
> pain-free updates and bugfixes only, not for shipping completely new versions
> with a forced migration.

Yes, that's usually the case. But I think having (*few*) exceptions is
actually helpful. I was the one preparing the update, because of my
security team hat and because I do use wordpress on one small blog. I
tried to package the latest point release (3.0.6) and backport some patches
from the various releases in the more recent branches, but it's just
doomed to fail. Wordpress upstream doesn't seem to be able to support a
stable branch long enough for us (and I don't blame them for that, we do
know how painful it is).


>  Therefore - in my opinion - we should not ship
> wordpress in Wheezy, at least not until upstream handles such issues in a sane
> way. 

I'm unsure if squeeze (and wheezy)-updates is really suited for that,
but I know that I prefer having a wordpress updated in Debian (either by
the security team or the maintainers) to a new upstream release than not
having it at all and having to handle it myself (even if in this case I
handled it myself).
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#672695; Package wordpress. (Sun, 13 May 2012 19:36:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Sun, 13 May 2012 19:36:08 GMT) Full text and rfc822 format available.

Message #25 received at 672695@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Bernd Zeimetz <bernd@bzed.de>, 672695@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#672695: wordpress: no sane way for security updates in stable releases
Date: Sun, 13 May 2012 21:33:35 +0200
On Sun, May 13, 2012 at 02:54:40PM +0200, Yves-Alexis Perez wrote:
> On sam., 2012-05-12 at 23:45 +0200, Bernd Zeimetz wrote:
> > Being forced to upgrade to a new major version by a stable security support is
> > nothing we should force our users to. Debian stable is known for (usually)
> > pain-free updates and bugfixes only, not for shipping completely new versions
> > with a forced migration.
> 
> Yes, that's usually the case. But I think having (*few*) exceptions is
> actually helpful.

Additionally it's important to mention that we (security team) 
raised our concerns a long time ago and we were voted down by 
the technical committee to include Wordpress despite our concerns. 

As such, anyone who wants to exclude Wordpress needs to re-raise 
this with the TC (certainly not me, I no longer care).

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#672695; Package wordpress. (Mon, 14 May 2012 10:12:44 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Bagge / brother <brother@bsnet.se>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Mon, 14 May 2012 10:12:51 GMT) Full text and rfc822 format available.

Message #30 received at 672695@bugs.debian.org (full text, mbox):

From: Martin Bagge / brother <brother@bsnet.se>
To: Bernd Zeimetz <bernd@bzed.de>, 672695@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#672695: wordpress: no sane way for security updates in stable releases
Date: Mon, 14 May 2012 12:03:49 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2012-05-13 14:54, Yves-Alexis Perez wrote:
> Wordpress upstream doesn't seem to be able to support a stable branch
> long enough for us (and I don't blame them for that, we do know how
> painful it is).

This pretty much sounds like the web browser situation where we don't
support the current version for the entire life cycle of the stable release.
Document and be done with it.
http://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#browser-security

-- 
brother
http://sis.bthstudent.se
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJPsNiFAAoJEJbdSEaj0jV7pWEH/j3mqJqcUMQ4gyzu8yANpAf0
pM4nxSqc4bey43VXBluunNO67yiJAPv3WDnuhoBNcCm43+Q8EN+uC1x2PukMVNvD
hUIfT3TafJ5YVMV/lhnek0EayUOaxm+B/Tn1ocCgke4b9gBB+U9lkaAfIf+wPMNs
dTmY+jOM6S3TPKWyjDGXYvp1EQlZGYKvUyZ0gBOH/srvt7uWM4AVmPSDL0DtI1WV
ELRucoPNs5n5IZhnPywHo2Y8JmGROhkU3BJlkV9YcS1MheIW+KdMQbh97Ljsspwz
sgbW0EYiwscFV5NDzAfi+o9bEEabO/BXZalYaIWi1ah2AAJFhzlNadc11vGuW1Q=
=BPA0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Jun 2012 07:50:22 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:21:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.