security: wordpress 2.5.1 which fixes CVE-2008-1930

As the title says, I built a new package which can be installed on etch, lenny and of course sid. You can fetch it from http://ftp.cyconet.org/debian/archive/bpo/wordpress/2.5.1-1~bpo40+1/ or get it via the following apt source:

deb http://ftp.cyconet.org/debian etch-backports main non-free contrib

Self-note: move the wordpress user into a separate domU.
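As an added example (not part of the original post and not the package's own code), here is a POSIX shell script that puts the apt source line above onto a host, pins the archive so that only wordpress may be pulled from it while every other package keeps tracking the official Debian archive, and checks whether an installed version string already carries the 2.5.1 fix. The file names, the pin priorities and the pin on the ftp.cyconet.org origin are assumptions; a single preferences file is written because the preferences.d directory is only read by apt versions newer than the one etch ships.

```shell
#!/bin/sh
# Added example, not from the original post: register the cyconet backport
# archive, pin it so that only wordpress may come from it, and compare an
# installed version against 2.5.1, the first upstream release that fixes
# CVE-2008-1930. File names and pin priorities are assumptions.
set -eu

# The apt source line from the post, verbatim.
BACKPORT_LINE='deb http://ftp.cyconet.org/debian etch-backports main non-free contrib'

# write_wordpress_backport_sources [ROOT]
# Writes the source entry and the pins under ROOT (default /etc/apt).
# The catch-all pin at priority 100 keeps every other package on the official
# archive, so a third-party repository cannot quietly replace, say, libc6.
write_wordpress_backport_sources() {
    root="${1:-/etc/apt}"
    mkdir -p "$root/sources.list.d"
    printf '%s\n' "$BACKPORT_LINE" > "$root/sources.list.d/cyconet-etch-backports.list"
    # Append to the single preferences file; preferences.d is not read by the
    # apt shipped with etch (assumption about the target host's apt).
    cat >> "$root/preferences" <<'EOF'
# wordpress may be taken from ftp.cyconet.org; nothing else may.
Package: wordpress
Pin: origin ftp.cyconet.org
Pin-Priority: 990

Package: *
Pin: origin ftp.cyconet.org
Pin-Priority: 100
EOF
}

# wordpress_version_ok VERSION
# Succeeds when the upstream part of a Debian version string is >= 2.5.1.
# Only numeric major.minor.patch components are compared; a pre-release
# suffix such as "rc1" is ignored, so check those by hand.
wordpress_version_ok() {
    upstream="${1%%-*}"            # 2.5.1-1~bpo40+1 -> 2.5.1
    saved_ifs="$IFS"
    IFS=.
    set -- $upstream               # split into dot-separated components
    IFS="$saved_ifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    major="${major%%[!0-9]*}"; minor="${minor%%[!0-9]*}"; patch="${patch%%[!0-9]*}"
    n=$(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))
    [ "$n" -ge 20501 ]
}

# Usage on a real host (not executed here):
#   write_wordpress_backport_sources /etc/apt
#   apt-get update && apt-get install wordpress
#   wordpress_version_ok "$(dpkg-query -W -f '${Version}' wordpress)" || echo "still vulnerable"
```

The pin on the origin hostname is what limits the blast radius of trusting an unofficial archive: without the catch-all entry at priority 100, apt would happily take any package from it that carries a higher version than Debian's.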

“security: wordpress 2.5.1 which fixes CVE-2008-1930” by Cyconet Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at blog.waja.info.

4 Responses to “security: wordpress 2.5.1 which fixes CVE-2008-1930”


  1. Anonymous

    How many security vulnerabilities does wordpress need to have before people stop using it?

  2. cyco

    I guess that won’t be a reason, since most users of such an application don’t care (much) about security. From my side as a hosting provider, the best way is to stay with the newest version of the software and keep an eye on security-relevant sources.

  3. Kai Hendry

    Hi guys,

    Did any of you bother to read the CVE? Most people don’t allow new users to register. So this risk is pretty low…

    If you do prepare packages before the maintainer does, please mail the relevant bug:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477910
    So we can double check things. :)

    WordPress itself, its users and I as an ex-maintainer do care a lot about security. Truth is, software of this complexity and popularity does get security bugs. Shocking, isn’t it?!

    Sadly I’ve had a lot of problems getting security updates in Debian stable. Also I’ve had issues getting simple upload rights in Debian. So sorry for the delays. :( I tried my best, but a small minority of bigots in Debian can be too exhausting over the years! :)

    While we’re here, why don’t you count the security bugs in another excellent piece of web software, like ikiwiki?

  4. cyco

    Hi Hendry,

    Yes, I did read the CVE and I recognized that there may be a workaround. But it cannot be used in all cases.

    I had two reasons not to write to the relevant bug:
    I only rebuilt the package with the new upstream source, so there was nothing to change in the packaging.
    I made the new package just hours before starting a one-week vacation, which you probably noticed, so I was not able to reply to anything. You might think, okay... actually he can, but I had an unplanned interruption.

    Getting security updates into stable is another problem, since the release policy is to only fix security bugs (by backporting fixes), which can be problematic even with wordpress.
    There was an idea about a webapps repository with different release cycles. Aba and ganneff stated this might be a good idea, but it has to be done by somebody, for example by writing down a policy and getting it discussed... infrastructure does not seem to be the problem here.
    Since I might have less time in the short term, I scheduled it for post-lenny, if nobody else picks up the ball.

    And counting security bugs for ikiwiki is less fun, since it has a significantly lower (security) bug count. :)
