yes, I did read the CVE and I recognized that there maybe a workaround. But not in all cases it can be used.

I had two reasons to not write to the relevant bug:
I did only rebuild the package with new upstream source, so there was nothing to change with packaging.
I did the new package just hours before starting a one week vacation, which you probable noticed, so I’m not able to reply to anything. You might think, okay .. actually he can, but I had an unplanned interruption.

The problem about getting security updates into stable is an other problem. Since the release policy is to just fix security bugs (backporting things), which might problematic with even wordpress.
There was an idea about a webapps repository with different release cycles. Aba and ganneff stated, this might be a good idea, but this have to be done by anybody, for example write down a policy and get it discussed … infrastructure seems not the problem here.
Since I might have less time in short term, I scheduled it for after post lenny, if nobody other get the ball.

And counting security bugs for ikiwiki is less fun, since it have significant less (security-)bugcount. :)

Did any of you bother to read the CVE? Most people don’t allow new users to register. So this risk is pretty low…

If you do prepare packages before the maintainer does, please mail the relevant bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477910
So we can double check things. :)

Wordpress itself, users and I as an ex-maintainer do care a lot about security. Truth is software of this complexity and popularity do get security bugs. Shocking isn’t it?!

Sadly I’ve had a lot of problems getting security updates in Debian stable. Also I’ve had issues getting simple upload rights in Debian. So sorry for the delays. :( I tried my best, but a small minority of bigots in Debian can be too exhausting over the years! :)

Why we’re here, why don’t you count the security bugs on another excellent piece of Web software, like ikiwiki?