From ${URL} :

Two cross-site scripting flaws were found in WordPress:

* The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack.
* WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Both of these issues have been fixed in the 4.2.2 release of WordPress.

Upstream advisory: https://wordpress.org/news/2015/05/wordpress-4-2-2/

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
In light of https://wordpress.org/news/2015/07/wordpress-4-2-3/, 4.2.2 also has XSS vulnerabilities and should be immediately dropped in favor of 4.2.3.
02:33 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/wordpress/) Bump wordpress to release 4.2.3 - fixes bug 548828. Security bump to address CVE-2015-5622 and CVE-2015-5623. Ebuild added to the tree.
+ 25 Jul 2015; Sebastian Pipping <sping@gentoo.org> -wordpress-3.8.5.ebuild, + -wordpress-3.9.3.ebuild, -wordpress-4.0.1.ebuild, -wordpress-4.1.ebuild, + -wordpress-4.1.1.ebuild, -wordpress-4.1.2-r2.ebuild, -wordpress-4.2.ebuild, + -wordpress-4.2.1.ebuild, -wordpress-4.2.2.ebuild: + Remove vulnerable releases (bug #548828 but not only) +
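Review bot: the ChangeLog entry removes wordpress-3.8.5.ebuild together with the 4.x ebuilds, but the description "Remove vulnerable releases (bug #548828 but not only)" does not name the other bugs that justify dropping the 3.8 branch; list those bug numbers (or state that 3.8.5 is removed for a different reason) so the scope of the removal can be checked against bug 548828, which only covers the 4.2.x XSS issues.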
Maintainer(s), Thank you for your work. No stable versions, closing as noglsa.
Actually, removing all older versions was overshooting it a bit. WP is supported at upstream 4 releases back. So currently 3.8-branch still receives all upgrades and would be valid for living in our precious tree as well. Now the amount of work associated with this is another matter. I'm mainly looking to clarify here whether the package maintainer knows about the upstream policy or not.