Bug 142142 - www-apps/wordpress - security version bump to 2.0.4 (CVE-2006-3389|3390)
Bug#: 142142
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Other
Status: CLOSED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: superlag@gentoo.org
Component: Vulnerabilities
URL: http://wordpress.org/development/2006/07/wordpress-204/
Summary: www-apps/wordpress - security version bump to 2.0.4 (CVE-2006-3389|3390)
Keywords:
Status Whiteboard: C1 [glsa] frilled
Opened: 2006-07-29 19:45 0000
Version 2.0.4 fixes some bugs. Bump.
An ebuild name would help....
www-apps/wordpress
bumped from 2.0.3 to 2.0.4
taking over the bug since 2.0.4 fixes security issues
"WordPress 2.0.4, the latest stable release in our Duke series, is available
for immediate download. This release contains several important security fixes,
so it's highly recommended for all users. We've also rolled in a number of
bug fixes (over 50!), so it's a pretty solid release across the board."
arches, please test and mark wordpress-2.0.4 stable if possible
sparc, how's your happiness factor? :)
see CVE 3389 & 3390 : i vote a full NO.
Might also fix another issue, but I can't really find any information on it
justifying a GLSA.
So I guess this is a NO as well.
@comment #15: Not really a lot of information there either. Maybe we should try
mailing upstream?
I'll try but I doubt the usefulness .-)
Ok, I got an answer from WordPress; there is a problem in the core application
not mentioned here yet that they wish not yet published. Details available from
me. I personally think we might want to issue a GLSA. After all, WP *is* in the
official tree, so we can't really bail out on our own commitment.
(In reply to comment #20)
> Pinging SecTeam again
>
i vote no glsa
Ok, let's have a GLSA with no details :-)
I don't get this. I probably misunderstand the whole thing... So what we have
is: the 2 CVEs. One absolutely minor, and one disputed and minor -> no glsa.
Then we have some FUD coming from blogs. Uh yeah, blogs ...no real info
there, too. I won't issue a GLSA, saying "XY said on his blog that one might be
able to conduct $evilthings" -> no glsa.
Then we have that other unknown problem. Is that fixed in 2.0.4? Is this
related to 3rd party plugins? If a user installs 3rd party plugs, then it's
his own problem. -> no glsa.
Frankly I don't give a damn. If you ask me, mask the app. My point still stands
that the bug is in the core. Installing plugins is your own risk, the core not
handling plugins correctly is not. Just close if you see fit.
Thanks and excuse my outburst .-)
Rerating to C1 after discussion, even if it's only to be on the safe side.
Ready for GLSA, then.
GLSA 200608-19
thanks to all
Thanks, and fight the FUD :P