Version 2.0.4 fixes some bugs. Bump.
Done.
An ebuild name would help.... www-apps/wordpress bumped from 2.0.3 to 2.0.4
Taking over the bug since 2.0.4 fixes security issues. "WordPress 2.0.4, the latest stable release in our Duke series, is available for immediate download. This release contains several important security fixes, so it's highly recommended for all users. We've also rolled in a number of bug fixes (over 50!), so it's a pretty solid release across the board." Arches, please test and mark wordpress-2.0.4 stable if possible.
2.0.3 is affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3390 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3389 Which sounds like B3/minor to me.
oh and there is this... "announcement" http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/
stable on hppa
ppc stable
x86 is gone ^.^
sparc, how's your happiness factor? :)
sparc stable.
See CVE 3389 & 3390: I vote a full NO.
I vote a big no.
NO
Might also fix another issue, but I can't really find any information on it justifying a GLSA. So I guess this is a NO as well.
http://unknowngenius.com/blog/archives/2006/07/27/followup-on-wordpress/ produces a lot of FUD, there's a follow-up that *might* make us want to reconsider: http://www.4null4.de/174/wp-users-disable-guest-account-registration-immediately/
@comment #15: Not really a lot of information there either. Maybe we should try mailing upstream?
I'll try but I doubt the usefulness .-)
Wordpress contacted.
Ok, I got an answer from WordPress; there is a problem in the core application not mentioned here yet that they wish not yet published. Details available from me. I personally think we might want to issue a GLSA. After all, WP *is* in the official tree, so we can't really bail out on our own commitment.
Pinging SecTeam again
(In reply to comment #20)
> Pinging SecTeam again
>
I vote no GLSA.
I change to YES.
/me tends to vote yes
Ok, let's have a GLSA with no details :-)
I don't get this. I probably misunderstand the whole thing... So what we have is: the 2 CVEs. One absolutely minor, and one disputed and minor -> no GLSA. Then we have some FUD coming from blogs. Uh yeah, blogs... no real info there, too. I won't issue a GLSA saying "XY said on his blog that one might be able to conduct $evilthings" -> no GLSA. Then we have that other unknown problem. Is that fixed in 2.0.4? Is this related to 3rd party plugins? If a user installs 3rd party plugins, then it's his own problem. -> no GLSA.
Frankly I don't give a damn. If you ask me, mask the app. My point still stands that the bug is in the core. Installing plugins is your own risk, the core not handling plugins correctly is not. Just close if you see fit.
@comment #25: the so-called FUD and the unknown problem appear to be one and the same thing. @comment #26: User roles and capabilities are clearly described by upstream: http://codex.wordpress.org/Roles_and_Capabilities If my understanding of the issue is correct I'd rerate as C1.
Thanks and excuse my outburst .-)
Rerating to C1 after discussion, even if it's only to be on the safe side. Ready for GLSA, then.
GLSA 200608-19 thanks to all
Thanks, and fight the FUD :P