CVE-2012-5868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5868): WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.
Debian contacted upstream and this was their response:

"""
WordPress does not have session management on the server side. Currently:

* Cookies are only valid as long as they were originally designed to expire. They may be replayed until they time out.
* They are hashed so they cannot be used after their original intended expiration.
* In general one should be using the WordPress admin over SSL if leaking a cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.

WordPress takes sensible precautions with these cookies:

* When running over SSL, WordPress ensures the secure flag is set on cookies.
* It sets the HTTPOnly flag so that they are not accessible by JavaScript.
* It invalidates the cookies in the browser.

We are looking into some potential changes to our authentication system to allow for explicit session termination, but do not have a timeline at this time.
"""

Upstream cannot fix the bug. What should be done next?
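As an added illustration (not code from WordPress or from this bug report), the Python sketch below shows why a stateless signed cookie of the kind upstream describes stays valid until its expiry no matter what the user does, and how a server-side record of live sessions lets logout revoke it immediately. The cookie layout, the secret and the session store are constructed for the example and are assumptions, not WordPress internals.

```python
import hmac
import hashlib

# Constructed example: a stateless auth cookie is just
# user|expiry|HMAC(secret, user|expiry). The server records nothing when it
# is issued, so there is nothing the server can delete to revoke it.
SECRET = b"constructed-demo-secret"  # placeholder, not a real key


def issue_cookie(user, now, lifetime=3600):
    """Mint a stateless cookie that is valid for `lifetime` seconds from `now`."""
    expiry = now + lifetime
    payload = f"{user}|{expiry}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{sig}"


def validate_stateless(cookie, now):
    """Stateless validation checks only signature and expiry.
    Logout cannot be expressed here: a copied cookie is accepted until it expires."""
    try:
        user, expiry, sig = cookie.split("|")
    except ValueError:
        return None
    payload = f"{user}|{expiry}".encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= int(expiry):
        return None
    return user


# Mitigation (an assumption of this example, not WordPress 3.4.2 behaviour):
# remember each live session by its signature so logout can drop the record.
LIVE_SESSIONS = set()


def issue_stateful(user, now, lifetime=3600):
    cookie = issue_cookie(user, now, lifetime)
    LIVE_SESSIONS.add(cookie.rsplit("|", 1)[1])
    return cookie


def logout(cookie):
    """Explicit session termination: the cookie's signature is forgotten server-side."""
    LIVE_SESSIONS.discard(cookie.rsplit("|", 1)[1])


def validate_stateful(cookie, now):
    user = validate_stateless(cookie, now)
    if user is None or cookie.rsplit("|", 1)[1] not in LIVE_SESSIONS:
        return None
    return user
```

The same cookie string passes `validate_stateless` after `logout` but fails `validate_stateful`, which is exactly the gap the advisory describes and the change upstream says it is considering.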
With 3.8.5 being the latest version in Gentoo I vote for closing as obsolete.
Package is no longer in tree. Closing.