Summary: | www-apps/wordpress SQL Injection | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Patrik Karlsson <patrik> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | superlag |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description

Patrik Karlsson 2006-02-05 06:35:08 UTC

Aaron, please advise.

superlag: *bump*

Removing version 1.5.2 from the tree, for SQL injection issue. Bug #121661.

Marking 2.0.1 stable on AMD64 and x86. All other arches, please mark stable.

please test and mark stable, thx

SPARC'd

I contacted wordpress through their security@wordpress.org e-mail address the 6th of February but haven't heard anything. I sent a new mail today. I guess they don't care about vulnerabilities in their older versions. I don't know how many other distributions still ship with 1.5.2.

ppc stable

Ready for GLSA vote

I vote yes.

Patrik, no response from Wordpress? In that case I suppose we'll be free to release if you're OK with it...

ah. Sorry, should have notified you about my progress. I got in contact with Ryan Boren through security@wordpress.org and discussed the bug with him. His comments were: "1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1. We hadn't planned on backporting anything to 1.5.2." So it's OK to release with me.

HPPA still needs to mark it stable.

Done by killerfox.

Security please vote on GLSA need before we open this bug.

I vote yes.

Tend to say yes here. Is there any public disclosure date set yet?

I guess we should feel free to release it anytime, they acked it and said they won't fix it in 1.5...

So am I to take this as security's blessing to remove 1.5.2 from the tree, as well? Or are there yet more hoops to jump through, and jigs to dance? :)

Removing old (insecure) versions is more the maintainer choice than a security requirement -- but feel free to do it :) /me opens the bug now...

Done. 1.5.2 has been removed from the tree.

GLSA 200603-01

Thx everyone