wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs

Bug #89654 reported by Alan Tam
Affects / Status / Importance / Assigned to / Milestone:
wordpress (Ubuntu): Fix Released, Undecided, Unassigned
Dapper: Won't Fix, Undecided, Unassigned
Edgy: Won't Fix, Undecided, William Grant

Bug Description

Binary package hint: wordpress

There are some security-related items in debian changelog of the wordpress package:

* CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup plugin for WordPress
* CVE-2006-6808: WordPress "get_file_description()" Function Client-Side Cross Site Scripting Vulnerability
* CVE-2007-0539: Denial of service (bandwidth or thread consumption) via pingback service calls
* CVE-2007-0541: Determine the existence of arbitrary files, and possibly read portions of certain files
* CVE-2007-1049: XSS vulnerability to inject arbitrary web script or HTML to wp-admin/templates.php

In addition, the following CVEs may be related to wordpress 2.0.2 (the version in dapper) as well:
* CVE-2006-2667
* CVE-2006-2702
* CVE-2006-3389
* CVE-2006-3390
* CVE-2006-4028
* CVE-2006-4743
* CVE-2006-5705
* CVE-2006-6016
* CVE-2006-6017
* CVE-2006-6863
* CVE-2007-0106
* CVE-2007-0107
* CVE-2007-0109
* CVE-2007-0233
* CVE-2007-0262
* CVE-2007-0540

Debian may not need to fix all of these since they already have 2.0.9 in testing and 2.1.1 in unstable.

Do we need to fix some of these in dapper-security and edgy-security?
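The check the reporter did by hand, as an added example that is not part of the bug report: parse a Debian changelog into entries, collect the CVE ids each entry mentions, and list which watched CVEs are only referenced in entries newer than the installed version. The changelog text below is constructed for illustration and does not reproduce the real wordpress package history.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Header of a Debian changelog entry: "pkg (version) dist; urgency=..."
ENTRY_RE = re.compile(r"^\S+ \((?P<ver>[^)]+)\) \S+; urgency=", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text: str) -> List[Tuple[str, Set[str]]]:
    """Split a changelog into (version, CVE ids mentioned) pairs, newest first."""
    heads = list(ENTRY_RE.finditer(text))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        out.append((h.group("ver"), set(CVE_RE.findall(text[h.end():end]))))
    return out

def unfixed_cves(text: str, installed: str, watch: Iterable[str]) -> Dict[str, str]:
    """Report each watched CVE not referenced at or before `installed`: value is the
    earliest newer version referencing it, or 'not in changelog' (status unknown)."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"version {installed} not found in changelog")
    idx = versions.index(installed)
    already = set().union(*(c for _, c in entries[idx:]))  # fixed at/before installed
    first_fix: Dict[str, str] = {}
    for ver, cves in reversed(entries[:idx]):  # walk newer entries, oldest first
        for c in cves:
            first_fix.setdefault(c, ver)
    return {c: first_fix.get(c, "not in changelog") for c in watch if c not in already}

# Constructed sample; the version/CVE pairing is illustrative, not the real history.
SAMPLE_CHANGELOG = """\
wordpress (2.0.9-1) unstable; urgency=high
  * New upstream release; fixes CVE-2007-0539 and CVE-2007-1049.
 -- Maintainer <maint@example.org>  Mon, 05 Mar 2007 10:00:00 +0000

wordpress (2.0.5-1) unstable; urgency=high
  * Fix directory traversal in the WP-DB-Backup plugin (CVE-2006-4208).
 -- Maintainer <maint@example.org>  Wed, 01 Nov 2006 10:00:00 +0000

wordpress (2.0.2-1ubuntu1) dapper; urgency=low
  * Merge from Debian unstable; includes the fix for CVE-2006-2702.
 -- Maintainer <maint@example.org>  Mon, 01 May 2006 10:00:00 +0000
"""
WATCH = ["CVE-2006-4208", "CVE-2007-0539", "CVE-2007-1049", "CVE-2006-2702", "CVE-2006-3389"]

if __name__ == "__main__":
    for cve, ver in sorted(unfixed_cves(SAMPLE_CHANGELOG, "2.0.2-1ubuntu1", WATCH).items()):
        print(f"{cve}: not fixed in 2.0.2-1ubuntu1 (first referenced in {ver})")
```

A CVE reported as "not in changelog" may be unaffected or simply unaddressed; the changelog alone cannot tell the two apart, which is why the reporter had to cross-check against upstream.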

Changed in wordpress:
assignee: nobody → ubuntu-bugs
status: Unconfirmed → Confirmed
Marco Rodrigues (gothicx) wrote :

I think Ubuntu will do better if it provides backport updates with new versions of wordpress.

Alan Tam (at) wrote :

This will solve the problem if the backport is pushed into dapper-security (resp. edgy-security). But I think this is not what everyone wants, since it can potentially break systems.

If the new version only goes into dapper-updates, then it doesn't fix this bug. Everyone will assume that a system subscribing dapper + dapper-security contains no known security hole.

magilus (magilus) wrote :

Fixing security bugs in php packages is a mess, as most projects do not provide patches.

If you can provide the security patches, I would be happy to fix wordpress.

William Grant (wgrant)
Changed in wordpress:
assignee: ubuntu-bugs → nobody
magilus (magilus) wrote :

Backports can be pushed to *-security if they fix security issues.

Pitti said that this would be possible if the following points hold:

- The new package has been tested amply on Dapper / Edgy
- The new package does not ship with any significant UI changes
- The upgrade to the new package works flawlessly and does not destroy settings and / or functionality

Alan Tam (at) wrote :

I think the problem does not only apply to php packages. For instance, bugzilla in edgy is 2.22-1, which is two security-fix releases older than upstream. Of course, similar issues are more serious for some php packages, e.g. phpbb2 2.0.21-3 in edgy has 4 CVEs unfixed. The same applies to the dapper versions of bugzilla 2.20-1 and phpbb2 2.0.18-2, with even more CVEs unfixed. I think we can find a couple dozen packages with similar problems.

Packages in main are better maintained, but many packages in universe usually get no security fixes. Debian may have a newer version in testing/unstable, hence they may not need to fix anything in stable-security or testing-security since the version in testing/unstable may be fixed already.

I only started to realize this problem recently. In the old days, I believed that packages in ubuntu universe were as secure as debian stable. Looks like I am plain wrong. Are we aware of such problems?

William Grant (wgrant)
Changed in wordpress:
status: Confirmed → Fix Released
Alan Tam (at) wrote :

Debian has solicited upstream support for the 2.0.x branch for 3 years [1]. The maintainer also planned to help the security team with security fixes in case upstream fails to keep its promise. It would be best if we uploaded the version debian etch contains (2.0.9) to both dapper and edgy. As reported in bug 107104, the new version basically works fine. I think we can start uploading to -proposed and ask for QA.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413926

Kjell Braden (afflux) wrote :

keescook and/or ScottK in #ubuntu-motu told me I should try to create an SRU for wordpress 2.0.10-1. Is someone working on the issue here? Bug 111620 [1] should be considered too. If nothing has been done yet, I could start working on it.

[1] https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/111620

William Grant (wgrant) wrote :

The 2.0.x branch has security support for 5 years for Debian. The diff between 2.0.[24] and 2.0.11 is fairly large, but I'll try to review both within the next couple of weeks (post-exams), and hopefully organise testing such that 2.0.11 can be pushed to both. Once we're there, we just have to track Etch, and further updates will be easy.

Changed in wordpress:
assignee: nobody → fujitsu
status: New → Triaged
assignee: nobody → fujitsu
status: New → Triaged
William Grant (wgrant) wrote :

Edgy is EOL.

Changed in wordpress:
status: Triaged → Won't Fix
assignee: wgrant → nobody
Saivann Carignan (oxmosys) wrote :

Dapper has not been supported since July 2009, therefore I am marking the Dapper status as Invalid.

Changed in wordpress (Ubuntu Dapper):
status: Triaged → Invalid
Artur Rona (ari-tczew) wrote :

Dapper server support is until June 2011, so it can be fixed.

Changed in wordpress (Ubuntu Dapper):
status: Invalid → New
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in wordpress (Ubuntu Dapper):
status: New → Won't Fix