Wordpress is out of date, possibly vulnerable to exploitation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wordpress (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The current version of Wordpress shipped with Ubuntu 11.10 appears to be out of date, and is likely to have known security flaws. The current version produced by upstream is available in Debian unstable, and I think there's a good case to be made that a StableReleaseUp
1) The version shipped with 11.10 is 3.0.5+dfsg-
2) Upstream has since released 3.0.6, last updated in April according to file timestamps in the tarball. It's described as a ***mandatory security update*** per [1], but there are no bugs associated with the release in trac so it's hard to tell what exactly was fixed without diffing the releases.
3) Upstream has also since released 3.1 in Feb, 3.2 in July, and 3.3 is scheduled in November. Are these being considered for inclusion in new versions of Ubuntu? There are no Ubuntu bugs that I can find documenting the decision to stay back. All I can find is [5] documenting the availability of 3.2 in Debian sid.
4) Is the Ubuntu release practice consistent with upstream's maintenance policy? I've checked [2], [3], and [4] and cannot find any indication the wordpress team commits to providing security fixes for anything but the current/stable version of wordpress (3.2 at the moment). Every 3.1.x release is marked as fixing security vulns. Is it really true that none of them apply to 3.0.x, or is upstream just not checking to see if new reports apply to the 3.0.x series and not releasing fixes for that series anymore?
[1] http://
[2] http://
[3] http://
[4] http://
[5] http://
Changed in wordpress (Ubuntu):
status: New → Triaged
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures