Wordpress is out of date, possibly vulnerable to exploitation

Bug #883955 reported by mikelococo
Affects: wordpress (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

The current version of Wordpress shipped with Ubuntu 11.10 appears to be out of date, and is likely to have known security flaws. The current version produced by upstream is available in Debian unstable, and I think there's a good case to be made that a StableReleaseUpgrade policy exception to upgrade the package should be made on security grounds... but at the very least 3.3 should be pipelined for 12.04 and 3.0.6 should be released for all supported versions of Ubuntu.

1) The version shipped with 11.10 is 3.0.5+dfsg-1ubuntu1, last updated in February according to the changelog in /usr/share/doc/wordpress.
2) Upstream has since released 3.0.6, last updated in April according to file timestamps in the tarball. It's described as a ***mandatory security update*** per [1], but there are no bugs associated with the release in trac so it's hard to tell what exactly was fixed without diffing the releases.
3) Upstream has also since released 3.1 in Feb, 3.2 in July, and 3.3 is scheduled in November. Are these being considered for inclusion in new versions of Ubuntu? There are no Ubuntu bugs that I can find documenting the decision to stay back. All I can find is [5] documenting the availability of 3.2 in Debian sid.
4) Is the Ubuntu release practice consistent with upstream's maintenance policy? I've checked [2], [3], and [4] and cannot find any indication the wordpress team commits to providing security fixes for anything but the current/stable version of wordpress (3.2 at the moment). Every 3.1.x release is marked as fixing security vulns, is it really true that none of them apply to 3.0.x or is upstream just not checking to see if new reports apply to the 3.0.x series and not releasing fixes for that series anymore?

[1] http://codex.wordpress.org/Changelog/3.0.6
[2] http://codex.wordpress.org/FAQ_Security
[3] http://codex.wordpress.org/Submitting_Bugs
[4] http://wordpress.org/download/
[5] http://packages.debian.org/sid/wordpress

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Revision history for this message
mikelococo (mikelococo) wrote :

> If you are able, I suggest posting a debdiff for this issue.

Although I've privately packaged quite a few RPMs, I'm relatively new to debian/ubuntu packaging and am not prepared to generate an updated package with a debdiff at this point.

After further research, it looks like the vulnerability fixed by 3.0.6 requires authentication (a "contributor" level account) and results in the ability to publish posts for semi-trusted users that should not have that ability [1]. This is probably a small impact for most sites due to the requirement to have a contributor-level account, but is an escalation of privilege.

I think the larger questions are still worth answering, if there is an active community maintainer for this package willing to do so:
1) Is there a maintainer that believes that upstream is still supporting 3.0.x?
2) Was WP held back for Oneiric for a technical or policy reason, or simply because there was no community maintainer to do the work?

[1] http://codex.wordpress.org/Version_3.0.6

Revision history for this message
Raphaël Hertzog (hertzog) wrote : Re: [Bug 883955] Re: Wordpress is out of date, possibly vulnerable to exploitation

Hi,

On Sun, 06 Nov 2011, mikelococo wrote:
> I think the larger questions are still worth answering, if there is an active community maintainer for this package willing to do so:
> 1) Is there a maintainer that believes that upstream is still supporting 3.0.x?
> 2) Was WP held back for Oneiric for a technical or policy reason, or simply because there was no community maintainer to do the work?

Because there was no newer release in Debian at that time and because
there's no "community maintainer" taking care of the package. That said
if anyone is interested to work on Wordpress, I advise you to do so at
the Debian level.

I happily accept help. And I already filed a sync-request for wordpress in
precise: https://bugs.launchpad.net/bugs/886876

There's no reason for such a package to carry a delta in Ubuntu.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/go/ulule-rh/

Revision history for this message
mikelococo (mikelococo) wrote :

Thanks for commenting, Raphaël. Hopefully this bug can document the need for additional maintainers on this package.

Changed in wordpress (Ubuntu):
status: New → Triaged
Revision history for this message
Raphaël Hertzog (hertzog) wrote :

Precise now has an up-to-date version.

Changed in wordpress (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Danny Yee (bookreviewer) wrote :

The precise Wordpress is no longer up-to-date.

An alert from Wordpress https://wordpress.org/news/2014/04/wordpress-3-8-2/ issued this month says "Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest."

But there have been no updates to the 12.04/precise package, so it's clear that is no longer getting security patches.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wordpress (Ubuntu):
status: Fix Released → Incomplete
Revision history for this message
Danny Yee (bookreviewer) wrote :

Does upstream mean the wordpress project's own bug-tracking system? I couldn't find anything there that suggested they'd be interested in an Ubuntu packaging issue - and the position there seems to be that people running older versions should just upgrade, and that there are no security updates for 3.3 any more.

Revision history for this message
mikelococo (mikelococo) wrote :

Danny: What Raphael did last time was a sync request, and you can see how it worked out in this bug: https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/886876. There is a Wordpress 3.9 package in sid right now: https://packages.debian.org/unstable/web/wordpress so a resync is likely feasible again.

But there appear to be 2 more fundamental issues here...
1) Ubuntu has no package maintainer for Wordpress, or at least no active one. In my opinion, it would be better to drop the Wordpress package entirely than to leave it in its current unmaintained state. It is, by design, an internet facing service and to be missing security fix after security fix is a bad idea that's going to bite Ubuntu users at some point.

2) Wordpress.org's release roadmap and end-of-life policy are fundamentally incompatible with Ubuntu's. They cannot be reconciled. I think this has gone unnoticed for so long because Wordpress.org's policies are implicit and not formally documented anywhere... but it seems that they only release security fixes for the last 3.x release or two. Like with Firefox and other browsers, Ubuntu needs to sync Wordpress with the latest release relatively promptly... which isn't likely to happen without (1) being resolved.

In the meantime, I (the original bug reporter) have stopped using Ubuntu's Wordpress packages. I'm not willing to step in as a maintainer at this time, and am too worried about the lack of maintainership/updates to use the Ubuntu package.

Revision history for this message
Danny Yee (bookreviewer) wrote :

Mike, thanks for that long response.

I've switched the site in question over to hand-managed updates too - just got to find a Nagios plugin that will alert me when they're needed.

I'm thinking now that it would be better for Ubuntu to ship Wordpress the same way it ships Drupal - that is, with update alerts on the dashboard enabled, and with permissions so that updating from inside WP works.
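
The kind of "is my WordPress behind on security releases" check the thread keeps circling back to (the Nagios-style alert mentioned above, the 3.7.2/3.8.2 per-branch releases, and the 3.0.5+dfsg-1ubuntu1 package version that never moved). This is an added example, not code from the bug thread or from Ubuntu/Debian; the version.php sample and the "newest release per branch" table are constructed stand-ins for what a real check would read from disk and fetch from upstream.

```python
"""Nagios-style freshness check for an installed WordPress (added example)."""
import re
import sys
from typing import Dict, Optional, Tuple

# Constructed sample of wp-includes/version.php, not taken from any real install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.7.1';\n$wp_db_version = 25824;\n"

# Constructed "newest release per minor branch" table. A real check would fetch
# this from upstream; the values here only mirror the releases the thread names.
KNOWN_LATEST: Dict[str, str] = {"3.7": "3.7.2", "3.8": "3.8.2"}

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def parse_wp_version(php_source: str) -> Optional[str]:
    """Pull the version out of wp-includes/version.php text."""
    m = re.search(r"\$wp_version\s*=\s*'([0-9][0-9.]*)'", php_source)
    return m.group(1) if m else None


def upstream_from_debian(pkg_version: str) -> str:
    """'3.0.5+dfsg-1ubuntu1' -> '3.0.5': drop the +dfsg tag and Debian revision."""
    return re.split(r"[+-]", pkg_version, maxsplit=1)[0]


def vtuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def branch(v: str) -> str:
    return ".".join(v.split(".")[:2])  # '3.7.1' -> '3.7'


def check(installed: str, latest_by_branch: Dict[str, str]) -> Tuple[int, str]:
    """Behind the branch's security release is CRITICAL; a branch upstream no
    longer ships releases for is CRITICAL; current-in-branch but not newest is
    WARNING (upstream still patches it, as 3.7.2 alongside 3.8.2 shows)."""
    newest = max(latest_by_branch.values(), key=vtuple)
    in_branch = latest_by_branch.get(branch(installed))
    if in_branch is None:
        return CRITICAL, f"CRITICAL: {installed} is an unsupported branch; newest is {newest}"
    if vtuple(installed) < vtuple(in_branch):
        return CRITICAL, f"CRITICAL: {installed} lacks security release {in_branch}"
    if vtuple(installed) < vtuple(newest):
        return WARNING, f"WARNING: {installed} current in branch, {newest} available"
    return OK, f"OK: {installed} is current"


if __name__ == "__main__":
    code, msg = check(parse_wp_version(SAMPLE_VERSION_PHP), KNOWN_LATEST)
    print(msg)
    sys.exit(code)
```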

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for wordpress (Ubuntu) because there has been no activity for 60 days.]

Changed in wordpress (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.
