wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
wordpress (Ubuntu) | Fix Released | Undecided | Unassigned | |
Dapper | Won't Fix | Undecided | Unassigned | |
Edgy | Won't Fix | Undecided | William Grant | |
Bug Description
Binary package hint: wordpress
There are some security-related items in the Debian changelog of the wordpress package:
* CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup plugin for WordPress
* CVE-2006-6808: WordPress "get_file_
* CVE-2007-0539: Denial of service (bandwidth or thread consumption) via pingback service calls
* CVE-2007-0541: Determine the existence of arbitrary files, and possibly read portions of certain files
* CVE-2007-1049: XSS vulnerability to inject arbitrary web script or HTML to wp-admin/
In addition, the following CVEs may be related to wordpress 2.0.2 (version in dapper) as well:
* CVE-2006-2667
* CVE-2006-2702
* CVE-2006-3389
* CVE-2006-3390
* CVE-2006-4028
* CVE-2006-4743
* CVE-2006-5705
* CVE-2006-6016
* CVE-2006-6017
* CVE-2006-6863
* CVE-2007-0106
* CVE-2007-0107
* CVE-2007-0109
* CVE-2007-0233
* CVE-2007-0262
* CVE-2007-0540
Debian may not need to fix all of these since they already have 2.0.9 in testing and 2.1.1 in unstable.
Do we need to fix some of these in dapper-security and edgy-security?
Changed in wordpress:
assignee: nobody → ubuntu-bugs
status: Unconfirmed → Confirmed
Changed in wordpress:
assignee: ubuntu-bugs → nobody
Changed in wordpress:
status: Confirmed → Fix Released
I think Ubuntu will do better if it provides backport updates with new versions of wordpress.