wordpress 2.2.3 is out: security release

Bug #138819 reported by Richard Brooklyn
Affects             Status         Importance   Assigned to     Milestone
WordPress           Fix Released   Unknown
wordpress (Ubuntu)  Fix Released   Medium       Unassigned
Gutsy               Fix Released   High         William Grant
Hardy               Fix Released   Medium       Unassigned

Bug Description

Binary package hint: wordpress

Wordpress 2.2.3 has been out for a few days now. This update contains security fixes for the 2.2 branch, and so gutsy's package needs to be updated.

Update announcement:
http://wordpress.org/development/2007/09/wordpress-223/

Fixed bugs:
http://trac.wordpress.org/query?status=closed&milestone=2.2.3

Changed files:
http://trac.wordpress.org/changeset?old_path=tags%2F2.2.2&old=6063&new_path=tags%2F2.2.3&new=6063

Marco Rodrigues (gothicx) wrote :

wordpress (2.2.3-1) unstable; urgency=high
 .
   * New upstream security release
   * http://wordpress.org/development/2007/09/wordpress-223/
   * wordpress debian config overrides $file, $server in upstream php
     files (Closes: #440572)

http://packages.qa.debian.org/w/wordpress/news/20070911T173211Z.html

It's on Debian unstable.

Changed in wordpress:
importance: Undecided → High
status: New → Confirmed
Dave Edwards (dle) wrote :

This really is urgent: Wordpress users on Ubuntu need all the security they can get. Wordpress 2.3 "Dexter" is now out.

Announcement:
http://wordpress.org/development/2007/09/wordpress-23/

Fixed bugs:
http://trac.wordpress.org/query?status=closed&milestone=2.3

The newer features would also be welcome.

Thank you.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. If someone can prepare (and test) the fixes and attach debdiffs that follow https://wiki.ubuntu.com/SecurityUpdateProcedures, I'd be more than happy to get them uploaded.

Changed in wordpress:
importance: High → Medium
status: Confirmed → Triaged
Marco Rodrigues (gothicx) wrote :

The version 2.3.1 is out...

William Grant (wgrant)
Changed in wordpress:
importance: Undecided → High
status: New → Confirmed
William Grant (wgrant) wrote :

The only security fix in 2.2.3 is changeset 6018 (http://trac.wordpress.org/ticket/4720).

William Grant (wgrant) wrote :

wordpress (2.3.1-1ubuntu1) hardy; urgency=low

  * New upstream release. (LP: #138819)
  * Merge from debian unstable, remaining changes:
    - debian/apache.conf: Changed to use /var/www instead of /srv/www for
      virtual webroot.
    - debian/README.debian: Updated to include documentation on the change.
    - debian/setup-mysql: Changed to use /var/www instead of /srv/www.
    - Update maintainer field in debian/control.

wordpress (2.3.1-1) unstable; urgency=high

  * New upstream security release
  * http://wordpress.org/development/2007/10/wordpress-231/
  * should depend on php4-gd | php5-gd (Closes: #447492)
    php4-gd | php5-gd moves from suggests to depends
  * Bugs closed in this release:
    http://trac.wordpress.org/query?status=closed&milestone=2.3.1

wordpress (2.3-1) unstable; urgency=low

  * New upstream release
  * Maintainer meets upstream:
    http://flickr.com/photos/hendry/1468125949/
  * http://wordpress.org/development/2007/09/wordpress-23/

wordpress (2.2.3-1) unstable; urgency=high

  * New upstream security release
  * http://wordpress.org/development/2007/09/wordpress-223/
  * wordpress debian config overrides $file, $server in upstream php
    files (Closes: #440572)

 -- William Grant <email address hidden> Wed, 14 Nov 2007 08:50:22 +1100

Changed in wordpress:
status: Triaged → Fix Released
Changed in wordpress:
status: Unknown → Fix Released
William Grant (wgrant)
Changed in wordpress:
assignee: nobody → fujitsu
status: Confirmed → In Progress
William Grant (wgrant) wrote :
Kees Cook (kees) wrote :

Thanks! I've uploaded this to the security queue. It should be published shortly.

Changed in wordpress:
status: In Progress → Fix Committed
William Grant (wgrant) wrote :

wordpress (2.2.2-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting due to improper checking of
    unfiltered_html privilege. (LP: #138819)
  * wp-admin/admin-functions.php: Unset no_filter POST parameter, thus
    enforcing checking of privileges. Patch from upstream bug, applied inline.
  * References
    CVE-2007-4893

 -- William Grant <email address hidden> Thu, 29 Nov 2007 22:36:34 +1100
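
The changelog entry above describes the fix as unsetting the no_filter POST parameter so that the unfiltered_html privilege check is always enforced. The PHP below is an added illustration of that bug class, not WordPress or Ubuntu code: the function names, capability arrays and sample request are constructed, the "before" behaviour is an assumed model of the flaw, and htmlspecialchars stands in for the real HTML filter.

```php
<?php
// Simplified model of a client-controlled "skip filtering" flag.
// Only the names no_filter and unfiltered_html come from the bug report;
// everything else here is hypothetical.

// Stand-in for the real HTML filter: escape all markup.
function filter_html(string $html): string {
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Before (assumed model): the request decides whether filtering is skipped,
// and the user's capabilities are never consulted.
function save_content_before(array $post, array $caps): string {
    if (isset($post['no_filter'])) {
        return $post['content'];
    }
    return filter_html($post['content']);
}

// After: the flag is discarded first, so the outcome depends only on the
// server-side capability check.
function save_content_after(array $post, array $caps): string {
    unset($post['no_filter']);
    if (in_array('unfiltered_html', $caps, true)) {
        return $post['content'];
    }
    return filter_html($post['content']);
}

// Log-review helper: a request carrying the flag from a user who lacks the
// capability is worth flagging.
function flag_without_privilege(array $post, array $caps): bool {
    return isset($post['no_filter']) && !in_array('unfiltered_html', $caps, true);
}

// Constructed sample request and capability sets.
$request = ['content' => '<p>hi</p><script>alert(1)</script>', 'no_filter' => '1'];
$author  = ['edit_posts'];
$admin   = ['edit_posts', 'unfiltered_html'];

echo "before, author: ", save_content_before($request, $author), "\n";
echo "after,  author: ", save_content_after($request, $author), "\n";
echo "after,  admin:  ", save_content_after($request, $admin), "\n";
echo "flagged:        ", var_export(flag_without_privilege($request, $author), true), "\n";
```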

Changed in wordpress:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
