The question a lot of people were asking was: what about stable (or Wheezy)? After way too much time due to other pressing issues, I have just uploaded the patched WordPress Debian package for stable. The fixed version has the catchy number of 3.6.1~deb7u5. This package has all of the relevant patches that went in from WordPress 3.7.4 to 3.7.5, and there are even CVE IDs for this package (and 4.0.1, which all this stems from).
Stolen from the 3.6.1 changelog, these are the fixes:
- CVE-2014-9031 XSS in wptexturize() via comments or posts
- CVE-2014-9033 CSRF in the password reset process
- CVE-2014-9034 Denial of service for giant passwords
- CVE-2014-9035 XSS in Press This
- CVE-2014-9036 XSS in HTML filtering of CSS in posts
- CVE-2014-9037 Hash comparison vulnerability in old passwords
- CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space
- CVE-2014-9039 Email address change didn’t invalidate previously sent password reset
I’d like to thank the Debian security team especially Salvatore for their assistance and checking the package looked ok.
Backporting and Git
Part of the delay in getting the wordpress stable package out is that backporting is fiddly. I'm currently using pdebuild with a custom pbuilderrc file that points to wheezy. Getting things to that point took a lot of trial and error, with one of the errors being that pbuilder puts the files in a result directory, not the parent.
This also means that the wheezy backports are out of the git repository. I see that there is a git-pbuild, but to me it looks like yet another workflow which will slow me right down. Anyone got some good and simple suggestions on having a wheezy track (branch?) and requiring backporting that doesn't get complicated or broken quickly? sbuild died in a wave of permission denieds within the chroot.
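A wheezy-targeted pbuilderrc of the kind described above, as an added example and not the author's own file: it takes the target suite from a DIST variable and pins BUILDRESULT so the finished .deb and .changes files land in a known per-suite directory rather than being hunted for in the parent of the source tree. The mirror URL and cache paths are assumptions.

```shell
# ~/.pbuilderrc (added example): build Debian packages against wheezy
# with pdebuild. Select the suite with DIST=wheezy in the environment.
DIST="${DIST:-wheezy}"
DISTRIBUTION="$DIST"

# Mirror and cache locations are assumptions; adjust to the local setup.
MIRRORSITE="${MIRRORSITE:-http://ftp.debian.org/debian}"
COMPONENTS="main"
BASETGZ="/var/cache/pbuilder/${DIST}-base.tgz"
BUILDPLACE="/var/cache/pbuilder/build"
APTCACHE="/var/cache/pbuilder/aptcache/${DIST}"

# pbuilder writes its output into BUILDRESULT, not into the directory
# above the unpacked source, so make that directory explicit per suite.
BUILDRESULT="/var/cache/pbuilder/result/${DIST}"

# Pull the suite's security updates into the chroot so the build resolves
# the same dependency versions a patched stable machine would see.
OTHERMIRROR="deb http://security.debian.org/ ${DIST}/updates main"

# Usage (run from the shell, not from this file):
#   sudo DIST=wheezy pbuilder --create --configfile ~/.pbuilderrc   # once
#   DIST=wheezy pdebuild --configfile ~/.pbuilderrc                  # per build
# Results then appear under /var/cache/pbuilder/result/wheezy/.
```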