Package: wordpress
Version: 4.7.2+dfsg-1~bpo8+1
Severity: normal

Dear Craig,
thanks for your notice on your blog. Fortunately Rodrigo was fast with the backport, and I think I installed the update before disclosure. According to https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/ the security issue was in a feature I do not use on any of my sites. Additionally, since WordPress 4.7.2 it is not possible to disable that feature without installing a plugin like https://de.wordpress.org/plugins/disable-json-api/. I do think this is a highly questionable approach to security that upstream takes there, and if upstream insists on continuing this despite all the comments and requests to disable that feature by default, I ask you to take such measures in the downstream package. So please consider packaging and enabling by default the above plugin in case the upstream developers do not change their approach to prioritize security over enabling features by default that not everyone needs. If you do not want to enable it by default, please at least consider packaging the plugin. Meanwhile I think I will install the plugin manually, hoping that it does not introduce any security issues by itself.
Thank you,
Martin

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.8.0-0.bpo.2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages wordpress depends on:
ii  apache2 [httpd]                               2.4.10-10+deb8u7
ii  ca-certificates                               20141019+deb8u2
ii  libapache2-mod-php5                           5.6.30+dfsg-0+deb8u1
ii  libjs-cropper                                 1.2.2-1
ii  libphp-phpmailer                              5.2.9+dfsg-2+deb8u3
ii  mariadb-client-10.0 [virtual-mysql-client]    10.0.29-0+deb8u1
ii  nginx-full [httpd]                            1.6.2-5+deb8u4
ii  php-getid3                                    1.9.8-3
ii  php5                                          5.6.30+dfsg-0+deb8u1
ii  php5-gd                                       5.6.30+dfsg-0+deb8u1
ii  php5-mysql                                    5.6.30+dfsg-0+deb8u1

Versions of packages wordpress recommends:
ii  wordpress-l10n                    4.7.2+dfsg-1~bpo8+1
ii  wordpress-theme-twentyseventeen   4.7.2+dfsg-1~bpo8+1

Versions of packages wordpress suggests:
ii  mariadb-server-10.0 [virtual-mysql-server]    10.0.29-0+deb8u1
pn  php-ssh2                                      <none>

-- Configuration Files:
/etc/wordpress/htaccess changed [not included]

-- no debconf information