I am urging the security team to sponsor 2.0.11 into the stable archive. As for testing/unstable, 2.2.2 has 2627 and 3238 fixed. 1599 is not a priority.
---------- Forwarded message ----------
From: Mark Jaquith <[EMAIL PROTECTED]>
Date: Aug 3, 2007 10:05 PM
Subject: Re: http://wordpress.org/development/2007/06/wordpress-221/
To: [EMAIL PROTECTED], Ryan Boren <[EMAIL PROTECTED]>

CVE-2007-0540 - This won't be fixed for this version. It's a tricky problem without an obvious solution. It's low on the security ladder, thankfully.

CVE-2007-1230 - This is rather vague, but the one I can glean from it was already fixed in 2.0.10 - http://trac.wordpress.org/changeset/5058

CVE-2007-1244 - This is XSS, not CSRF. It is fixed... likely in [5058]

CVE-2007-1599 - This won't be fixed for this version. We are discussing the issue. It's not really an exploit so much as a very slight phishing aid, so it's not a huge priority.

CVE-2007-1732 - There is no such parameter -- the bug is inadequately described.

CVE-2007-2627 - This was fixed almost two years ago: http://trac.wordpress.org/changeset/2884/trunk/wp-content/themes/default/searchform.php

CVE-2007-2821 - This will be fixed in 2.0.11 ( http://trac.wordpress.org/changeset/5442 )

CVE-2007-3140 - Does not apply to 2.0.x branch

CVE-2007-3238 - This will be fixed in 2.0.11 ( http://trac.wordpress.org/changeset/5680/branches/2.0/wp-content/themes/default/functions.php )

On 8/3/07, Kai Hendry <[EMAIL PROTECTED]> wrote:
> http://security-tracker.debian.net/tracker/source-package/wordpress
>
> I'm having trouble tracking down these CVEs in Trac. :)
>
> I hope you can give me some pointers. Debian security and putting the
> screws in again!
>

--
Mark Jaquith
http://markjaquith.com/ | http://txfx.net/
Covered Web Services http://coveredwebservices.com/
WordPress Ninja @ b5media Inc http://b5media.com/