Package: wordpress
Version: 2.5.1-1
Severity: important
Tags: security

Hi,

Given the fact that wordpress has a long history of security bugs and shipping embedded code copies doesn't help the situation at all, I decided to look at the other non-wordpress code in the package.

A couple of commands provide a, probably incomplete, list of embedded copies:

$ grep -r @package usr/share/wordpress/wp-includes/ 2>/dev/null | egrep -v "(WordPress|subpackage)" | cut -d/ -f4-

> wp-includes/functions.php: * @package Debug
> wp-includes/functions.php: * @package Debug
False positives

> wp-includes/gettext.php: * @package External
Debian package: php-gettext

> wp-includes/js/tinymce/plugins/spellchecker/classes/utils/JSON.php: * @package MCManager.utils
> wp-includes/js/tinymce/plugins/spellchecker/classes/utils/JSON.php: * @package MCManager.utils
> wp-includes/js/tinymce/plugins/spellchecker/classes/utils/Logger.php: * @package MCFileManager.filesystems
> wp-includes/js/tinymce/plugins/spellchecker/includes/general.php: * @package MCManager.includes
> wp-includes/post-template.php: * @package Template Tags
Debian package: tinymce-*

> wp-includes/atomlib.php: * @package AtomLib
> wp-includes/atomlib.php: * @package AtomLib
> wp-includes/atomlib.php: * @package AtomLib
> wp-includes/atomlib.php: * @package AtomLib
http://code.google.com/p/phpatomlib/

> wp-includes/class-pop3.php: * @package SquirrelMail
Debian package: squirrelmail

> wp-includes/compat.php: * @package PHP
This actually looks like a c&p of some portions of the compat PEAR package.

> wp-includes/class-snoopy.php: * @package Snoopy
Debian package: libphp-snoopy

> wp-includes/rss.php: * @package External
Debian package: magpierss (rss_parse.inc)

> wp-includes/streams.php: * @package External
Debian package: php-gettext

> wp-includes/class-phpass.php: * @package phpass
http://www.openwall.com/phpass/

> wp-includes/kses.php: * @package External
WNPP bug: #504240

> wp-includes/class-IXR.php: * @package IXR
WNPP bug: #504236

It would be great to remove those embedded copies and use the packaged copies (and if the software hasn't been packaged, package it and then use the packaged version).

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
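The same @package heuristic as the grep pipeline in the report, as an added example that is not part of the bug report or the Debian package: it walks a PHP tree, ignores the project's own tag and @subpackage lines, and groups files by the foreign tag they carry. The sample tree is constructed inline and only mirrors a few of the file names above.

```python
import os
import re
import tempfile

# "@package Name" on a PHPDoc line; "@subpackage" never matches because the
# tag must follow the optional "*" and whitespace directly.
PACKAGE_TAG = re.compile(r"^\s*\*?\s*@package\s+(\S.*?)\s*$", re.MULTILINE)

def find_embedded_copies(root, own_packages=("WordPress",)):
    """Map every foreign @package tag under root to the PHP files carrying it."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = PACKAGE_TAG.findall(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for tag in tags:
                if tag not in own_packages:
                    found.setdefault(tag, set()).add(rel)
    return {tag: sorted(files) for tag, files in found.items()}

# Constructed sample tree; the @package values mirror files from the report.
SAMPLE = {
    "wp-includes/functions.php": "/**\n * @package WordPress\n * @subpackage Template\n */\n",
    "wp-includes/class-pop3.php": "/**\n * @package SquirrelMail\n */\n",
    "wp-includes/class-snoopy.php": "/**\n * @package Snoopy\n */\n",
    "wp-includes/gettext.php": "/**\n * @package External\n */\n",
    "wp-includes/streams.php": "/**\n * @package External\n */\n",
    "wp-includes/js/app.js": "/** @package NotPhp */\n",  # skipped: not .php
}

def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_embedded_copies(root)

if __name__ == "__main__":
    for tag, files in sorted(scan_sample().items()):
        print(f"{tag}: {', '.join(files)}")
```

Run against a real tree with find_embedded_copies("/usr/share/wordpress") to get the per-tag file list; a tag such as "External" still needs a human to map it to the right Debian package.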