WordPress package

NoOp glgxg at mfire.com
Fri Apr 13 21:00:08 UTC 2007


On 04/13/2007 07:58 AM, Scott Lockwood wrote:

> 
> If you make software available, then maintain it. If this was just a
> minor feature / functionality update, I'd agree with you. It is not.
> WordPress, prior to 2.1.3, has a REMOTE ROOT VULNERABILITY. In fact, I
> am doing exactly what I should by complaining, loudly, about this. If
> you are (misfortunate enough to be) running WordPress, and you're doing
> so out of Ubuntu's repository, YOU ARE VULNERABLE.
> 

Package wordpress

    * warty (web): a semantic personal publishing platform or weblog manager [universe]
      1.0.2-1: all
    * hoary (web): a semantic personal publishing platform or weblog manager [universe]
      1.2.2-1.1: all
    * breezy (web): an award winning weblog manager [universe]
      1.5.2-1: all
    * dapper (web): an award winning weblog manager [universe]
      2.0.2-2: all
    * dapper-backports (web): an award winning weblog manager [universe]
      2.1.2-1ubuntu1~dapper1: all
    * edgy (web): an award winning weblog manager [universe]
      2.0.4-2: all
    * edgy-backports (web): an award winning weblog manager [universe]
      2.1.0-1~edgy1: all
    * feisty (web): an award winning weblog manager [universe]
      2.1.3-1ubuntu1: all

They are all in universe:

http://www.ubuntu.com/community/ubuntustory/components
<quote>
"universe" component

The universe component is a snapshot of the free, open source, and Linux
world. In universe you can find almost every piece of open source
software, and software available under a variety of less open licences,
all built automatically from a variety of public sources. All of this
software is compiled against the libraries and using the tools that form
part of main, so it should install and work well with the software in
main, but it comes with no guarantee of security fixes and support. The
universe component includes thousands of pieces of software. Through
universe, users are able to have the diversity and flexibility offered
by the vast open source world on top of a stable Ubuntu core.

Please note: universe is not enabled by default when you install Ubuntu,
you need to turn it on yourself. Canonical does not provide a guarantee
of regular security updates for software found in universe but will
provide these where they are made available by the community. Users
should understand the risk inherent in using packages from the universe
component.

You can enable the universe component by editing the file
"/etc/apt/sources.list" after installing Ubuntu.

Popular or well supported pieces of software will move from universe
into main if they are backed by maintainers willing to meet the
standards set for main by the Ubuntu team.
</quote>

You can, of course, upgrade to Feisty, or download and install directly
from WordPress:
http://wordpress.org/download/

There is also a workaround according to the original security alert:
<http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/>
<quote>
Workaround:
1. Disable xmlrpc if you don't use it or restrict its access to trusted
users only.
</quote>
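
An added example, not part of the original message: a small audit that parses a package listing in the format pasted above and reports which releases ship a WordPress older than 2.1.3, the threshold given in the quoted message. The function names and the simplified version comparison are assumptions made for this illustration; the sample listing is constructed from the versions in this post.

```python
import re

FIXED = "2.1.3"  # first fixed release, as stated in the quoted message

# Constructed sample: release/version pairs copied from the listing in this
# post, with the package descriptions shortened.
LISTING = """\
* warty (web): weblog manager [universe]
  1.0.2-1: all
* hoary (web): weblog manager [universe]
  1.2.2-1.1: all
* breezy (web): weblog manager [universe]
  1.5.2-1: all
* dapper (web): weblog manager [universe]
  2.0.2-2: all
* dapper-backports (web): weblog manager [universe]
  2.1.2-1ubuntu1~dapper1: all
* edgy (web): weblog manager [universe]
  2.0.4-2: all
* edgy-backports (web): weblog manager [universe]
  2.1.0-1~edgy1: all
* feisty (web): weblog manager [universe]
  2.1.3-1ubuntu1: all
"""

def upstream_key(version):
    """Sort key for the upstream part of a Debian version string."""
    # Simplified: numeric dotted upstream versions plus a '~' pre-release
    # suffix, which is all this listing needs.
    version = version.split(":", 1)[-1]      # drop an epoch such as "1:"
    if "-" in version:
        version = version.rsplit("-", 1)[0]  # drop the Debian/Ubuntu revision
    base, tilde, _ = version.partition("~")
    numbers = tuple(int(n) for n in re.findall(r"\d+", base))
    return (numbers, 0 if tilde else 1)      # "2.1.3~rc1" sorts before "2.1.3"

def releases_below_fix(listing, fixed=FIXED):
    """Return [(release, version)] for entries older than the fixed version."""
    flagged, release = [], None
    for line in listing.splitlines():
        if m := re.match(r"\s*\*\s+(\S+)\s+\(", line):
            release = m.group(1)
        elif release and (m := re.match(r"\s*(\d\S*):\s+\S+", line)):
            if upstream_key(m.group(1)) < upstream_key(fixed):
                flagged.append((release, m.group(1)))
            release = None
    return flagged
```

Calling `releases_below_fix(LISTING)` returns every release in the listing except feisty, including both backports entries.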




