group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1691520] Re: Wordpress May 2017 security updates

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1691520@xxxxxxxxxxxxxxxxxx>
Date: Tue, 07 Nov 2017 04:17:34 -0000
Reply-to: Bug 1691520 <1691520@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
[Expired for wordpress (Ubuntu Yakkety) because there has been no
activity for 60 days.]

** Changed in: wordpress (Ubuntu Yakkety)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1691520

Title:
  Wordpress May 2017 security updates

Status in wordpress package in Ubuntu:
  Expired
Status in wordpress source package in Xenial:
  Expired
Status in wordpress source package in Yakkety:
  Expired
Status in wordpress source package in Zesty:
  Expired

Bug description:
  Sponsorship
  -----------
  git-buildpackage from the ubuntu/* branches at
  https://git.launchpad.net/~jbicha/ubuntu/+source/wordpress/

  Impact
  ------
  Update 17.04     from 4.7.3 to 4.7.5
  Update 16.10     from 4.6.1 to 4.6.6
  Update 16.04 LTS from 4.4.2 to 4.4.10

  to fix numerous critical security bugs.

  wordpress 4.7.5-1 was auto-synced from Debian to Ubuntu 17.10 Alpha
  "artful"

  Changes for Ubuntu 17.04
  ------------------------
  https://wordpress.org/news/2017/04/wordpress-4-7-4/
  https://wordpress.org/news/2017/05/wordpress-4-7-5/

  https://codex.wordpress.org/Version_4.7.4
  https://codex.wordpress.org/Version_4.7.5

  You can change the codex URL to a different version number if you
  really want to see all the individual security fixes.

  The changelog entries were produced by tweaking the changelog from
  https://tracker.debian.org/media/packages/w/wordpress/changelog-4.7.5%2Bdfsg-1

  For Xenial, I also used
  https://tracker.debian.org/media/packages/w/wordpress/changelog-4.1%2Bdfsg-1%2Bdeb8u13

  and filled in the descriptions for these 2 that didn't apply to the Debian security update but apply to Xenial
  https://security-tracker.debian.org/tracker/CVE-2016-6896
  https://security-tracker.debian.org/tracker/CVE-2016-6897

  Testing Done
  ------------
  I have successfully test-built each package.

  Regression Potential
  --------------------
  WordPress maintains separate branches to backport security fixes. I suspect that the older the branch gets, the more likely it is that something will break.

  WordPress still uses trac/svn, but there's this handy read-only copy
  that is easier to examine:

  https://github.com/WordPress/WordPress/commits/4.4-branch

  WordPress only officially recommends the latest stable series (currently 4.7)
  https://wordpress.org/download/release-archive/

  Other Info
  ----------
  On one hand, I hope right now no one actually uses the Ubuntu package on a live web server. I mean, if they are using the development version of Ubuntu, it might actually work but otherwise, it's not really received any security support at all.

  Similarly, I guess there's a concern that if we start providing
  security updates, then people will start thinking that Ubuntu's
  'wordpress' package is safe to use, which is fine as long as someone
  from the community will indeed package these updates from now on.
  Otherwise, maybe doing these security updates is not really helping
  anyone?

  WordPress also maintains a 3.8 branch (with a 3.8.21 release this week
  corresponding with 4.7.5) that we could use for Ubuntu 14.04 LTS. I
  could prepare that one too, but I don't think it's worth spending much
  time testing that version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/1691520/+subscriptions