On Fri, May 15, 2015 at 02:35:45PM +0100, Rodrigo Campos wrote:
> On Fri, May 15, 2015 at 09:08:28PM +1000, Craig Small wrote:
> > On Thu, May 07, 2015 at 05:31:03AM +0100, Rodrigo Campos wrote:
> > > A new Wordpress *critical* security release has been announced here:
> > > https://wordpress.org/news/2015/05/wordpress-4-2-2/
> > > 
> > > Can you please update and backport the patches to stable ?
> > > Also, let me know if you need help to backport, test or if I can help in
> > > any way.
> > There are apparently two patches, one is the removal of example.html
> > but the other is another XSS fix.  It's not clear if this was fixed in
> > 4.2.1 or 4.2.2.

As I understand the announcements, XSS fixes were done in both releases. In 4.2.1
they fixed the issue and, AFAIU, 4.2.2 "includes a comprehensive fix for this
issue". Like, (totally invented example), 4.2.2 takes a "more radical" approach
and makes XSS attacks (besides the one discovered, which was already fixed) harder
by doing things quite differently. And doing this "code reorganization" would have
fixed the XSS bug fixed in 4.2.1, but required more time and testing, so 4.2.1 was
released and then 4.2.2 improved things. But, no idea, just thinking out loud.

But it seems clear to me that 4.2.1 fixed a concrete known XSS attack and 4.2.2
"includes a comprehensive fix for this issue" (quote from 4.2.2 announcement).
So XSS related things done in both releases seem desirable.

> > 
> > So decoding that would be good.
> 
> As I said in a later email, there was a 4.1.5 release. So isn't it easier to
> take those patches ?

I mean, instead of using 4.2.x to extract the patches and backport, isn't it
easier to extract them from 4.1.x for stable? Or just do a "new upstream
release" based on 4.1.5?

Not sure if Debian allows "new upstream release" (security fixes only) uploads
for stable or if patches must be handled by quilt or something and applied on
top of the current Debian package. But in any case, it seems easier to me to use
the 4.1.x release.

I've never ever used quilt, but if it's necessary to use it and you need help, I
can look into creating quilt patches from the 4.1.5 release.

Thanks a lot,
Rodrigo


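The "patches applied on top of the current Debian package" route discussed above, worked through in shell as an added example (this is not code from the bug thread, from the wordpress Debian package, or from WordPress upstream): the two source trees are constructed toy stand-ins for the 4.1.4 and 4.1.5 releases, and every file name, function and content in them is an assumption, not the real upstream change. It uses only diff and patch so it runs anywhere; on a real package the generated diff would go through `quilt import` (or `dpkg-source --commit`) rather than being copied into debian/patches by hand.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the wordpress package:
# build a quilt-style patch from the difference between two upstream security
# releases and check that it applies cleanly on top of the packaged source.
# The two trees below are constructed toy stand-ins for WordPress 4.1.4 and
# 4.1.5; their file names and contents are assumptions, not the real changes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_upstream_trees() {
    # The release currently packaged in stable, and the new upstream release
    # that carries only the security fixes.
    mkdir -p "$WORK/wordpress-4.1.4/wp-includes" "$WORK/wordpress-4.1.5/wp-includes"
    cat > "$WORK/wordpress-4.1.4/wp-includes/comment.php" <<'EOF'
<?php
// Constructed stand-in: the unescaped "before" version.
function example_comment_text( $text ) {
    return $text;
}
EOF
    cat > "$WORK/wordpress-4.1.5/wp-includes/comment.php" <<'EOF'
<?php
// Constructed stand-in: the escaped "after" version.
function example_comment_text( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}
EOF
    # A file present only in the old tree, like the example.html removal
    # mentioned in the thread (content constructed).
    printf '<p>demo</p>\n' > "$WORK/wordpress-4.1.4/wp-includes/example.html"
}

make_security_patch() {
    # -r recurse, -u unified, -N treat absent files as empty so that deleted
    # and added files show up as hunks. diff exits 1 when it finds
    # differences, which is the expected outcome; 0 (nothing to backport) or
    # 2 (error) both mean the patch must not be shipped.
    set +e
    (cd "$WORK" && diff -ruN wordpress-4.1.4 wordpress-4.1.5 > security-4.1.5.diff)
    status=$?
    set -e
    [ "$status" -eq 1 ] || { echo "diff failed or found no changes" >&2; return 1; }
    # Quilt layout: the patch under debian/patches/ and its name in 'series'.
    mkdir -p "$WORK/pkg/debian/patches"
    cp "$WORK/security-4.1.5.diff" "$WORK/pkg/debian/patches/upstream-4.1.5-security.patch"
    echo upstream-4.1.5-security.patch >> "$WORK/pkg/debian/patches/series"
}

apply_to_packaged_source() {
    # What the package build does in effect: start from the orig tarball
    # contents and apply each patch listed in series with -p1, which strips
    # the leading wordpress-4.1.x/ component. -E removes files the patch
    # empties, which is how the deleted example.html is handled.
    cp -R "$WORK/wordpress-4.1.4" "$WORK/pkg/src"
    while read -r p; do
        patch -d "$WORK/pkg/src" -p1 -E < "$WORK/pkg/debian/patches/$p" >/dev/null
    done < "$WORK/pkg/debian/patches/series"
}

patched_tree_matches_upstream() {
    # Success means stable-plus-patch is byte-identical to the upstream
    # security release: nothing was dropped and nothing extra slipped in.
    diff -r "$WORK/pkg/src" "$WORK/wordpress-4.1.5" >/dev/null
}

make_upstream_trees
make_security_patch
apply_to_packaged_source
patched_tree_matches_upstream
echo "upstream-4.1.5-security.patch applies cleanly and reproduces the 4.1.5 tree"
```

The final `diff -r` against the upstream release is the check worth keeping in a real backport: it catches a hunk that applied with fuzz to the wrong place as well as a deletion that was silently skipped.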