Package: wordpress
Version: 5.8.1+dfsg1-1
Severity: normal

Dear Maintainer,

It seems this package includes a WordPress-provided root store, which like 
Debian's is based on Mozilla, but which includes a workaround for an issue from 
six years ago concerning 1024-bit roots 
(<https://core.trac.wordpress.org/ticket/54207>).

I can't say I've bothered looking for any Debian policies which may apply to 
this, but it seems to me that no package should use a non-system root store 
unless there is a very good reason to. I'm not convinced that this six year old 
issue is such a reason; the workaround was only needed for OpenSSL 1.0.1g, a 
version which predates Stretch. I cannot really see that there is anything 
otherwise unique to WordPress that would justify not just using the 
Debian-provided system root store.

As one example, the recently released 5.8.2 included one security fix which was 
directly caused by this practice (related to the recent Let's Encrypt root 
expiry): <https://core.trac.wordpress.org/ticket/54207>. In Debian, this issue 
was already sorted a month ago in #995432.

To solve this, I suggest one of the following:

1. Remove /usr/share/wordpress/wp-includes/certificates/ca-bundle.crt from the 
package and make it a symlink to /etc/ssl/certs/ca-certificates.crt
(ca-certificates is already a dependency)

or

2. Remove /usr/share/wordpress/wp-includes/certificates/ and patch 
/usr/share/wordpress/wp-includes/class-http.php to read 
/etc/ssl/certs/ca-certificates.crt (see lines 14 and 137 in 5.3.1)


Cheers

-- System Information:
Debian Release: 10.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
ii  apache2 [httpd]                             2.4.48-3~bpo10+1
ii  ca-certificates                             20210119
ii  default-mysql-client                        1.0.5
ii  libjs-cropper                               1.2.2-1
ii  libjs-underscore                            1.9.1~dfsg-1+deb10u1
ii  mariadb-client-10.3 [virtual-mysql-client]  1:10.3.31-0+deb10u1
ii  php                                         2:7.3+69
ii  php-gd                                      2:7.3+69
ii  php-getid3                                  1.9.20+dfsg-1
ii  php-mysql                                   2:7.3+69
ii  php7.3 [php]                                7.3.31-1~deb10u1
ii  php7.3-gd [php-gd]                          7.3.31-1~deb10u1
ii  php7.3-mysql [php-mysqlnd]                  7.3.31-1~deb10u1

Versions of packages wordpress recommends:
ii  wordpress-l10n                   5.8.1+dfsg1-1
ii  wordpress-theme-twentytwentyone  5.8.1+dfsg1-1

Versions of packages wordpress suggests:
ii  mariadb-server-10.3 [virtual-mysql-server]  1:10.3.31-0+deb10u1
pn  php-ssh2                                    <none>

-- Configuration Files:
/etc/wordpress/htaccess [Errno 2] No such file or directory: 
'/etc/wordpress/htaccess'

-- no debconf information
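Added example, not part of the bug report or the wordpress package: a Python check that detects whether the bundled ca-bundle.crt already resolves to the Debian system store (remedy 1 above) and, if not, reports how far the two root sets have drifted by comparing certificate fingerprints. It assumes only the two paths named in the report; the sample bundles below are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import os
import re

# Paths taken from the bug report: the WordPress-shipped bundle and the Debian system store.
WP_BUNDLE = "/usr/share/wordpress/wp-includes/certificates/ca-bundle.crt"
SYSTEM_STORE = "/etc/ssl/certs/ca-certificates.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every CERTIFICATE block in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line wrapping
        found.add(hashlib.sha256(der).hexdigest())
    return found


def compare_bundles(wp_pem, system_pem):
    """Return (only_in_wordpress, only_in_system): roots one store trusts and the other does not."""
    wp, system = fingerprints(wp_pem), fingerprints(system_pem)
    return wp - system, system - wp


def uses_system_store(bundle_path=WP_BUNDLE, system_path=SYSTEM_STORE):
    """True when the WordPress bundle resolves (e.g. via symlink) to the system store."""
    if not os.path.exists(bundle_path):
        return False
    return os.path.realpath(bundle_path) == os.path.realpath(system_path)


def fake_pem(label):
    """Constructed stand-in: arbitrary bytes in PEM framing, enough to exercise the diff logic."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: one shared root, one root present only on each side.
SAMPLE_WP = fake_pem("constructed-root-A") + fake_pem("constructed-root-B-stale")
SAMPLE_SYSTEM = fake_pem("constructed-root-A") + fake_pem("constructed-root-C-new")

if __name__ == "__main__":
    extra, missing = compare_bundles(SAMPLE_WP, SAMPLE_SYSTEM)
    print(f"only in WordPress bundle: {len(extra)}, only in system store: {len(missing)}")
    print("WordPress bundle is the system store:", uses_system_store())
```

On a real host, replace the constructed samples with the contents of the two files above; a non-empty "only in WordPress bundle" set is exactly the drift the report describes.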
