Package: wordpress
Version: 2.5.1-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today I read a bit about one of the vulnerabilities recently closed in
2.5.1. The document mentioned a new variable, SECRET_KEY, that should be
set in wp-config.php. Of course, users have to do it themselves ([1]
should help them). But wp-config.php says that users had better not edit
the file and should instead read README.Debian. But the Debian-specific
documentation says nothing about a) why users shouldn't touch the file
and b) (and this is what this report is about) the new option, which
seems to be a recommendation.

So the docs should mention it, or maybe the installation/upgrade/update
process should ask the users and try to set it. I consider it important,
as it seems to be of some importance. But you should know best and
adjust severity if necessary.

What is your opinion here?

[1] http://api.wordpress.org/secret-key/1.0/

Regards, Daniel


- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2                       2.2.8-3    Next generation, scalable, extenda
ii  apache2-mpm-prefork [httpd]   2.2.8-3    Traditional model for Apache HTTPD
ii  libapache2-mod-php5           5.2.5-3    server-side, HTML-embedded scripti
pn  libjs-prototype               <none>     (no description available)
pn  libjs-scriptaculous           <none>     (no description available)
pn  libphp-phpmailer              <none>     (no description available)
ii  mysql-client-5.0 [virtual-mys 5.0.51a-5  MySQL database client binaries
ii  php5                          5.2.5-3    server-side, HTML-embedded scripti
pn  php5-gd | php4-gd             <none>     (no description available)
ii  php5-mysql                    5.2.5-3    MySQL module for php5
pn  tinymce                       <none>     (no description available)

wordpress recommends no packages.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIFykCm0bx+wiPa4wRAp0IAKCYZWqcxSQ2CGJoLhsZZLq9qr847wCdH7o1
ZT5GKjvqk3C7KQhYFe3elRY=
=TQjQ
-----END PGP SIGNATURE-----