Your message dated Tue, 11 Sep 2007 17:32:11 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#440572: fixed in wordpress 2.2.3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: wordpress
Version: 2.2.2-1
Severity: serious
Tags: patch

The use of the variable $file in /etc/wordpress/wp-config.php
overrides $file in many of the upstream package's base files (list
below).

This can lead to unintended security holes, as the included file
(/etc/wordpress/config-<$server>.php) contains the backend MySQL
access information - *including* the plaintext password. At the very
least, the use of $file breaks WP's theme editor. Similarly, the
variable $server overrides some upstream files' variables as well,
though it's unclear that this presents any immediate concern.

The fix is simple, though perhaps inelegant. Prefix debian- to all
variable names as shown below to prevent namespace collision.

Best regards,
Joan
<?php
/** WordPress's Debianised default master config file
Please do NOT edit and read about how the configuration works in the
README.Debian
**/
#http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=435289
# PHP variable names cannot contain "-", so the debian prefix is joined with "_"
# Strip any ":port" suffix from the Host header to get the site name
$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
$debian_file = '/etc/wordpress/config-'.strtolower($debian_server).'.php';
if (!file_exists($debian_file)) {
    header("HTTP/1.0 404 Not Found");
    echo "404 Not found";
    exit; # no per-host config: stop instead of requiring a missing file
}
# Per-host settings, including the database credentials
require_once($debian_file);
define('ABSPATH', '/usr/share/wordpress/');
require_once(ABSPATH.'wp-settings.php');
?>
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13-vs2.0.2.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages wordpress depends on:
ii  apache2-mpm-prefork [httpd]   2.2.4-3     Traditional model for Apache HTTPD
ii  libapache2-mod-php5           5.2.3-1+b1  server-side, HTML-embedded scripti
ii  libphp-phpmailer              1.73-6      full featured email transfer class
ii  mysql-client-5.0 [virtual-mys 5.0.45-1    MySQL database client binaries
ii  php5-cgi                      5.2.3-1+b1  server-side, HTML-embedded scripti
ii  php5-mysql                    5.2.3-1+b1  MySQL module for php5

wordpress recommends no packages.
-- no debconf information
--- End Message ---
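
The collision described in the report above, as an added example (not code from the report, from Debian or from WordPress): a stand-in for an upstream page that keeps an already-set global $file is run after a config that leaks $file, then after one that keeps its working names local. The function names, the request array and the host blog.example.org are assumptions made for the illustration.

```php
<?php
// Added illustration with constructed stand-ins; not WordPress or Debian code.

// Hypothetical upstream-style page: it keeps a global $file that is already
// set, and only otherwise reads the request or falls back to a default.
function upstream_editor_page(array $request): string
{
    global $file;
    if (!isset($file)) {
        $file = $request['file'] ?? 'index.php';
    }
    return $file; // the path this page would go on to open
}

// Config written as in the report: $server and $file land in global scope.
function load_config_leaky(string $host): void
{
    global $server, $file;
    $server = preg_replace('/:.*/', '', $host);
    $file = '/etc/wordpress/config-' . strtolower($server) . '.php';
}

// Config with its working names kept local, so nothing escapes to the caller.
function load_config_scoped(string $host): string
{
    $debian_server = preg_replace('/:.*/', '', $host);
    return '/etc/wordpress/config-' . strtolower($debian_server) . '.php';
}

$request = ['file' => 'style.css'];   // constructed request parameter
$host    = 'blog.example.org:8080';   // constructed Host header

load_config_leaky($host);
echo "after leaky config:  ", upstream_editor_page($request), "\n";

unset($file, $server);                // start again from a clean global scope
load_config_scoped($host);
echo "after scoped config: ", upstream_editor_page($request), "\n";
```

After the leaky config the page resolves to the per-host credentials file instead of the requested style.css; after the scoped config it resolves to style.css.
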
--- Begin Message ---
Source: wordpress
Source-Version: 2.2.3-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.2.3-1.diff.gz
  to pool/main/w/wordpress/wordpress_2.2.3-1.diff.gz
wordpress_2.2.3-1.dsc
  to pool/main/w/wordpress/wordpress_2.2.3-1.dsc
wordpress_2.2.3-1_all.deb
  to pool/main/w/wordpress/wordpress_2.2.3-1_all.deb
wordpress_2.2.3.orig.tar.gz
  to pool/main/w/wordpress/wordpress_2.2.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kai Hendry <[EMAIL PROTECTED]> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Sep 2007 19:36:34 +0100
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Kai Hendry <[EMAIL PROTECTED]>
Changed-By: Kai Hendry <[EMAIL PROTECTED]>
Description:
 wordpress - an award winning weblog manager
Closes: 440572
Changes:
 wordpress (2.2.3-1) unstable; urgency=high
 .
   * New upstream security release
   * http://wordpress.org/development/2007/09/wordpress-223/
   * wordpress debian config overrides $file, $server in upstream php
     files (Closes: #440572)
Files:
 4be3cd4c1779e7f96746e1a9a705a398 559 web optional wordpress_2.2.3-1.dsc
 98c1e611f8533d4fe4e8f995b8d83110 824904 web optional wordpress_2.2.3.orig.tar.gz
 fd46ee1c57d719bf5fdb3886a211ff1b 10057 web optional wordpress_2.2.3-1.diff.gz
 4871b0079878d58678694e75b27085bb 801956 web optional wordpress_2.2.3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG5s3AK/juK3+WFWQRAiHbAKCLfPQj74l3LnETuv5MAjRWW/586QCfbvvz
DJjTkjvEv7er9YdoFEclbKk=
=99bV
-----END PGP SIGNATURE-----
--- End Message ---