[SAC] wordpress - 4 Debian package update(s) for projects.osgeo.osuosl.org


The wordpress user(s) on the projects VM should please take care of this update.


From: root <root@projects.osgeo.osuosl.org>
Date: Thu, Jul 11, 2013 at 3:25 PM
Subject: 4 Debian package update(s) for projects.osgeo.osuosl.org

        libpoppler5 0.12.4-1.2+squeeze3
        poppler-utils 0.12.4-1.2+squeeze3
        wordpress 3.5.2+dfsg-1~deb6u1
        wordpress-l10n 3.5.2+dfsg-1~deb6u1


--- News for wordpress (wordpress wordpress-l10n) ---
wordpress (3.5+dfsg-1) unstable; urgency=low

  This version drops the "twentyten" theme and introduces the
  "twentytwelve" theme. If your website uses the "twentyten" theme
  you might want to keep it around:

    sudo rm /var/lib/wordpress/wp-content/themes/twentyten && \
    sudo cp -a /usr/share/wordpress/wp-content/themes/twentyten \

  The above command assumes that the package has not yet been upgraded.
  Otherwise you'll have to download it from
  http://wordpress.org/extend/themes/twentyten and unpack it
  in /var/lib/wordpress/wp-content/themes/.

-- Raphaël Hertzog <hertzog@debian.org> Fri, 21 Dec 2012 14:02:06 +0100

wordpress (3.4+dfsg-1) unstable; urgency=low

  1/ The default configuration now sets WP_CONTENT_DIR to
  /var/lib/wordpress/wp-content to respect the FHS and to cleanly allow the
  installation of local plugins and themes. You might have to adjust your
  Apache configuration with a directive to override the default wp-content
  directory with this one. For a dedicated virtual host, it could be this:

    Alias /wp-content /var/lib/wordpress/wp-content

  If you want to disable this default setting and come back to the former
  situation, you can add this in your /etc/wordpress/config-*.php
  configuration file:

    define( 'DONT_SET_WP_CONTENT_DIR', true);

  2/ The "default" and "default-fr" theme are gone. If you're using one of
  them, make sure to install them manually in

-- Raphaël Hertzog <hertzog@debian.org> Fri, 15 Jun 2012 12:00:07 +0200

--- Changes for poppler (libpoppler5 poppler-utils) ---
poppler (0.12.4-1.2+squeeze3) oldstable-security; urgency=high

  * Upload to oldstable-security.

-- Michael Gilbert <mgilbert@debian.org> Sun, 07 Jul 2013 18:46:43 +0000

poppler (0.12.4-1.2+squeeze2) stable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-1788: invalid memory access issues.
  * Fix cve-2013-1790: uninitialized memory issue.

-- Michael Gilbert <mgilbert@debian.org> Fri, 05 Jul 2013 21:25:34 +0000

--- Changes for wordpress (wordpress wordpress-l10n) ---
wordpress (3.5.2+dfsg-1~deb6u1) squeeze-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Import wordpress from Jessie to fix all the security issues present in

-- Yves-Alexis Perez <corsac@debian.org> Sat, 29 Jun 2013 13:49:37 +0200

wordpress (3.5.2+dfsg-1) unstable; urgency=low

  * New upstream release with many security fixes. Closes: #713947
    * Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
    * Privilege Escalation: Contributors can publish posts, and users can
      reassign authorship. CVE-2013-2200.
    * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
    * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
    * Content Spoofing via Flash Applet in TinyMCE Media Plugin.
    * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
    * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
  * Additional security hardening includes:
    * Cross-Site Scripting (XSS) (Low Severity) when Editing Media.
    * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating
      Plugins/Themes. CVE-2013-2201.
    * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
  * Update the Vcs-Git and Vcs-Browser URLs.
  * Update Standards-Version to 3.9.4.

-- Raphaël Hertzog <hertzog@debian.org> Tue, 25 Jun 2013 15:52:07 +0200

wordpress (3.5.1+dfsg-2) unstable; urgency=low

  * Only replace tinymce files by symlinks if the content is exactly the same.
    Closes: #700289
  * Update debian/get-upstream-i18n to include supplementary PO files
    and use a more efficient method to update them. Closes: #697208

-- Raphaël Hertzog <hertzog@debian.org> Mon, 11 Feb 2013 13:56:18 +0100

wordpress (3.5.1+dfsg-1) unstable; urgency=low

  * New upstream maintenance and security release. Closes: #698916

-- Raphaël Hertzog <hertzog@debian.org> Mon, 28 Jan 2013 17:15:27 +0100

wordpress (3.5+dfsg-1) unstable; urgency=low

  * New upstream release.
  * Fix sample apache.conf so that Alias directives are in the proper order
    (from the most specific to the less specific). Closes: #693122
    Thanks to Jérôme Marant for the report.
  * Update debian/missing-sources/ with latest upstream changes.
  * Update all translations.
  * Try to deduplicate (i.e. replace with symlinks) backbone.js and
    underscore.js too.
  * Drop debian/patches/006rss_language.patch, the rss_language option
    is no longer used.
  * Update/refresh all other patches on top of the new release.
  * Update lintian overrides and debian/wordpress.linktrees to match the
    latest changes concerning javascript libraries shipped by WordPress.
  * Document the loss of the twentyten theme.

-- Raphaël Hertzog <hertzog@debian.org> Fri, 21 Dec 2012 14:17:50 +0100

wordpress (3.4.2+dfsg-1) unstable; urgency=low

  * New upstream security & bugfix release.
  * Also setup languages symlink in setup-mysql. Closes: #684628
    Thanks to Jun NOGATA <nogajun@gmail.com> for the analysis.
  * Add new patch 011support-symlinks-for-plugins.patch grabbed
    in the upstream ticket to allow plugin directories to be
    symlinks (which is required for the Debian package since
    we put symlinks in /var/lib/wordpress/wp-content/plugins/).
    Closes: #686228

-- Raphaël Hertzog <hertzog@debian.org> Wed, 12 Sep 2012 14:52:14 +0200

wordpress (3.4.1+dfsg-1) unstable; urgency=high

  * New upstream security & bugfix release. Closes: #680721
    Fixes CVE-2012-3383, CVE-2012-3384, CVE-2012-3385.

-- Raphaël Hertzog <hertzog@debian.org> Tue, 03 Jul 2012 08:36:08 +0200

wordpress (3.4+dfsg-3) unstable; urgency=low

  * [f7a1c09] Drop useless postrm.
  * [d92219b] Add a prerm script calling wp-setup --purge-wp-content on
    remove. Closes: #678842
  * [2fbf903] Allow wp-setup to symlink files as well as directories.
  * [cef928f] Let wp-setup also manage
  * [ac86408] Densify output of wp-setup.

-- Raphaël Hertzog <hertzog@debian.org> Tue, 26 Jun 2012 10:47:25 +0200

wordpress (3.4+dfsg-2) unstable; urgency=low

  * [2e63535] Merge unused debian/NEWS into debian/wordpress.NEWS so that
    users are correctly informed of the latest changes.
  * [e3b7b1c] Improve preinst to also move the
    /usr/share/wordpress/wp-content/uploads directory to its new location in
    /var/lib/wordpress/wp-content/. The package never created this directory
    but many users probably created it and we need to do this to let dpkg
    install the symlink that we put into place.
  * [5c0a29b] Add a trigger that watches /usr/share/wordpress/wp-content.
    When activated, it will execute wp-setup --sync-wp-content
    which updates /var/lib/wordpress/wp-content/ with symlinks
    to plugins/themes that have been added and it drops symlinks
    to plugins/themes which have disappeared. (Closes: #677889)

-- Raphaël Hertzog <hertzog@debian.org> Thu, 21 Jun 2012 20:44:53 +0200

wordpress (3.4+dfsg-1) unstable; urgency=low

  * New upstream release. Closes: #677534

  [ Raphaël Hertzog ]
  * [a1c0409] Refresh and update all patches to correctly apply on version
  * [3804496] Update debian/missing-sources/ to match the current versions of
    embedded javascript and flash files.
  * [185b051] Drop the old "default" theme (and its French translation)
  * [966ce6c] Grab latest translations
  * [1983326] Update Standards-Version to 3.9.3 (no change).
  * [29c48b6] Increase debhelper compat level to 9.
  * [73e16d0] Replace debian/dh_linktree by the packaged version.
  * [359b660] Update debian/wordpress.linktrees to match latest developments.
  * [645b650] Let setup-mysql lowercase the FQDN since the configuration
    scheme expects this. Thanks to Chris Butler <chrisb@debian.org> for the
    report (Closes: #658395)
  * [5433e90] Fix setup-mysql to avoid creating /srv/www with restricted
    permissions (Closes: #616400)
  * [dd2ef1d] Move back wp-config.php to /usr/share/wordpress/ since it's only
    a dispatcher to the real configuration file (Closes: #592502)
  * [b602372] Improve wp-config.php so that WordPress works behind an https
  * [ba0b729] Entirely update and rewrite README.debian. (Closes: #575985,
  * [683a908] Update wp-config.php to not redefine constants which have
    already been set. Thanks to Richard van den Berg <richard@vdberg.org> for
    the report. (Closes: #613283)
  * [315eb68] Let wordpress-l10n depend on the same version as wordpress.
    (Closes: #623557)
  * [a6d0b9f] Default configuration now sets WP_CONTENT_DIR to
    /var/lib/wordpress/wp-content. And the package provides this new directory
    appropriately setup with write rights to www-data on blogs.dir and
    uploads. themes and plugins are root-owned directories with symlinks
    pointing back to the default themes and plugins. (Closes: #675469)
  * [4db98c6] Update setup-mysql to use WP_CONTENT_DIR (and no longer use
    $upload_dir). (Closes: #658508)
  * [a1970da] Extend debian/wordpress.linktrees to cover swfobject.js.
  * [8d46dab] Use dpkg-maintscript-helper to drop obsolete

  [ Martin Bagge / brother ]
  * [56d0a34] Improve the setup script to be able to use a remote MySQL

-- Raphaël Hertzog <hertzog@debian.org> Sat, 16 Jun 2012 01:19:20 +0200


as root on projects.osgeo.osuosl.org


On Thu, Jul 11, 2013 at 03:58:36PM +0200, Markus Neteler wrote:

The following packages are currently pending an upgrade:


        wordpress 3.5.2+dfsg-1~deb6u1
        wordpress-l10n 3.5.2+dfsg-1~deb6u1

Since it's our responsibility to keep the systems safe, I'll take care
of installing this update today. I'll post a notice when it's done,

WordPress update on the "projects" VM completed. I checked the
OpenLayers Blog - since that's the sole user of WordPress I was able to
identify - and it looks plausible to me. Anyhow, the more people
check, the better ....

