
[20.03] wordpress: 5.3.4 -> 5.5.1 #99896

Closed

Conversation

@mohe2015
Contributor

@mohe2015 mohe2015 commented Oct 6, 2020

Motivation for this change

Backport of #98302
Close #99868
Close #92064
Close #91304

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@pbogdan
Member

@pbogdan pbogdan commented Oct 6, 2020

Is this actually necessary? Upstream doesn't seem to consider this a security issue but nevertheless backported the changes to mitigate it to 5.3.4 - https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/

@mohe2015
Contributor Author

@mohe2015 mohe2015 commented Oct 6, 2020

@pbogdan I'm not in the position to make such decisions; the problem is just that WordPress officially says that other versions are not supported. I understand that all the CVEs in the issues have explicitly mentioned that the vulnerability is also fixed in 5.3.4. They also say "There are no fixed period of support nor Long Term Support (LTS) version such as Ubuntu's. None of these are safe to use, except the latest series, which is actively maintained." So I personally would like to update, but I don't want to make that decision myself.

Edit: I think all currently known CVEs are fixed in 5.3.4 so this is not urgent. So this is more of a discussion for now.

@pbogdan
Member

@pbogdan pbogdan commented Oct 6, 2020

Admittedly I've been out of the loop for a while but historically upstream has been very good about backporting any security fixes. OTOH upgrading between non-patch upgrades can be problematic so unless there's a pressing need I would personally hold off on a jump from 5.3.x to 5.5.x on a stable release branch.
Let's see if we can get any feedback from other maintainers.

@mohe2015
Contributor Author

@mohe2015 mohe2015 commented Oct 6, 2020

@pbogdan I agree with you that upstream seems to be backporting quite well. I will close this for now also considering that 20.03 is expected to get obsolete (hopefully soon). If a maintainer objects they can reopen of course.

Edit: I just don't like their policy: No guarantee for any older version but basically it's safe to use in practice.

@mohe2015 mohe2015 closed this Oct 6, 2020
@mohe2015 mohe2015 deleted the backport/20.03/wordpress branch Jan 14, 2021