ubuntu wordpress should suppress the "please update" warning

This bug was fixed in the package wordpress - 2.5.1-5ubuntu1

---------------
wordpress (2.5.1-5ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes: (LP: #237348)
   + debian/apache.conf:
    - Changed to use /var/www instead of /srv/www for virtual webroot.
   + debian/setup-mysql:
    - Changed to use /var/www instead of /srv/www.

  * other changes:
   + debian/patches/008_remove_update_notice.patch: (LP: #227547)
    - Removed Wordpress upgrade notify in admin dashboard.

wordpress (2.5.1-5) unstable; urgency=low

  * Modified rules file to have a lintian clean package.

wordpress (2.5.1-4) unstable; urgency=low

  * Added patch to fix unrestricted file upload vulnerability (Closes: #485807)
    Now administrators can upload only files that are in the standard
    mime-type set (Fixes CVE-2008-2392)

wordpress (2.5.1-3) unstable; urgency=low

  * rss_language is now modifiable through wp-admin panel.
    Thanks to Lionel Elie Mamane (Closes: #461584)
  * Makes Wordpress depend on tinymce (>= 3.0.7)

 -- Emanuele Gentili <email address hidden> Wed, 23 Jul 2008 02:25:27 +0200

fixed for Intrepid, reopening to nominate for hardy. Should this be backported to other releases as well?

Actually, this seems to have been unfixed in Intrepid with the latest merges. All Ubuntu specific patches are gone without explanation. We will need to again fix all releases.

Hm, the Intrepid changelog still mentions the patch. Yet, I don't find it in the unpacked source code. I'll need to take a closer look.

My mistake was that I was looking at the Debian sources instead of the Ubuntu Intrepid sources.

I do believe there is a minor mistake in the patch for Intrepid though. The if-statement is not commented, thus leading to an imbalance.

maybe we should update dapper-backports as well?

Hi,

Your jaunty patch appears to be incorrect, it leaves the patch trying to remove
commented lines and put in uncommented ones. Did you reverse the patch
while trying to update it?

Thanks,

James

I am busy with a new merge for Jaunty and I will look at this patch.

I dont have a working WP installation, but as a cleaner patch to this, could I propose and someone please test by

hash or remove

add_action( 'admin_notices', 'update_nag', 3 );

From wp-admin/includes/update.php at line 43.

I did not roll a new package, but just commented out that particular line in /usr/share/wordpress/wp-admin/includes/update.php That seems to work well for the warning message in the upper part.

But there is also a warning in the footer which seems to be set in lines 5-26 in /usr/share/wordpress/wp-admin/includes/update.php

Here is how I think /usr/share/wordpress/wp-admin/includes/update.php may be patched. If the experts agree, I'll prepare a debdiff which includes this patch.

Hi Rolf,

Your diff looks sensible to me.

Thanks,

James

Hi Rolf,

Patch looks good. I will put this into the merge.

Thanks for your work!

Stefan, the merge for Jaunty? I'll prepare a debdiff for hardy and intrepid only, then.

Yes, Jaunty merge. My debdiff for that is up at https://bugs.edge.launchpad.net/ubuntu/+source/wordpress/+bug/301340. If you could do the diff for hardy and intrepid, that would be great. Please follow the SRU guidelines for them.

https://wiki.ubuntu.com/StableReleaseUpdates

Let me know if you need any assistance.

Thanks!

does this look OK?

Hi,

Here are the diffs after cleanups.

Thanks,

James

This bug was fixed in the package wordpress - 2.5.1-10ubuntu1

---------------
wordpress (2.5.1-10ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes: (LP: #301340)
   + debian/apache.conf:
    - Changed to use /var/www instead of /srv/www for virtual webroot.
   + debian/setup-mysql:
    - Changed to use /var/www instead of /srv/www.
  * debian/patches/010_remove_update_notice.patch:
    - Reworked original patch to remove Wordpress upgrade notify
      in admin dashboard (Rolf Leggewie) (LP: #227547)
  * Include patch for CVE2008-3747 (LP: #269301)

wordpress (2.5.1-10) unstable; urgency=high

  * 007CVE2008-2392.patch modified.
   Now users chan dinamically choose to enable unrestricted upload for admins.
  * 010_REQUEST.patch added.
   This patch is only a workaround for #504771. Now cookies are properly
   checked; if something malicious is found wordpress stops any other execution
   until cookies are not cleaned.

 -- Stefan Lesicnik <email address hidden> Sun, 23 Nov 2008 18:12:33 +0200

reopening for hardy and intrepid

Hi,

The Hardy and Intrepid tasks are still open, the Jaunty one is closed
with the upload of the merge, which is what the "Fix Released" there
signifies.

Thanks,

James

motu-sru, ack?

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

verified fix for hardy, please release to -updates

verified fix for intrepid, please release to -updates

This bug was fixed in the package wordpress - 2.5.1-8ubuntu1.1

---------------
wordpress (2.5.1-8ubuntu1.1) intrepid-proposed; urgency=low

  * supersede debian/patches/010_remove_update_notice.patch with
    improved version from LP: #227547.

 -- Rolf Leggewie <email address hidden> Sun, 23 Nov 2008 19:04:41 +0100

This bug was fixed in the package wordpress - 2.3.3-1ubuntu1.1

---------------
wordpress (2.3.3-1ubuntu1.1) hardy-proposed; urgency=low

  * suppress the "new release available. please update" warning. LP: #227547

 -- Rolf Leggewie <email address hidden> Sun, 23 Nov 2008 20:04:50 +0100

 wordpress (2.8.3-1) unstable; urgency=medium

   * [f625087] Imported Upstream version 2.8.3 (Closes: #533387, #539411)
     This release fixed several security issue:
     - Privileges unchecked and multiple information disclosures.
       (CVE-2009-2334, CVE-2009-2335, CVE-2009-2336) (Closes: #536724)
     - CVE-2009-2431, CVE-2009-2432: Obtain sensitive information
       (Closes: #537146)
     - CVE-2008-6762: Open redirect vulnerability in wp-admin/upgrade.php
       (Closes: #531736)
   * [347c164] debian/control: Added Giuseppe Iuculano in Uploaders,
     added Vcs and DM-Upload-Allowed control field
   * [92fb4ab] Bump to debhelper 7 compatibility levels
   * [5b8536e] Refreshing patches
   * [d999c0e] Added a watch file
   * [4163c0c] debian/rules: Do not remove the autosave tinymce plugin, there
     isn't anymore.
   * [9c4d0e5] debian/get-upstream-i18n: download .xpi files into
     debian/languages
   * [76b7c5c] Install language files
   * [a0bfad2] Move gettext in Build-Depends-Indep
   * [8b607bf] Use set -e instead of passing -e to the shell on the #!
     line
   * [6cbbf36] debian/patches/009CVE2008-6767.dpatch: Only admin can
     upgrade wordpress. (CVE-2008-6767) (Closes: #531736)
   * [d6adfbe] Disabled the the "please update" warning, thanks to Hans
     Spaans and Rolf Leggewie (Closes: #506685)
   * [15c360c] Updated to standards version 3.8.2 (No changes needed)

 -- Giuseppe Iuculano <email address hidden> Tue, 11 Aug 2009 16:30:35 +0200