news.fp.o
Toshio Kuratomi
a.badger at gmail.com
Thu Feb 21 15:55:59 UTC 2008
Mike McGrath wrote:
> On Wed, 20 Feb 2008, seth vidal wrote:
>
>> On Wed, 2008-02-20 at 19:32 -0700, Stephen John Smoogen wrote:
>>
>>> Ok one thing to find out on this.. is what are the security aspects of
>>> using wordpress. I am probably not the person to mention this as I
>>> partially flamed a Red Hat employee earlier this month about their
>>> views on WordPress.. but it would be good to make sure that it isn't
>>> going to be a problem security wise.
>>>
>> wordpress is actively maintained and widely used. It has a security
>> track record of all php programs but it also has a good record of quick
>> turn around times for issues.
>>
>
> Additionally, mod_security will help us deal with 0day exploits and some
> other things. I think wordpress has an ok security record but that's by
> reputation, not research, anyone have a moment to look and post to the
> list?
>
This is a highly inaccurate measure of security but it's something to
look at. I wonder if lkundrak and the security team have a preference
for blogging/news software :-)

Number of CVEs listed on http://nvd.nist.gov/nvd.cfm

       wordpress  drupal  mediawiki  zope  plone
2008          30      17          1     0      0
2007          64      37          7     2      1
2006          21      39          4     1      3

These numbers show a big difference between mediawiki and drupal or
wordpress. The questions are just how valid the numbers are and whether
we're confident that the combination of SELinux (which we will then
depend on; no more turning it off if we can't figure out a problem) and
mod_security will keep our servers and users of the sites safe from the
exploits that will appear.
-Toshio