WordPress 2.6.3 is out, it fixes a Snoopy class vulnerability.
A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.
Replace these 2 files:
Download full version:
- Coke Studio – WP-Polls
- Ford Motor Company Global Auto Cars Shows – WP-PostRatings
- Mashable – WP-PostRatings
- MTV Buzz Worthy Blog – WP-Email
- Smashing Magazine – WP-PageNavi
- The Martha Stewart Blog – WP-Polls
- Truemors – WP-PostRatings
- Playstation Blog – WP-PostRatings
- Wall Street Journal Blog – WP-Print
- Weblog Tools Collection – WP-PostRatings
- WordPress Showcase – WP-PostRatings
- Xerox Blogs – WP-Email
- Yahoo Blog (Yodel Anecdotal) – WP-PostRatings
- ZDNet Blog – WP-Polls
Feel free to add to the list by posting in the comments.
The next update of my plugins will feature right-to-left (RTL) language support, and this was done by Kambiz. He did a great job updating all my plugins to support RTL and fixing some minor bugs along the way. Kudos to you, Kambiz!
I have not been developing at all, besides committing the changes that Kambiz made, since my school started on 22 August 2008. Hopefully I will have time to finish what I have planned for the next update in December 2008, when I will have only a one-month break.
Just to reiterate, I have decided to stop developing WP-Sticky, as WordPress 2.7 will have that feature built in, and hence WP-Sticky 1.31 is the last version.
WordPress 2.7 will also feature comment threading and paging. Comment paging is the feature I have been waiting for!
Ryan Boren has posted a list of confirmed features that will appear in WordPress 2.7. Some of these features are still under development and should be done soon.
- New admin UI based on the crazyhorse experimental UI branch with new menus and navigation
- New edit post page that allows dragging and dropping of meta boxes. Boxes can be expanded and collapsed as before and now also completely hidden.
- Ability to hide columns on the content index pages
- Inline editing of posts and pages on the content index pages
- Comments XMLRPC API (Who wants comment moderation on the iPhone? Me.)
- Reply to comments from the admin
- Keyboard hot keys for managing comments
- Threaded Comments and new wp_list_comments() API
- Sticky Posts
- Automatic plugin install and integrated plugin browser
- Automatic upgrade of WordPress
- HTTPOnly auth cookies
- New HTTP request API
- A new SSH2 filesystem abstraction for updates and installs over sftp
Theme update, install, and browsing may also get done in time for 2.7.
WordPress 2.6.2 has been released.
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
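As an added example (not WordPress's own code), here is the shape of the registration-time check that closes the column-truncation hole described above, the weak exact-match check beside a hardened one, plus a CSPRNG-backed replacement for mt_rand()-style password generation. The 60-character column width and the MySQL truncation and trailing-space behaviours it models are assumptions noted in the comments.

```python
import secrets
import string

# Assumption: the user_login column is VARCHAR(60), as in wp_users of this era.
USER_LOGIN_MAX_LEN = 60


def weak_is_available(login: str, existing: set[str]) -> bool:
    """Pre-fix shape of the check: exact string match and no length limit.

    A candidate that differs from an existing login only beyond the column
    width, or only by trailing spaces, is wrongly reported as available.
    """
    return login not in existing


def normalize_login(login: str) -> str:
    """What the database ends up comparing, under two assumed MySQL behaviours:
    a non-strict server silently truncates an over-long INSERT to the column
    width, and a PAD SPACE collation ignores trailing spaces on comparison."""
    return login[:USER_LOGIN_MAX_LEN].rstrip(" ")


def validate_new_login(login: str, existing: set[str]) -> str:
    """Hardened check: never let anything reach the database that could be
    silently altered on the way in, and compare against the normalized form
    of every existing login. Returns the login to store or raises ValueError.
    (Server-side, sql_mode STRICT_TRANS_TABLES turns truncation into an
    error instead of a silent cut; do both.)"""
    if not login:
        raise ValueError("login is empty")
    if len(login) > USER_LOGIN_MAX_LEN:
        raise ValueError("login exceeds column width; would be truncated")
    if login != login.strip():
        raise ValueError("login has leading or trailing whitespace")
    taken = {normalize_login(e) for e in existing}
    if normalize_login(login) in taken:
        raise ValueError("login collides with an existing user after normalization")
    return login


def generate_reset_password(length: int = 12) -> str:
    """Random password from the OS CSPRNG rather than a seeded PRNG, so a
    reset password cannot be predicted from the generator's seed."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```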
Here is a list of bugs fixed:
- Can’t control where a user redirects to when they log in
- Bug in textpattern import
- include mysql version in version check query string
- RSS widget shouldn’t link if there isn’t a link
- get_post_meta fails to unserialize when $single=false
- typing error in wp-settings.php
- comment_max_links causes confusion when zero
- get_posts not working properly
- Insert image into post always inserts full size
- Filter news on templates can't work
- Typo in post revisions
Here is a list of changed files:
Download WordPress 2.6.2