WordPress 3.0.5 & 3.1 RC4 has been released:
WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.
This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.
Three point oh point five
Three point one comes soon
The release addresses a number of issues and provides two additional enhancements:
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.
Thanks to Nils Jueneman and Saddy for their private and responsible disclosures to email@example.com for two of the issues. The others were reported or repaired by our security team.
Changelog: WordPress 3.0.5
Download: WordPress 3.0.5
Download: Modified files since WordPress 3.0.4
WordPress 3.1 RC4
The Release Candidate 4 build includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs. This includes fixes for:
- Deleting a user and reassigning their posts to another user.
- Marking multiple users or sites as spam in multisite.
- PHP4 compatibility.
As outlined in previous RC posts, if you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:
To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If any new issues become known, you’ll be able to find them here.
After nearly five months of development and testing, we think we’re very close to a final release. Users and developers, please test your themes and plugins.
Download: WordPress 3.1 RC4
WordPress 3.0.4 has been released and it a critical update as it fixes an XSS vulnerability.
It is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as critical.
I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.
If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.
Changelog: WordPress 3.0.4
Download: WordPress 3.0.4
Download: Modified files since WordPress 3.0.3
WordPress 3.0.3 has been released and it is yet another security update.
This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.
These issues only affect sites that have remote publishing enabled.
Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings > Writing” screen.
Changelog: WordPress 3.0.3
Download: WordPress 3.0.3
Download: Modified files since WordPress 3.0.2
WordPress 3.0.2 is out and it is recommended for everyone to upgrade as it is a mandatory security update for all previous WordPress versions.
- Fixed moderate security issue where a malicious Author-level user could gain further access to the site.
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
- [Fixed other issues]
Changelog: WordPress 3.0.2
Download: WordPress 3.0.2
Download: Modified files since WordPress 3.0.1
WordPress 3.0.1 has been released.
After nearly 11 million downloads of WordPress 3.0 in just 42 days, we’re releasing WordPress 3.0.1.
This maintenance release addresses about 50 minor issues. The testing many of you contributed prior to the release of 3.0 helped make it one of the best and most stable releases we’ve had.
Changelog: WordPress 3.0.1
Download: WordPress 3.0.1
Download: Modified files since WordPress 3.0.0