WordPress 3.5.2 has been released. It is a security release that fixes 12 bugs, including the following security issues:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.
You are advised to upgrade immediately.
Download: WordPress 3.5.2 or visit Dashboard -> Updates in your site admin to update now.
WordPress 3.5.1 has been released and fixes 37 bugs including the following issues:
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
Additionally, a bug affecting Windows servers running IIS can prevent updating from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.
WordPress 3.5.1 also addresses the following security issues:
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
Download: WordPress 3.5.1 or visit Dashboard -> Updates in your site admin to update now.
WordPress 3.5 is out after 6 RCs!
If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.
Codex: WordPress 3.5
Download: WordPress 3.5
WordPress 3.5 RC3 has been released. I am expecting it to be the last RC, and we will see the final WordPress 3.5 sometime within this week. No idea whether they will meet the originally targeted date of 5th December 2012.
- Final UI improvements for the new media manager, based on lots of great feedback.
- Show more information about uploading errors when they occur.
- When inserting an image into a post, don’t forget the alternative text.
- Fixes for the new admin button styles.
- Improvements for mobile devices, Internet Explorer, and right-to-left languages.
- Fix cookies for subdomain installs when multisite is installed in a subdirectory.
- Fix ms-files.php rewriting for very old multisite installs.
Here is a list of pending issues (6 left): http://core.trac.wordpress.org/report/5
Download: WordPress 3.5 RC3
WordPress 3.5 RC2 has been released, and if everything is OK, we expect to see the final version of WordPress 3.5 next Wednesday, 5th December 2012.
Here is a list of pending issues: http://core.trac.wordpress.org/report/6
Download: WordPress 3.5 RC2