Guess what? Another security release of #wordpress. This release was 5.5.2, but something broke and they now have 5.5.3.
#debian LTS already got their updates in; I'll be working on the update for sid tonight.
Upstream of the same version worked fine, so it was one of my patches. I found the relevant patch and it was a duplicate. This is where I bring a fix in early, but we had now caught up to the version with the fix.
The odd thing was that the patch took, so the URL manipulation was done twice.
They would have been there a day earlier, except I forgot to actually sign and upload them!
5.4.2 is a security release and fixes about six security vulnerabilities, plus an annoying problem where spammers can use the brief time between sending a spammy comment and it getting deleted.
Looking through my #wordpress spam folder I have found something curious.
Spammers are using some sort of automated script to walk through part of the website, and despite getting a 403 on the comments link, the comment makes it through (although it ends up in the spam folder).
I'm not sure how to debug this further, but I wish I knew what they're sending to do that.
Guess what? #wordpress have released a new version and it's a security fix. There are 6 security bugs fixed; they even have CVE IDs! Much excitement.
Pretty much every version of WordPress is vulnerable, except for CVE-2020-11030, because the block editor is new from about WordPress 5.0 or so.
I'll be cooking up the #Debian packages this weekend.
I can't really see much that is different. They have done some enhancements in the editor and there is a new 2020 theme, but other than that, it's the same WordPress you know and love (or hate, or both, whatever).
Found a curious bug in the #debian #wordpress package last night. There is a reasonably old security patch for CVE-2017-14990 where the activation key is stored in plaintext for multisite users (for normal users it's hashed).
Anyway, it's a broken patch because it doesn't decide the user id. Easy to fix, but I never used it before.
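The difference the post above is pointing at, hashed-at-rest versus plaintext activation keys, as an added example that is not code from the original posts or from WordPress. The in-memory user table, the function names and the choice of PBKDF2 as the hasher are assumptions made for this illustration; the point is that a leaked or injected read of the stored row should not hand an attacker a usable key, and that the key is looked up and verified per user id.

```python
"""Hashed versus plaintext storage of an account-activation key.

Added example, not WordPress code. The in-memory table, function names and
the PBKDF2 hasher are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for a users table: user_id -> stored activation record.
_users = {}


def _derive(key: str, salt: bytes) -> str:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hasher the platform uses;
    # anything slow and salted is the point, not this specific primitive.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000).hex()


def issue_activation_key(user_id: int) -> str:
    """Hardened pattern: generate a random key, store only its salted hash and
    return the plaintext once so it can be mailed to the user."""
    key = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    _users[user_id] = {"salt": salt, "key_hash": _derive(key, salt)}
    return key


def store_plaintext_key(user_id: int) -> str:
    """Weak pattern described in the post: the key is saved as-is, so anyone who
    can read the row (SQL injection, leaked backup, rogue admin) can activate
    or take over the account without ever seeing the e-mail."""
    key = secrets.token_urlsafe(24)
    _users[user_id] = {"salt": None, "key_plain": key}
    return key


def verify_activation_key(user_id: int, presented: str) -> bool:
    """Look the record up by user id and compare in constant time."""
    rec = _users.get(user_id)
    if rec is None:
        return False
    if rec["salt"] is None:
        # Legacy plaintext row; still compared in constant time so the check
        # itself does not leak, but the storage is the problem (see below).
        return hmac.compare_digest(rec["key_plain"], presented)
    return hmac.compare_digest(rec["key_hash"], _derive(presented, rec["salt"]))


def stored_row_reveals_key(user_id: int, key: str) -> bool:
    """Does simply reading the stored row give an attacker the usable key?"""
    rec = _users[user_id]
    return rec.get("key_plain") == key
```

Run stand-alone it simply defines the two storage paths; the useful check is that a key issued by `issue_activation_key` verifies but cannot be recovered from the row, while one stored by `store_plaintext_key` verifies and is readable straight out of the table.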
#wordpress 5.2.4 is now available! This security release fixes 6 security issues.
WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.
WordPress version 5.2.3 is now out which is a security release. It fixes a bunch of XSS problems and some sanitization problems. Debian packages soon.
Not really sure what they changed between 5.2.1 and 5.2.2, just some tweaks by the look of things.
Also 5.3 should be out soon.
#wordpress users, do you use the plugin called Social Warfare? It has a bug where anyone can update a string setting, adding an eval().
So someone has decided to redirect sites with this plugin to a porn site. 😲
Best to delete this plugin.
#WordPress 5.1.1 is now available! This #security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2.
This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.
That should mean you're ok for most current WordPress security bugs except for CVE-2019-8943 which is a path traversal bug. I think it's fixed for WordPress proper but many modules are still vulnerable.
Instead of trying to pry apart all the changesets, there is now just a consolidated changeset between 4.7.11 and 4.7.12
4.7.12 is the 4.7 branch of fixes backported from 5.0.1. Just using the entire changeset makes it easier and helps with things like database updates.
Free Software programmer, network engineer and Debian developer.