I have now used the system package for libjs-underscore rather than the one shipped with . For once, the Debian version is newer, but linking it didn't seem to give any errors on a browser console. It also meant I had to update my profile for wordpress.

WordPress version 5.2.3 is now out, which is a security release. It fixes a bunch of XSS problems and some sanitization problems. Debian packages soon.


5.2.2 packages now uploaded to the FTP servers.

Not really sure what they changed between 5.2.1 and 5.2.2; just some tweaks by the look of things.

Also 5.3 should be out soon.


5.2.1 packages just got built and I'm uploading them in a few minutes.

Doesn't seem to be any major security updates despite the third digit. The WordPress website is saying 5.2.2 will be out soon too; now *that* one sounds like a security thing.

users, do you use the plugin called Social Warfare? It has a bug where anyone can update a string setting, adding an eval().

So someone has decided to redirect sites with this plugin to a porn site. 😲

Best to delete this plugin.


5.1.1 is now available! This and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2.

This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.

If you are running stable on the security update has made it to the repositories. The deb9u5 version is the backport of the 5.0.1 fixes.

That should mean you're ok for most current WordPress security bugs except for CVE-2019-8943 which is a path traversal bug. I think it's fixed for WordPress proper but many modules are still vulnerable.

The backports for the security fixes (based on the bugs in wordpress 5.0.1) are going to be a bit different from now.

Instead of trying to pry apart all the changesets, there is now just a consolidated changeset between 4.7.11 and 4.7.12.

4.7.12 is the 4.7 branch of fixes backported from 5.0.1. Just using the entire changeset makes it easier and helps with things like database updates.

Been also working on the 5.0.3 packages for . Yes, amazingly, this is not a security fix but fixes a lot of problems they found when they released the editor out into the wild.

Still need to work on the security fixes for stable distribution. 😭

5.0.2 is now available!

5.0.2 is a maintenance release that addresses 73 bugs. The primary focus of this release was performance improvements in the block editor: the cumulated performance gains make it 330% faster for a post with 200 blocks.


Would it kill the developers to actually reference the bug they are fixing in the commit log, or at least use the same words?

version 5.0.1 addresses several issues, some going back to version 3.8!


Looks like I'm building WordPress packages tonight. 😭

5.0 beta 3 is out, which means they are close to releasing 5.0

Planned date of release is 19th November.


version 4.9.8 package was uploaded tonight.

This has a few fixes including a security patch. If someone uploads a plugin but it's not a zip file, it isn't deleted and the file could be executed.

security update for stable was uploaded yesterday. This release is the 4.9.5 patches ported to 4.7.5 and fixes CVE-2018-12895.

Debian stable users should be on 4.7.5+dfsg-2+deb9u4 and unstable/testing use 4.9.5-1

Well at least this time had a nice simple clear patch for what was needed to backport.

Sometimes their changelogs and patches don't line up, insofar as finding the security fixes goes.

packages for 4.9.7 just uploaded. These fix an arbitrary file deletion bug that anyone with Author privs can use.


I always knew that bugs in for example were bad. I'm reading the web application hackers handbook and it explains what you can do with it.

A good explanation and yeah it's bad.

Is there anything worse than hand writing JSON files? Yes, it's patching other people's code. With security bugs, I get to do both!

Securing using

How to set up AppArmor so it limits the WordPress code to access only what it needs and not everything available to the user. AppArmor is a Mandatory Access Control (MAC) system similar to
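As an added illustration of what the how-to above is getting at, here is a hypothetical AppArmor profile for the php-fpm pool that runs WordPress. It is example code written for this page, not the author's profile and not anything shipped with Debian's wordpress package; the binary path, the PHP version and every filesystem path are assumptions based on the Debian package layout (code under /usr/share/wordpress, config under /etc/wordpress, writable data under /var/lib/wordpress/wp-content) and must be checked against the local install.

```apparmor
# Added example (not from the original post): a hypothetical AppArmor profile
# for the php-fpm pool serving WordPress on a Debian-style layout. The binary
# path, the PHP version and all paths below are assumptions; load the profile
# with aa-complain first and read the audit log before switching to aa-enforce.
#include <tunables/global>

profile wordpress-php-fpm /usr/sbin/php-fpm8.2 flags=(attach_disconnected) {
  #include <abstractions/base>

  # Privileges the php-fpm master needs to drop to the www-data worker user.
  capability setuid,
  capability setgid,
  capability chown,
  capability kill,

  # User/group lookup for the pool user, plus php-fpm's own configuration,
  # socket, pid file and log.
  /etc/passwd r,
  /etc/group r,
  /etc/php/** r,
  /run/php/ rw,
  /run/php/** rw,
  /var/log/php*-fpm.log w,

  # WordPress core, bundled PHP libraries and site configuration are
  # read-only: a compromised worker cannot plant a backdoor next to the
  # real code or rewrite the database credentials.
  /usr/share/wordpress/** r,
  /usr/share/php/** r,
  /etc/wordpress/** r,

  # The only trees WordPress may write: media uploads, PHP sessions and
  # the temporary files PHP creates while an upload is in flight.
  /var/lib/wordpress/wp-content/uploads/ rw,
  /var/lib/wordpress/wp-content/uploads/** rw,
  /var/lib/php/sessions/** rw,
  owner /tmp/** rw,

  # Database access over the local MariaDB/MySQL socket.
  /run/mysqld/mysqld.sock rw,

  # Name resolution, CA certificates and outbound TCP for WordPress's own
  # HTTPS calls (update checks, oEmbed). Remove the four 'network' lines to
  # forbid the site from talking to anything but the local database socket.
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/ssl/certs/ r,
  /etc/ssl/certs/** r,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  # Everything not listed above is already refused in enforce mode. These
  # rules are spelled out with 'audit deny' so that an attempt is written
  # to the audit log with the offending path; a plain 'deny' would refuse
  # it silently, and deny rules apply even in complain mode.
  audit deny /home/** rwx,
  audit deny /root/** rwx,
  audit deny /etc/shadow r,
  audit deny /var/lib/wordpress/wp-content/uploads/** x,
}
```

Install it as /etc/apparmor.d/wordpress-php-fpm, run aa-complain on it and exercise the site (log in, upload media, run a cron) while watching the audit log for DENIED entries, then aa-enforce once the list is clean. One caveat worth keeping in mind: AppArmor's x permission governs exec(), not PHP's include, so the deny-x rule on the uploads tree stops a dropped binary or script from being run as a program but does not by itself stop the web server from handing an uploaded .php file to the interpreter; that still needs the web server configured not to execute PHP from the uploads directory.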


Mastodon on Dropbear
