I just noticed that the LTS team have just updated the for Debian

The latest is 4.7.22+dfsg-0+deb9u1


:wordpress: 5.8.3 is out and fixes 4 security holes including a SQL injection. That last one needs a badly behaving plugin but we know how rare those are 😜

:debian: Sid packages already uploaded. Bullseye and buster just waiting on reviews to upload and should be available in a day or so.

version 5.7 is out. This is a feature enhancement release with some tweaks done to the editor and the blocks. There are also some colour enhancements and a jQuery update.

packages are built and uploaded so should be available soon.

packages for 5.6.1 were just uploaded to the Debian FTP servers.

It fixes 20 bugs and 7 issues; not sure what the difference is but there you go.

While 5.6.1 is a short-cycle release, it may be the one that gets frozen in the next Debian stable, due to timing of the freeze and the 5.7 WordPress release.


Hmm, I tried following my plugin user and it just says "Cancel follow request". Any idea what has to happen for a follow request to be confirmed?

This is for the activitypub plugin.

Well, that took longer than expected.

packages 5.5.3 was uploaded yesterday fixing several security issues. I have also sent version 5.0.11 for review to update Debian Buster.

Guess what? Another security release of This release was 5.5.2 but something broke and they now have 5.5.3

LTS already got their updates in, I'll be working on the update for sid tonight.


I got a bug report for the version of where the logout redirect failed because it was neither a relative URL nor one with a host.

Upstream of the same version worked fine so it was one of my patches. I found the relevant patch and it was a duplicate. This is where I bring a fix in early but we had now caught up to the version with the fix.

Odd thing was the patch took. So the URL manipulation was done twice.

packages for 5.4.2 just got uploaded. They will be available from your local mirror soon.

They would have been there a day earlier except I forgot to actually sign and upload them!

5.4.2 is a security release and fixes about 6 security vulnerabilities plus an annoying problem where spammers can use the brief time between sending a spammy comment and it getting deleted.

Looking through my spam folder I have found something curious.

Spammers are using some sort of automated script to walk through part of the website and despite getting a 403 in the comments link the comment makes it through (although it ends up in the spam folder).

I'm not sure how to debug this further but wish I knew what they're sending to do that.

Guess what? have released a new version and it's a security fix. There are 6 security bugs fixed, they even have CVE IDs! Much excitement.

Pretty much every version of wordpress is vulnerable except for CVE-2020-11030 because the block editor is new from about WordPress 5.0 or so.

I'll be cooking up the packages this weekend.

packages for 5.4 are now uploaded. Yes, only 2 numbers so it is *not* a security fix, yay!

I can't really see much that is different. They have done some enhancements in the editor and there is a new 2020 theme but other than that, it's the same WordPress you know and love (or hate, or both, whatever).

I've just uploaded the backported packages for for Buster. This fixes all security bugs fixed in WordPress 5.2.3, 5.2.4 and 5.3.1 ready for buster.

package for 5.3.2 has just been uploaded. This fixes some important problems introduced in 5.3.1. That version fixed a few security-related bugs, mainly XSS (again).

The update should be available for Debian sid in the next few hours.

Found a curious bug in the package last night. There is a reasonably old security patch for CVE-2017-14990 where the activation key is stored in plaintext for multisite users (normal users it's hashed).

Anyway it's a broken patch because it doesn't decide the user id. Easy to fix but I never used it before.

5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.


I have now used the system package for libjs-underscore rather than the one shipped with . For once, the Debian version is newer but linking it didn't seem to give any errors on a browser console. It also meant I had to update my profile for wordpress.

WordPress version 5.2.3 is now out which is a security release. It fixes a bunch of XSS problems and some sanitization problems. Debian packages soon.


5.2.2 packages now uploaded to the FTP servers.

Not really sure what they changed between 5.2.1 and 5.2.2 just some tweaks by the look of things.

Also 5.3 should be out soon.

