5.0 beta 3 is out, which means they are close to releasing 5.0

Planned date of release is 19th November.

version 4.9.8 package was uploaded tonight.

This has a few fixes including a security patch. If someone uploads a plugin but it's not a zip file, it isn't deleted and the file could be executed.

security update for stable was uploaded yesterday. This release is the 4.9.5 patches ported to 4.7.5 and fixes CVE-2018-12895.

Debian stable users should be on 4.7.5+dfsg-2+deb9u4 and unstable/testing use 4.9.5-1.

Well at least this time had a nice simple clear patch for what was needed to backport.

Sometimes their changelogs and patches don't line up, in so far as finding the security fixes.

packages for 4.9.7 just uploaded. These fix an arbitrary file deletion bug that anyone with Author privs can use.

I always knew that bugs in for example were bad. I'm reading the web application hackers handbook and it explains what you can do with it.

A good explanation and yeah it's bad.

Is there anything worse than hand writing JSON files? Yes, it's patching other people's code. With security bugs, I get to do both!

Securing using

How to set up AppArmor so it limits the WordPress code to access only what it needs and not everything available to the user. AppArmor is a Mandatory Access Control (MAC) system similar to

I have success with the profile for . It switches hats and keeps WordPress where it should be. I'll write it up later.

The for on webserver was a moderate success.

It is in complain mode and I need to do more tests like upload an image, but it is reasonably simple to set up.

I think I'll lock off theme and plugin updates by default and switch them on when needed.

What is a worry is the non-WordPress WSGI stuff just works with no rules. I'm not sure why.
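As an added illustration of the layout the posts above describe (this is not the author's profile, which was not posted), an AppArmor profile fragment for Apache with a WordPress hat: core read-only, uploads writable but never readable as PHP, themes and plugins read-only until an update is wanted. Assumptions: Debian package paths (core under /usr/share/wordpress, writable content under /var/lib/wordpress/wp-content, config under /etc/wordpress), in-process mod_php with mod_apparmor, and the hat name `wordpress` selected by `AAHatName wordpress` in the `<Directory>` block for the WordPress docroot.

```apparmor
# Added example, not the author's own profile. Paths assume the Debian layout.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/apache2-common>

  capability net_bind_service,
  capability setgid,
  capability setuid,

  /usr/sbin/apache2 mr,
  /usr/lib/apache2/modules/*.so mr,
  /usr/lib/php/**.so mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /run/apache2/** rwk,

  # Everything WordPress does happens inside this hat, entered by mod_apparmor
  # for requests under the WordPress docroot (AAHatName wordpress).
  ^wordpress {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Core code, bundled PHP libraries and Debian config: readable, never writable.
    /usr/share/wordpress/** r,
    /usr/share/php/** r,
    /etc/wordpress/config-*.php r,
    /etc/php/**/*.ini r,

    # Media uploads must be writable, but nothing placed there may be read back
    # as PHP or written with a PHP name; deny rules win over allow rules.
    /var/lib/wordpress/wp-content/uploads/** rw,
    deny /var/lib/wordpress/wp-content/uploads/**.php* rw,

    # Themes and plugins: read-only by default. This blocks in-browser theme and
    # plugin updates and the "drop a payload into the theme" pattern; relax the
    # deny rules temporarily (then reload) when an update is actually wanted.
    /var/lib/wordpress/wp-content/themes/** r,
    /var/lib/wordpress/wp-content/plugins/** r,
    deny /var/lib/wordpress/wp-content/themes/** w,
    deny /var/lib/wordpress/wp-content/plugins/** w,

    # Database socket, PHP sessions and temp files.
    /run/mysqld/mysqld.sock rw,
    /var/lib/php/sessions/** rwk,
    /tmp/** rw,
  }
}
```

Start it with `aa-complain` and watch the audit log for DENIED lines while exercising uploads and admin pages before switching to `aa-enforce`.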

version 4.9.4 is out and the packages are being uploaded right now.

You may have seen a lot of noise about 4.9.4 and how the sky is falling with 4.9.3 and you really need to update. The problem with 4.9.3 is it breaks the auto-update but if you use the Debian packages you don't use that method anyhow.

Still, it's good to update, if only to have the latest set of WordPress bugs in your system.

This update does not have the resource DoS fix (CVE-2018-6389).

From what I am seeing on trac, it looks like there will soon be a new maintenance and maybe security release.

If you still run on Jessie the security update made it onto the mirrors yesterday.

Sorry for the delay, but patching and checking something that old is hard.

The security updates for Stretch just got uploaded. This fixes CVE-2017-1709[1234], which was in WordPress 4.9.1, as well as CVE-2017-16510.

Jessie updates fix these and CVE-2017-9066 and will be ready for review if I can get my build environment happy.

At first I thought WordPress had another security bug but this time it's hacked sites running something bad in the themes. A key logger and Bitcoin miner as the payload.

Why themes? These are usually updated via the website so are writable by the web server process. Often the core WordPress code is not.

If anyone wants to help me with and and removing the non-free component I'd appreciate that.

