Security Fixes on WordPress

Lorelle has reported on the latest security update to WordPress – you need to download WordPress 2.02.  Incidentally, I don’t know Lorelle, it’s just that that is how she is named on her blog.

Cunningly, no one is actually saying what the update addresses, merely that it fixes some unannounced bugs and that the ones publicly announced by others are not fixed.  I think I’ll wait for version 2.1, personally.

Anyway, if you are in a panic about some bugs which the developers know about but no one else does, go ahead and download and install it.

WordPress 2.1 looks to have some interesting additions to the program.  But in my view, if we don’t get public notification of bugs I may just jump to some other software – Geeklog or b2evolution or somesuch.  Maybe Linux has spoiled me, I just like to know when I’m at risk.

Advertisements

Posted on 12 March, 2006, in Blogging/WordPress, News. Bookmark the permalink. 4 Comments.

  1. WP-Trac mailing list (bug tracking system)
    WP-Hackers mailing list (some discussion of bugs, even security related, goes on here)
    WP-SVN mailing list (immediate notifications of changes to the code)

    The “bug” (alleged security issue) actually was fixed in 2.0.2 here… but that wasn’t the reason for the update (because it wasn’t a valid security concern).

    As to what the update addresses:
    SQL injection, XSS and CSF loopholes that were discovered internally, as well as a few miscelaneous non-security-related bugs (like the one in changeset 3584).

    See here for the whole list of what has changed in the 2.0 branch.

    I understand your concern with regards to openness… but considering that there was no public knowledge of these security bugs (and thus, no instances of them being exploited), it wouldn’t make sense to explicitly describe the security holes when the new version is offered. That would only give the script kiddies a head start. This way, the public knows that there are security issues being addressed, and that the upgrade fixes them, but any would-be exploiters have to actually work to figure out what they are.

    It’s not that the bugs are being hidden… they’re there for everyone to see in the links I just provided… they’re just not being advertised in explicit detail just yet.

  2. While I accept, to a certain degree, what you are saying, I would say that the fact that you have to hunt around the bug tracker woulddissuade most of the WP users from finding out about it. It’s a pretty imperfect way of telling people that there’s a problem.

    I am a Linux user, which means that I expect to see announcements saying “users of [software]-versionx.x should update to versionx.y because the following exploit will make your system vulnerable in this way” The way WP chooses to do it does not make it safer (if I were a cracker, I would look at the bug-tracker).

    Looking at the WP dashboard on my site, when 2.0.1 was released, there was a link to all the fixed things. 2.0.2 doesn’t have this – compare http://wordpress.org/development/2006/01/201-release/ with http://wordpress.org/development/2006/03/security-202/

  3. Yeah, I updated as well… Doesn’t seem that too many files are updated. It would be nice if we could get the patched files list and update only those. Re-uploading the entire package every time seems a bit overkill.

  4. I am trying to download new updates at proper time but with every new build wordpress script becomes more heavy and heavy. It requires more memory. Sometimes even cache plugins don't help.

%d bloggers like this: