WordPress 2.6.5 – Security and Bug Fix Released
Um … meh … great.
WordPress 2.6.5 has been released, which is a security upgrade.
I did not expect this at all as WordPress 2.7 is supposed to be released very soon.
And what is in this security release? Well, there is one security fix and three bug fixes.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Got that? Good. Me neither.
Now what I think it the most important part of this is where is 2.6.4?
Well, a fake WordPress site released version 2.6.4 that contained code that opens up the entire WordPress installation. There is no version 2.6.4. If you are running it, your WordPress was hacked. Instructions for clearing this up are available at Viper007Bond.
As always, I recommend upgrading to 2.6.5. Enjoy! I know how you all love the upgrades.
***Update: This release can be updated with 5 files rather than having to upgrade the entire installation.
- /wp-admin/users.php
- /wp-includes/feed.php
- /wp-includes/post.php
- /wp-includes/version.php
- xmlrpc.php
photo credit: Heraklit
Related Posts:
November 26, 2008 at 1:41 pm
Yay! Another upgrade.
:-)
November 26, 2008 at 3:28 pm
Vered – LOL – I was actually thinking of you when writing the article. I was surprised by this. I really didn’t think there would be one before 2.7
November 27, 2008 at 5:50 am
Thank god, these upgrades are always so fun! (sarcasm) I’m glad that 2.7 will have an automatic update function to make life easier.
Jeremy´s last blog post – How To: Properly Exit An Airplane Seat
November 27, 2008 at 8:37 am
@Jeremy – There is an auto upgrade plugin that can be used now. I am not a fan of auto-upgrade though and have written about it before.
http://www.kimwoodbridge.com/upgrading-wordpress-manually/
November 28, 2008 at 4:27 am
I always use the upgrades as a good excuse to backup my databases. As far as I’m concerned, they could have one a week ;)
Sire´s last blog post – Blond Bombshell Finds The True Worth Of Vanity
November 28, 2008 at 8:38 am
@Sire – Please don’t tell me that’s the only time you backup.
I have a good automated system that backs up the database every day.
http://www.kimwoodbridge.com/dont-rely-on-your-host-and-lose-your-blog-backup-wordpress/
November 28, 2008 at 4:44 pm
OK, I wont ;) , but truth be told, apart from my wassupblog, where the backups are emailed to me on a daily basis, I only backup when I get updates. I know I’m slack. I will get to it eventually.
Sire´s last blog post – Wassup’s Bloggers Forum Adding To The Blogging Experience
November 28, 2008 at 4:46 pm
@Sire – Ok good :-) Most hosts have backups too. I use that automated system for three blogs and since setting it up haven’t even had to think about it. I moved one of the sites to it’s own domain today and having the backup made things so much easier when I created the new database.