iTechnoBuzz!!

Get the latest techno news, get your techno life updated.


Posts Tagged ‘ update ’

Ryan Boren, the lead developer of the WordPress team, has just announced the release of the WordPress 2.8.6 security update through the WP blog. The release fixes two vulnerabilities that are relevant only to blogs with more than one author, like iTB, as they can only be exploited by registered, logged-in users with posting rights. In his blog post, Ryan Boren suggests that webmasters with untrusted authors update to WordPress 2.8.6.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The update is now officially available on WordPress.org and can be downloaded from http://wordpress.org/download/. To update your WordPress blog to v2.8.6, all you need to do is click Automatic Update in your WordPress Dashboard (Admin Panel), and within a minute your blog will be upgraded to WordPress 2.8.6.

The WordPress 2.8.6 upgrade does not require any update to the WordPress database, but before updating it is recommended to back up both your WordPress files hosted on the server and the MySQL database, which could be required in case the upgrade fails for any reason.


On October 20, Peter Westwood released WordPress 2.8.5 and termed it the “Hardening Release”. A hardening release means more preventive measures have been taken to secure WordPress.

Worthy of note, though, is a fix for a trackback spam denial-of-service attack that was discussed on the WP-Hackers mailing list the other day. The attack abuses the WP-Trackback.php file to exhaust a server's resources. This problem is specifically addressed in the Hardening Release. This release also includes some bug fixes.

The headline changes in this release are:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

Peter Westwood recommends that webmasters check out the WordPress Exploit Scanner if they think their site may have been hit by one of the recent exploits and want to make sure that all traces of the exploit have been cleared out.


Why This update?

On August 10, a vulnerability in WordPress 2.8.3 was discovered by Laurent Gaffié and posted on the test and security portal milw0rm. The vulnerability is named Remote admin reset password and could be exploited by an attacker to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3.

Response by WordPress

In response to this exploit, the WordPress team has released WordPress 2.8.4 as a fix; the exploit is still under consideration, to keep track of future problems and fix issues. All WordPress users are strongly advised to update their blogs to the latest version, 2.8.4.

You can download the latest version of WordPress, i.e. WordPress 2.8.4, by clicking here. Or you can simply use the automatic upgrade option in your dashboard to upgrade your WordPress to v2.8.4. Remember to take a backup of your database and files before upgrading to the new version. You can do it by using phpMyAdmin in your host cPanel, or, for newbies and beginners, you can simply use the WordPress Automatic Upgrade plugin, which provides options to download the backup automatically.

For any help or queries regarding the same, use the comment box under this post.


In the previous post of mine, I had updated you about the critical security vulnerability in Firefox 3.5. In response to this, the Firefox 3.5.1 update is now available. The updated setup is now available on the Mozilla website. If you are already using Firefox 3.5, you can update your Firefox to v3.5.1 simply by going through

Help >> Check for updates..

A new window like the one in the screenshot will pop up, and all you need to do is click Update Firefox.

A critical security vulnerability was discovered in Firefox 3.5, and this update fixes that vulnerability on its own. If the update is still not available to you, you can fix this problem manually with the following steps:

  • Enter about:config in the location bar to access advanced preferences.
  • Look for javascript.options.jit.content and double click it to set it to false.

If you had already applied the above steps and this update is available to you, then you need to undo the manual changes you made before. To do this, simply follow the previous 2 steps and double-click javascript.options.jit.content to set it to true. Now you are ready to update your Firefox to v3.5.1.
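To find profiles where the manual workaround above is still in place and needs undoing, the check below reads each profile's prefs.js and user.js. It is an added example, not part of the original post or Mozilla's tooling; the function names and the sample profile directories are hypothetical and constructed here.

```shell
#!/bin/sh
# Added example: find Firefox profiles where the manual JIT workaround
# (javascript.options.jit.content = false) is still in place.

# Print the value one prefs file sets for the pref, or nothing if unset.
# Commented-out lines are ignored; if the pref repeats, the last line wins.
pref_value() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*user_pref("javascript\.options\.jit\.content"[[:space:]]*,[[:space:]]*\([a-z]*\)[[:space:]]*);.*/\1/p' "$1" | tail -n 1
}

# Classify one profile directory. user.js is re-applied over prefs.js at
# every start-up, so a value there survives a toggle made in about:config.
profile_state() {
    user=$(pref_value "$1/user.js")
    prefs=$(pref_value "$1/prefs.js")
    if [ "$user" = false ]; then
        echo pinned-off-in-user.js
    elif [ "$prefs" = false ] && [ "$user" != true ]; then
        echo workaround-active
    else
        echo jit-enabled
    fi
}

# Print "<state><TAB><profile dir>" for every profile under a profiles root.
audit_profiles() {
    for dir in "$1"/*/; do
        [ -f "${dir}prefs.js" ] || [ -f "${dir}user.js" ] || continue
        printf '%s\t%s\n' "$(profile_state "${dir%/}")" "${dir%/}"
    done
}

# Constructed sample profiles (hypothetical names), so the script runs offline.
root=$(mktemp -d)
mkdir "$root/a.default" "$root/b.work" "$root/c.test"
echo 'user_pref("javascript.options.jit.content", false);' > "$root/a.default/prefs.js"
echo 'user_pref("browser.startup.page", 3);' > "$root/b.work/prefs.js"
echo 'user_pref("javascript.options.jit.content", false);' > "$root/c.test/user.js"
audit_profiles "$root"
rm -rf "$root"
```

Call `audit_profiles` with the directory that holds your Firefox profiles (for example `~/.mozilla/firefox` on Linux). A profile reported as pinned in user.js needs the line removed from that file, because double-clicking the preference in about:config will not stick across restarts.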

If you do not get the update option in your Firefox, you can get it from their US website by clicking here.

The Mozilla team is working on decreasing the start-up time of Firefox, which I guess will be provided in the next update at the end of this month.
