WordPress 5.2.4

Hot on the heels of WordPress version 5.2.3 which fixed a bunch of stuff we have WordPress 5.2.4 with fixes for six security issues.

There is a certain trick to matching up what the WordPress Blog thinks has been fixed and the changsets between the old version and the new. The curious thing is there were 6 changsets backported to older versions of WordPress, so you might think “six issues, six changesets, what’s the problem?”. The problem is that two of them fix the same thing (or one sort-of fixed it and the second really did) and another I couldn’t link to any vulnerability, BUT it was to do with directory traversal issue.

The hardest part of maintaining the Debian WordPress packages is the backporting. Trying to link the changes to the bugs is next to impossible so I generally import all the ones they have in the specific major version and hope for the best. This isn’t ideal, but information about what the actual bugs are and how they are fixed is not forthcoming.

WordPress 5.1.1

The Debian packages for WordPress version 5.1.1 are being updated as I write this. This is a security fix for WordPress that stops comments causing a cross-site scripting bug. It’s an important one to update.

The backports should happen soon so even if you are using Debian stable you’ll be covered.

WordPress 5.0.1

While I missed the WordPress 5.0 release, it was only a few more days before there was a security release out.

So WordPress 5.0.1 will be available in Debian soon. This is both a security update from 5.0.1 and a huge feature update from the 4.9.x versions to the 5.0 versions.

The WordPress website, in their 5.0 announcement¬†describe all the changes better, but one of the main things is the new editor (which I’m using as I write this).¬† It’s certainly cleaner, or perhaps more sparse. I’m not sure if I like it yet.

The security fixes (there are 7) are the usual things you expect from a WordPress security update. The usual XSS and permission problems type stuff.

I have also in the 5.0.1 Debian package removed the build dependency to libphp-phpmailer. The issue with that package is there won’t be any more security updates for the version in Debian. WordPress has an embedded version of it which *I hope* they maintain. There is an issue about the phpmailer in WordPress, so hopefully it gets fixed soon.

wordpress 4.9.7

No sooner than I had patched WordPress 4.9.5 to fix the arbitrary unlink bug than I realised there is a WordPress 4.9.7 out there. This release (just out for Debian, if my Internet behaves) fixes the unlink bug found by RIPS Technologies.  However, the WordPress developers used a different method to fix it.

There will be Debian backports for WordPress that use one of these methods. It will come down to do those older versions use hooks and how different the code is in post.php

You should update, and if you don’t like WordPress deleting or editing its own files, perhaps consider using AppArmor.