Important WordPress update

WordPress 3.8.2 was released yesterday, and it contains some important security fixes. This is an important security release, and the Debian packages were uploaded to ftp-master a few minutes ago.

Besides fixing Debian Bug #744018, the release fixes the following two vulnerabilities (as mentioned in the bug report):

  • CVE-2014-0165 WordPress privilege escalation: prevent contributors from publishing posts
  • CVE-2014-0166 WordPress potential authentication cookie forgery

If you use the Debian package, I recommend upgrading as soon as it is available.



WordPress 3.8 for Debian

Well, if you can read this then you know it’s working. After way too many weeks, Debian will have WordPress version 3.8. Thanks to Raphaël for his kind assistance and answering my questions about how it was built. The upload is still gurgling along and will make it there in its own time. He said “Handing over packages is hard”; I’d agree, but say taking over them is too.

So, what does WordPress 3.8 look like? From the “frontend” I didn’t really notice much. The big changes, at least cosmetically, seem to be for the admin backend. It just looks slicker and cleaner.

Hopefully Debian users find the update useful and I’ve not broken anything. There’s always the BTS if there is. I’ve deliberately tried to minimise the changes for this version to limit the breakage.


Odd WordPress pingbacks

I’m getting some odd log messages from the Apache module modsecurity. Essentially its XML parser is breaking when random places send pingbacks. The requests go to xmlrpc.php and the response headers are OK, but the body is binary. The message in the modsecurity log looks like:

Message: XML parser error: XML: Failed parsing document.

After a bit of guessing and sending messages to and fro, I can now see that it is a gzipped response. So I’m not sure if it is modsecurity not realising that the response is gzipped or WordPress not marking it correctly. In any case I can regularly get very similar binary strings using gzip and the usual XML response. So that’s half the mystery solved.
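As an added example (not code from the original post, nor from WordPress or modsecurity), here is a small Python check that separates the two explanations above: it looks for the gzip magic bytes in a response body, compares that with what the Content-Encoding header claims, and then tries the XML parse the way a filter in front of WordPress would. The pingback reply used as input is constructed for the example.

```python
import gzip
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"  # every gzip stream starts with these two bytes

def naive_parse_ok(body):
    """Parse the body as received, with no decoding: the path that yields
    'XML: Failed parsing document' when the body is really gzip."""
    try:
        ET.fromstring(body)
        return True
    except (ET.ParseError, ValueError):
        return False

def inspect_xmlrpc_body(headers, body):
    """Compare what Content-Encoding claims with what is on the wire, then
    decode if needed and check for an XML-RPC methodResponse."""
    declared = {k.lower(): v for k, v in headers.items()}.get("content-encoding", "")
    result = {
        "declared_gzip": "gzip" in declared.lower(),
        "wire_gzip": body.startswith(GZIP_MAGIC),
        "xml_ok": False,
        "method_response": False,
    }
    # Either direction of mismatch is the interesting case: gzip bytes with no
    # Content-Encoding header, or a header promising gzip over a plain body.
    result["mismatch"] = result["wire_gzip"] != result["declared_gzip"]
    payload = body
    if result["wire_gzip"]:
        try:
            payload = gzip.decompress(body)
        except (OSError, EOFError):
            return result  # truncated or corrupt gzip stream
    try:
        root = ET.fromstring(payload)
    except (ET.ParseError, ValueError):
        return result
    result["xml_ok"] = True
    result["method_response"] = root.tag == "methodResponse"
    return result

# Constructed sample: the kind of reply xmlrpc.php gives to a registered pingback.
PINGBACK_RESPONSE = (
    b'<?xml version="1.0"?><methodResponse><params><param><value>'
    b"<string>Pingback from http://example.com/ to http://example.org/ registered.</string>"
    b"</value></param></params></methodResponse>"
)
GZIPPED = gzip.compress(PINGBACK_RESPONSE)
```

Feeding the gzipped sample to `naive_parse_ok` reproduces the parser failure, while `inspect_xmlrpc_body` with no Content-Encoding header reports the mismatch and still recovers the methodResponse.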

Most of the requests are spammers so I’m not too worried. I think it also impacts legitimate pingbacks because I’ve not had any, even from the usual automatic places.

Getting around the WordPress "add image" bug

WordPress currently has an annoying bug where you cannot add images easily using the in-built editor. Instead of a pop-up being shown with the image setting details, you are sent to another page. Once you choose the image size etc., you go to a blank page. Until that’s fixed, there is a workaround. It’s not exactly pretty but it does work. I have assumed you have uploaded your images to the media library first.

First, type up what you want your blog entry to say. Then save it as a draft, which is the button in the blue circle in the screenshot. Then click the “add image” icon, which will bring up the warning to go to the image selection page. This page should be a pop-up on the same screen but is not (and that is the bug).


On the image selection page choose “Image library” (the blue circle) and edit the metadata such as the name, caption, etc. Once you are happy with your decisions, click the “Insert into Post” button (red circle), which goes to a blank screen.

The blank screen actually does have data in it. You will need to view the page source, which will show something like:


The stuff inside the win.send_to_editor call is what you want. You will also need to change the backslash-quotes to plain quotes, so the code I would use is:


You then enter this information back into your post (click back a few times in your browser). Also, make sure you have your editor set to HTML and not Visual for it to work. With that small bit of HTML, I have a nice set of home-grown tomatoes, or whatever else you want.
