WordPress 3.9.2 for Debian

WordPress today released security release 3.9.2, in which they fix several security issues, including a denial of service issue around XML. The corresponding Debian package 3.9.2+dfsg-1 is currently being uploaded to the Debian ftp-master server as I write this and should be available on the mirrors soon.

Unfortunately, at the time of writing there are no CVE identifiers to match these problems up with, but refer to the WordPress page for details about these bugs.

Andrew Nacin from WordPress has kindly outlined what versions are susceptible, and it looks like the Debian squeeze (3.6.1+dfsg-1~deb6u4) and wheezy (3.6.1+dfsg-1~deb7u3) versions are vulnerable to at least some of these bugs, which means for me it's patch reading and back-porting time.

 

WordPress 3.9.1

The Debian package of WordPress version 3.9.1 was uploaded to the ftp master recently.  While the update was pretty simple, the upload took a lot more doing. I’m not sure why the Debian ftp-master server didn’t like me, but it was so slow. Strangely, even dcut uploads were slow and they are only a few lines of text.

Apologies for the delay too, I’m not sure why I didn’t notice the update from 3.9 to 3.9.1 but there you go.

The other change is that the package uses the system CA certificates rather than the ones pre-shipped with WordPress. This is done so that if the administrator makes decisions on what certificates to trust, then the WordPress client HTTP libraries will follow that decision.

WordPress update needed for stable too

Yesterday I mentioned that WordPress had an important security update to 3.8.2. The particular security bugs also impact the stable Debian version of WordPress, so those patches have been backported. I’ve uploaded the changes to the security team, so hopefully there will be a new package soon.

The version you are looking for will be 3.6.1+dfsg-1~deb7u2 and will be on the Debian security mirrors.


Important WordPress update

WordPress 3.8.2 was released yesterday which contains some important security fixes. This is an important security release and the Debian packages were uploaded to the ftp-master a few minutes ago.

Besides fixing Debian Bug #744018, the release fixes the following two vulnerabilities (as mentioned in the bug report):

  • CVE-2014-0165 WordPress privilege escalation: prevent contributors from publishing posts
  • CVE-2014-0166 WordPress potential authentication cookie forgery

If you use the Debian package, I recommend upgrading as soon as it is available.

 


WordPress 3.8 for Debian

Well, if you can read this then you know it’s working. After way too many weeks, Debian will have WordPress version 3.8. Thanks to Raphaël for his kind assistance and answering my questions about how it was built. The upload is still gurgling along and will make it there in its own time. He said “Handing over packages is hard”; I’d agree, but say taking them over is too.

So, what does WordPress 3.8 look like? From the “frontend” I didn’t really notice much. The big changes, at least cosmetically, seem to be for the admin backend. It just looks slicker and cleaner.

Hopefully Debian users find the update useful and I’ve not broken anything.  There’s always the BTS if there is.  I’ve deliberately tried to minimise the changes for this version to limit the breakage.
