Tech Talk

[WordPress v2.8.4 released]

FYI...

WordPress v2.8.4 released
- http://wordpress.org/download/
August 12, 2009 - "The latest stable release of WordPress (Version 2.8.4) is available..."

- http://secunia.com/advisories/36237/2/
Release Date: 2009-08-12
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: WordPress 2.x
Solution: Update to version 2.8.4...
Original Advisory: WordPress:
http://wordpress.org/development/2009/08/2-8-4-security-release/

 

[here]

FYI...

- http://news.cnet.com/8301-1009_3-10345900-83.html
September 5, 2009 - "A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software... The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4... The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected..."

- http://wordpress.org/development/2009/09/keep-wordpress-secure/
September 5, 2009

- http://securitylabs.websense.com/content/Blogs/3472.aspx
09.09.2009

 

[WordPress v2.8.5 released]

FYI...

WordPress v2.8.5 released
- http://wordpress.org/download/
October 20, 2009 - "The latest stable release of WordPress (Version 2.8.5) is available..."

- http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/
"... changes in this release are:
• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.
We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection. If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner*..."
* http://wordpress.org/extend/plugins/exploit-scanner/

- http://secunia.com/advisories/37088/2/
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: WordPress 2.x
Solution: Update to version 2.8.5...

 

[WordPress Exploit Scanner]

FYI...

WordPress Exploit Scanner
- http://wordpress.org/extend/plugins/exploit-scanner/
• Version: 0.6
• Last Updated: 2009-11-4
• Requires WordPress Version: 2.7.1 or higher
• Compatible up to: 2.8.5

 

[WordPress v2.8.6 released]

FYI...

WordPress v2.8.6 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 2.8.6) is available..."

- http://secunia.com/advisories/37332/2/
Release Date: 2009-11-13
Critical: Less critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: WordPress 2.x ...
Solution: Update to version 2.8.6...
Original Advisory:
http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
November 12, 2009 - "2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended. The first problem is an XSS vulnerability... The second problem... is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3890
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3891

 

[WordPress v2.9 released]

FYI...

WordPress v2.9 released
- http://wordpress.org/download/
December 19, 2009 - "The latest stable release of WordPress (Version 2.9) is available..."

- http://wordpress.org/development/2009/12/
"... You can upgrade easily from your Dashboard by going to Tools > Upgrade, or you can download from WordPress.org... over 500 tickets, bugs, and enhancements... in this release cycle*..."
* http://core.trac.wordpress.org/query?status=closed&milestone=2.9

- http://codex.wordpress.org/Version_2.9

 

[WordPress Woopra Analytics Plugin Arbitrary File Creation vuln]

FYI...

WordPress Woopra Analytics Plugin Arbitrary File Creation vuln
- http://secunia.com/advisories/37911/2/
Release Date: 2009-12-23
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Software: WordPress Woopra Analytics Plugin 1.x
Solution: Update to version 1.4.3.2
Remove ofc_upload_image.php file from the Open Flash Chart directory.
Original Advisory: http://wordpress.org/extend/plugins/woopra/changelog/
1.4.3.2 (12-21-09)
[SECURITY UPDATE] Removed 'ofc_upload_image.php' from the Open Flash Directory. Remove this file if you do upgrading manually.
[SVN CHANGE] Made a 1.4 branch and moved 'trunk' to the new development version of '1.5.x'
Version: 1.4.3.2
Last Updated: 2009-12-22
Requires WordPress Version: 2.7.0 or higher
Compatible up to: 2.9.0

 

[WordPress v2.9.1 released]

FYI...

WordPress v2.9.1 released
- http://wordpress.org/download/
Jan. 5, 2010 - "The latest stable release of WordPress (Version 2.9.1) is available..."

- http://wordpress.org/development/2010/01/

- http://codex.wordpress.org/Version_2.9.1

 

[WordPress v2.9.2 released]

FYI...

WordPress v2.9.2 released
- http://wordpress.org/download/
Feb. 15, 2010 - "The latest stable release of WordPress (Version 2.9.2) is available..."

- http://wordpress.org/development/2010/02/
"... If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2..."

- http://wordpress.org/development/2010/02/wordpress-2-9-2/
February 15, 2010 - "... visit the Tools->Upgrade menu to upgrade."

- http://secunia.com/advisories/38592/
Last Update: 2010-02-16

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0682

 

[WordPress v3.0 released]

FYI...

WordPress v3.0 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 3.0) is available..."

- http://wordpress.org/development/2010/06/
June 17, 2010 - "... 1,217 bug fixes and feature enhancements..."

- http://www.h-online.com/open/news/item/WordPress-3-0-adds-multi-site-support-1025027.html
18 June 2010
___

WordPress Simple:Press Plugin ...
- http://secunia.com/advisories/40496/
Release Date: 2010-07-05
Solution: Update to version 4.3.1.
http://mantis.simple-press.com/view_all_bug_page.php?filter=2284

- http://secunia.com/advisories/40446/
Release Date: 2010-07-05
Solution Status: Unpatched...
Solution: Edit the source code to ensure that input is properly sanitised...

WordPress WP-UserOnline Plugin ...
- http://secunia.com/advisories/40493/
Release Date: 2010-07-05
Solution: Update to version 2.70 or later...
http://scribu.net/wordpress/wp-useronline/wu-2-70.html
... Current version: 2.73

 

[WordPress v3.0.1 released]

FYI...

WordPress v3.0.1 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 3.0.1) is available..."

- http://wordpress.org/news/2010/07/
July 29, 2010 - "... This maintenance release addresses about -50- minor issues..."

 

[WordPress v3.0.2 released]

FYI...

WordPress v3.0.2 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 3.0.2) is available..."

- http://wordpress.org/news/2010/11/wordpress-3-0-2/
November 30, 2010 - "... mandatory security update for all previous WordPress versions..."

WordPress SQL Injection Vuln
- http://secunia.com/advisories/42431/
Release Date: 2010-12-01
Solution: Update to version 3.0.2.

- http://www.securitytracker.com/id?1024809
Dec 1 2010

- http://www.us-cert.gov/current/#wordpress_releases_wordpress_3_0
December 2, 2010

Over 500,000 Windows Live Spaces blogs migrated to WordPress.com
- http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/29/over-500-000-windows-live-spaces-blogs-migrated-to-wordpress-com.aspx
29 November 2010 - "... nearly 1 million new people now blogging on WordPress... those of you who haven’t gotten around to it yet, we want to remind you that you’ll need to do so before March 2011..."

 

[WordPress v3.0.3 released]

FYI...

WordPress v3.0.3 released
- http://wordpress.org/download/
December 8, 2010 - "The latest stable release of WordPress (Version 3.0.3) is available..."

- http://wordpress.org/news/2010/12/wordpress-3-0-3/
"... security update for all previous WordPress versions. This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts. These issues only affect sites that have remote publishing enabled. Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen..."

- http://www.securitytracker.com/id?1024842
Dec 9 2010

 

[WordPress v3.0.4 released]

FYI...

WordPress v3.0.4 released
- http://wordpress.org/download/
December 29, 2010

- http://wordpress.org/news/2010/12/3-0-4-update/
"Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download... it fixes a core security bug in our HTML sanitation library... rate this release as “critical”..."

- http://core.trac.wordpress.org/changeset/17172/branches/3.0

- http://www.securitytracker.com/id?1024928
Dec 29 2010

 

[Wordpress v3.0.5 released]

FYI...

Wordpress v3.0.5 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 3.0.5) is available..."

- http://wordpress.org/news/2011/02/wordpress-3-0-5/
February 7, 2011

- http://www.securitytracker.com/id/1025029
Feb 8 2011

- http://secunia.com/advisories/43238/
Release Date: 2011-02-09
Impact: Cross Site Scripting, Exposure of sensitive information
Where: From remote...
Solution: Update to version 3.0.5.