Security Update

Posted May 27, 2005 by Matt Mullenweg. Filed under Security.

It has come to our attention that under certain circumstances there is a security vulnerability in WordPress that may be triggered if you’re running the default template. We were able to respond very quickly (under 40 minutes) and update the download to 1.5.1.2. You can upgrade by overwriting your old 1.5 files, or, if you would like to apply the fix manually, it is relatively simple:

  1. Open the wp-includes/template-functions-category.php file in a text editor like Wordpad.
  2. Go to around line 103 where it says get_the_category_by_ID.
  3. Create a new line after that and paste in $cat_ID = (int) $cat_ID;
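
What the one-line cast in step 3 does to the values that can reach the function, next to a stricter check that rejects bad input instead of coercing it. This is an added example, not WordPress code; the helper names normalize_cat_id() and validate_cat_id() and the sample inputs are made up for illustration.

```php
<?php
// Added illustration, not WordPress code.
// normalize_cat_id() and validate_cat_id() are hypothetical helper names.

// The approach from the manual fix: coerce whatever arrived to an integer.
// Anything that is not a leading number is silently dropped.
function normalize_cat_id($cat_ID) {
    return (int) $cat_ID;
}

// Stricter alternative: accept only a positive integer, reject everything else.
// Returns the integer on success and null on rejection.
function validate_cat_id($cat_ID) {
    $id = filter_var($cat_ID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs: clean IDs, IDs with trailing text, empty and
// non-string values of the kind a request parameter can deliver.
$samples = ['7', ' 12', '7abc', 'abc', '', '-3', '1e3', null, ['7']];

foreach ($samples as $raw) {
    $cast   = normalize_cat_id($raw);
    $strict = validate_cat_id($raw);
    printf(
        "%-8s cast=%-6d strict=%s\n",
        json_encode($raw),
        $cast,
        $strict === null ? 'rejected' : (string) $strict
    );
}
```

The cast guarantees that only an integer is used from that line on, which is what the fix relies on; the strict variant additionally lets the caller tell a malformed ID apart from a valid one.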

After the problem was found we audited the codebase for any similar problems and nothing was found.

One note: even if the vulnerability was present in your blog, you would still be safe if your host ran mod_security on their servers. It is an Apache module which can provide very high-level protection against everything from vulnerabilities like the one above to comment spam. We will be updating the hosting page shortly to reflect which hosts there support mod_security.

WordPress 1.5.1 (Updated)

Posted May 9, 2005 by Matt Mullenweg. Filed under Releases.

Update: In our effort to optimize we made two mistakes in 1.5.1, one related to feeds and one related to trackbacks and pingbacks. We’ve updated the download with 1.5.1.1 which corrects these bugs and a few others.

It seemed like a good time to brighten everyone’s Monday with a new release of everyone’s favorite blogging software. We’re happy to announce the immediate availability of WordPress 1.5.1 for free download. By our counter there were 207,981 downloads of 1.5.0 and we hope even more people will enjoy this latest release.

What’s new? Our crack documentation team has put together a short, technical changelog, but to summarize, this release has a ton of bug fixes, enhancements, and an important security fix. (Thanks again to Thomas Waldegger.) Plugin authors especially will love all the new API hooks and functionality we added to make advanced extensions to WordPress even easier. As a user you’ll find WordPress will run faster and make the world an even better place. Many thanks go out to our amazing testing and development team, who together squashed over 170 bugs!

With our new theme system in place upgrading should be a piece of cake: Just overwrite your old WordPress files and be careful not to delete anything important in your wp-content folder. There are more detailed upgrade instructions on the Codex if you need them. After you’ve upgraded consider helping a friend for extra karma points.
