WordPress 3.3.2 (and WordPress 3.4 Beta 3)

WordPress 3.3.2 is available now and is a security update for all previous versions.

Three external libraries included in WordPress received security updates:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

Thanks to Neal Poole and Nathan Partlan for responsibly disclosing the bugs in Plupload and SWFUpload, and Szymon Gruszecki for a separate bug in SWFUpload.

WordPress 3.3.2 also addresses:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.

Not confident updating WordPress yourself? kimtown can do it for you! Visit the shoppe for this upgrade offer!


WordPress 3.4 Beta 3 also available

Our development of WordPress 3.4 continues. Today we are proud to release Beta 3 for testing. Nearly 90 changes have been made since Beta 2, released 9 days ago. (We are aiming for a beta every week.)

This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. (See the known issues here.) If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’s famous 5-minute install and spin up a secondary test site. Let us know what you think!

Version 3.4 Beta 3 includes all of the fixes included in version 3.3.2. Download WordPress 3.4 Beta 3 or use the WordPress Beta Tester plugin.

WordPress 3.1.4 (and 3.2 Release Candidate 3)

Mandatory Security update!

From the WP Blog:

WordPress 3.1.4 is available now and is a maintenance and security update for all previous versions.

This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team. Consult the change log for more details.

Download WordPress 3.1.4 or update immediately from the Dashboard → Updates menu in your site’s admin area.

WordPress 3.2 Release Candidate 3

This release was about all that stood in the way of a final release of WordPress 3.2. So we’re also announcing the third release candidate for 3.2, which contains all of the fixes in 3.1.4; a few minor RTL, JavaScript, and user interface fixes; and ensures graceful failures if 3.2 is run on PHP4. As a reminder, we’ve bumped our minimum requirements for version 3.2 to PHP 5.2.4 and MySQL 5.0.

To test WordPress 3.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). At this stage, plugin authors should be doing final tests to ensure compatibility.

Bonus: For more on what to test and what to do if you find an issue, please read our Beta 1 post.

CREDITS
(Disclaimer: We do not carry credit for this post nor any of the photographs; we are simply sharing information, you may not otherwise see, in accordance with the copyright laws and under a Creative Commons Attribution 3.0 License of the USA)

Original Post by WordPress.org

WordPress 3.1.1

WordPress 3.1.1 is now available. This maintenance and security release fixes almost thirty issues in 3.1, including:

  • Some security hardening to media uploads
  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

Version 3.1.1 also addresses three security issues discovered by WordPress core developers Jon Cave and Peter Westwood, of our security team. The first hardens CSRF prevention in the media uploader. The second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.

We suggest you update to 3.1.1 promptly. Download 3.1.1 or update automatically from the Dashboard => Updates menu in your site’s admin area.

If you aren’t comfortable with upgrading, we can do it for you!

Our release haiku:

Only the geeks know
What half this stuff even means
Don’t worry — update

Posted April 5, 2011 by Ryan Boren

WordPress 3.0 is HERE!

I’m MAJORLY excited to announce that WordPress has released 3.0. Here is their post found on the WordPress blog.

From the WordPress Blog:
Posted June 17, 2010 by Matt. Filed under Releases.
Arm your vuvuzelas: WordPress 3.0, the thirteenth major release of WordPress and the culmination of half a year of work by 218 contributors, is now available for download (or upgrade within your dashboard). Major new features in this release include a sexy new default theme called Twenty Ten. Theme developers have new APIs that allow them to easily implement custom backgrounds, headers, shortlinks, menus (no more file editing), post types, and taxonomies. (Twenty Ten theme shows all of that off.) Developers and network admins will appreciate the long-awaited merge of MU and WordPress, creating the new multi-site functionality which makes it possible to run one blog or ten million from the same installation. As a user, you will love the new lighter interface, the contextual help on every screen, the 1,217 bug fixes and feature enhancements, bulk updates so you can upgrade 15 plugins at once with a single click, and blah blah blah just watch the video. (In HD, if you can, so you can catch the Easter eggs.)

For a more comprehensive look at everything that has improved in 3.0 check out 3.0’s Codex page or the long list of issues in Trac. (We’re trying to keep these announcement posts shorter.) Whew! That’s a lot packed into one release. I can’t think of a better way to kick off the 3.X cycle we’ll be in for the next two and a half years.

The Future
Normally this is where I’d say we’re about to start work on 3.1, but we’re actually not. We’re going to take a release cycle off to focus on all of the things around WordPress. The growth of the community has been breathtaking, including over 10.3 million downloads of version 2.9, but so much of our effort has been focused on the core software it hasn’t left much time for anything else. Over the next three months we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless. The goal of the teams isn’t going to be to make things perfect all at once, just better than they are today. We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.

It Takes a Village
I’m proud to acknowledge the contributions of the following 218 people to the 3.0 release cycle. These are the folks that make WordPress what it is, whose collaboration and hard work enable us to build something greater than the sum of our parts. In alphabetical order, of course.

******If you need your blog upgraded to the latest version, head on over to the SHOPPE!*****

WordPress 2.8.5: Hardening Release (Should I wait for 2.9?)

It seems WordPress comes out with a new update every couple of months, but this is for good reason. When vulnerabilities are found in software, the company will release a patch to fix it, right? Well, WordPress is no different. If you are running anything less than 2.8.5 (released yesterday) then you need to upgrade NOW; don’t wait for 2.9.

There were numerous security issues with the release of 2.8 that they found and patched with several releases (up to 2.8.4). Now that 2.8.5 is out, it will fix the following security gaps:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

What does that mean to you? It means less chance for a hack or breach into your blog. What does that affect? It could affect a lot of things, not just your blog. After a breach is found in your software, it is open to viruses and hacks that can get into your server/host and destroy other parts of your entire server (and possibly others).

So unless you want a total online meltdown, upgrade your WordPress please. 😀

If you aren’t comfortable backing up your site and upgrading your blog, kimtown can do it for you. If you have ONE WordPress site to upgrade it’s $50 and you can purchase that HERE.

If you have TWO or more WordPress sites that you’ll need to upgrade, they are only $30 each. You can purchase that HERE.

Read the full post by WordPress.org