Comments on: Upgraded to WordPress 2.3.3 ‘Coz of Security Issues, Again!

By: DreamHost Enters Into Application Hosting | HostingFu

DreamHost Enters Into Application Hosting | HostingFu — Thu, 07 Feb 2008 01:16:07 +0000

[...] Posted on February 7, 2008 – 10:18am Yesterday on my personal blog, I wrote about WordPress 2.3.3 upgrade due to a security exploit, and one issue I wrote in the comment, is that there are just too many blogs out there installed by [...]

By: mark

mark — Wed, 06 Feb 2008 06:04:47 +0000

not all wordpress sucks, just the diy version ;)

XML-RPC?

unsupported branches?

security issues?

$ svn diff?

2.1/2.2?

“there might be millions of blogs out there that are not patched because they were installed by Fantastico and alike”

holy cow, I wouldn’t wish that stuff on my worst enemy and certainly never recommend it to a non programmer, yet it’s still the one of the most popular blogging solutions? crazy world.

By: Matt

Matt — Wed, 06 Feb 2008 02:44:54 +0000

Man it frustrates me too. Hopefully with the update notification added in 2.3 and the one-click upgrades coming in 2.5 we’ll get more people updating when we do a release.

I think you also have a good point that we need to put pressure on the hosts and Fantastico to take responsibility for the blogs that they set up and stay current with releases.

By: scotty

scotty — Wed, 06 Feb 2008 02:30:33 +0000

Matt,

Thanks for the clarification, especially on how the ticket was updated. No, I am not being angry, but frustrated. It is easy for me to keep up with WordPress development and new releases, but (due to WP’s popularity) there might be millions of blogs out there that are not patched because they were installed by Fantastico and alike. A few days ago I have to report to PodShow that some of their blogs were hacked — and I thought they are big and tech-savvy enough to know that they need to keep up to date? Not entirely WordPress’ fault, but frustrating nevertheless.

Sorry that I did not know the official stable branches are 2.0 and 2.3. I have just checked the code and it appears 2.0/2.1 are not affected but 2.2/2.3.2 are.

Thanks again for the explanation.

By: Matt

Matt — Wed, 06 Feb 2008 01:55:55 +0000

It’s sounds like you’re pretty angry about this release, and it always sucks to have to do one due to security, but let me clarify two things.

The ticket is a little confusing, even though the issue was opened up 3 months ago there was not enough information to identify the issue and it was closed. The original poster said as much on wp-hackers the other day. When the new issue came to light Lloyd Budd edited the ticket to update it with the new information, and the fix was there within hours, not months later as it may look from the ticket.

The problem doesn’t apply to 2.0 users, which is the stable branch we’ve committed to maintaining through 2010. 2.1/2.2 are both unsupported branches, I don’t think they’re affected by this issue but they probably have others, you should be running either 2.0.latest or 2.3.latest. You could also protect your blog from this and the previous issue you refer to by turning off open registration, which is actually off by default when you install WP.

Do you have any more questions about the release I could answer? I’m happy to try my best to clarify what the situation is and what the thinking was behind issues.