[wp-testers] Re: 2.0.10 and 2.1.3 Release Candidates
tmountjr at gmail.com
Fri Mar 16 22:53:53 GMT 2007
On 3/16/07, Ryan Boren <ryan at boren.nu> wrote:
> On 3/14/07, Ryan Boren <ryan at boren.nu> wrote:
> > Release candidates are up for 2.0.10 and 2.1.3. These address all
> > known vulnerabilities including the following:
> > http://www.virtuax.be/advisories/Advisory4-20022007.txt
> > http://secunia.com/advisories/24485/
> > http://secunia.com/advisories/24430/
> RC2 for both 2.0.10 and 2.1.3 is out. The following bugs are fixed:
> Also, some more attribute_escapes were added to a few places.
> Areas that need testing are paging (posts_nav_link,
> previous_posts_link, next_posts_link), xmlrpc uploading (for 2.1),
> nonce AYS confirmations, and page on front (for 2.1).
> Mark and I have been auditing the code and think we have found all
> places where we should attribute_escape, but we could use some more
> eyeballs. Attributes that might contain user supplied content should
> always receive attribute_escape treatment before being output. This
> includes $pagenow and PHP_SELF. If you see any places where PHP_SELF
> or $pagenow are being output, check to make sure they are being
> properly escaped. These should rarely be output by WP core, and
> plugins and themes should probably avoid outputting them altogether.
> Also, please give wp_nonce_ays() a thorough review. This function has
> been the source of many bugs.
> Acunetix should run cleanly against the RCs. If you have a
> vulnerability scanner handy, run it against the RCs and let us know if
> something pops up.
> RC2 packages are available on the release archive page.
> Here are direct links to the packages along with md5 checksums.
> md5sum: cb6def9ae1d30c89a104d931b8e240c4
Not that this is a big deal, but it looks like
/wp-includes/version.php wasn't updated to reflect the new build
number and RC status - I copied over all the new files from the latest
release and it still shows RC1.
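As an added audit helper, not part of this thread or of WordPress itself, here is a small Python script that does the "more eyeballs" check Ryan asks for: it flags lines that echo $pagenow or PHP_SELF without wrapping them in attribute_escape(). The sample template at the bottom is constructed for illustration, not taken from WP core.

```python
import re

# Output sinks the mail calls out: $pagenow and PHP_SELF in the common spellings.
SINK_RE = re.compile(r"\$pagenow\b|\$_SERVER\s*\[\s*['\"]PHP_SELF['\"]\s*\]|\$PHP_SELF\b")
# A line is an output site when it echoes/prints or opens a <?= short tag.
OUTPUT_RE = re.compile(r"\becho\b|\bprint\b|\bprintf\b|<\?=")
# The escaper the mail asks for; wrapping a sink in it counts as handled.
ESCAPER_RE = re.compile(r"\battribute_escape\s*\(")


def _escaped_spans(line):
    """(start, end) character spans of each attribute_escape(...) call on the line.
    A call whose closing paren is on a later line is treated as running to line end."""
    spans = []
    for m in ESCAPER_RE.finditer(line):
        depth, i = 0, m.end() - 1          # index of the opening paren
        while i < len(line):
            if line[i] == "(":
                depth += 1
            elif line[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        spans.append((m.start(), i))
    return spans


def find_unescaped(php_source):
    """Return [(line_no, line)] for output lines that emit a sink outside attribute_escape()."""
    findings = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if not OUTPUT_RE.search(line):
            continue                        # assignments and comparisons are not output
        spans = _escaped_spans(line)
        if any(not any(a <= s.start() <= b for a, b in spans) for s in SINK_RE.finditer(line)):
            findings.append((n, line.strip()))
    return findings


# Constructed sample template (hypothetical, not WordPress code): lines 5 and 6 should be flagged.
SAMPLE_PHP = """\
<?php
$pagenow = 'edit.php';
?>
<form action="<?php echo attribute_escape($_SERVER['PHP_SELF']); ?>">
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
<a href="<?php echo $pagenow . '?paged=2'; ?>">
<a href="<?= attribute_escape($pagenow) ?>">
<?php echo attribute_escape("$pagenow?paged=2"); ?>
"""

if __name__ == "__main__":
    for n, text in find_unescaped(SAMPLE_PHP):
        print(f"line {n}: unescaped output: {text}")
```

Run it over a checkout with `find_unescaped(open(path).read())` per file; a hit is a line to review, not proof of a bug, since a wrapper on a previous line or a different escaper is not recognised.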