[wp-testers] Re: 2.0.10 and 2.1.3 Release Candidates

Tom Mount tmountjr at gmail.com
Fri Mar 16 22:53:53 GMT 2007


On 3/16/07, Ryan Boren <ryan at boren.nu> wrote:
> On 3/14/07, Ryan Boren <ryan at boren.nu> wrote:
> > Release candidates are up for 2.0.10 and 2.1.3.  These address all
> > known vulnerabilities including the following:
> >
> > http://www.virtuax.be/advisories/Advisory4-20022007.txt
> > http://secunia.com/advisories/24485/
> > http://secunia.com/advisories/24430/
>
> RC2 for both 2.0.10 and 2.1.3 is out.  The following bugs are fixed:
>
> http://trac.wordpress.org/ticket/3979
> http://trac.wordpress.org/ticket/3981
>
> Also, some more attribute_escapes were added to a few places.
>
> http://trac.wordpress.org/changeset/5046
> http://trac.wordpress.org/changeset/5050
>
> Areas that need testing are paging (posts_nav_link,
> previous_posts_link, next_posts_link), xmlrpc uploading (for 2.1),
> nonce AYS confirmations, and page on front (for 2.1).
>
> Mark and I have been auditing the code and think we have found all
> places where we should attribute_escape, but we could use some more
> eyeballs.  Attributes that might contain user supplied content should
> always receive attribute_escape treatment before being output.  This
> includes $pagenow and PHP_SELF.  If you see any places where PHP_SELF
> or $pagenow are being output, check to make sure they are being
> properly escaped.  These should rarely be output by WP core, and
> plugins and themes should probably avoid outputting them altogether.
> Also, please give wp_nonce_ays() a thorough review.  This function has
> been the source of many bugs.
>
> Acunetix should run cleanly against the RCs.  If you have a
> vulnerability scanner handy, run it against the RCs and let us know if
> something pops up.
>
> RC2 packages are available on the release archive page.
>
> http://wordpress.org/download/release-archive/
>
> Here are direct links to the packages along with md5 checksums.
>
> http://wordpress.org/wordpress-2.0.10-RC2.zip
>
> md5sum: cb6def9ae1d30c89a104d931b8e240c4
>
> http://wordpress.org/wordpress-2.0.10-RC2.tar.gz
>
> 04d32f69e6df17562f3d26d993a3f0b7
>
> http://wordpress.org/wordpress-2.1.3-RC2.zip
>
> 4f95bfbe9176a423fd794c3c6f38381c
>
> http://wordpress.org/wordpress-2.1.3-RC2.tar.gz
>
> 8dcbf82fbdff4f0214e1d8862e281e7e
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>

Not that this is a big deal, but it looks like
/wp-includes/version.php wasn't updated to reflect the new build
number and RC status - I copied over all the new files from the latest
release and it still shows RC1.
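
The attribute_escape rule from Ryan's message, as an added example that is not code from the thread or from WordPress core; the fallback definition of attribute_escape() and the request path are assumptions so the snippet runs outside WordPress:

```php
<?php
// Added example for the escaping guidance in the quoted message; it is not
// WordPress core code. attribute_escape() is the WordPress 2.0/2.1 function
// the thread refers to. The fallback below is an assumed stand-in so this
// file runs outside WordPress; inside WordPress the real function is used.
if (!function_exists('attribute_escape')) {
    function attribute_escape($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request path (assumption): PHP_SELF reflects the requested
// path, so a request for /wp-admin/edit.php/"x puts a double quote into
// the value, and $pagenow is derived from the same path in WP core.
$_SERVER['PHP_SELF'] = '/wp-admin/edit.php/"x';
$pagenow = basename($_SERVER['PHP_SELF']);

// Before: the raw value closes the action attribute early, so whatever
// follows the quote is no longer part of the attribute value.
function form_action_unescaped() {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// After: attribute_escape() converts the quote to its HTML entity, so the
// whole path stays inside the attribute. Same treatment for $pagenow.
function form_action_escaped() {
    return '<form action="' . attribute_escape($_SERVER['PHP_SELF']) . '" method="post">';
}

function pagenow_link_escaped($pagenow) {
    return '<a href="' . attribute_escape($pagenow) . '">current page</a>';
}

// A minimal check of the kind Ryan asks reviewers to do by eye: an
// attribute value that still contains a raw double quote was not escaped.
function attribute_value_is_clean($markup) {
    preg_match('/action="([^"]*)"/', $markup, $m);
    $value = isset($m[1]) ? $m[1] : '';
    return strpos($value, '"') === false && strpos($markup, '"x"') === false;
}

echo form_action_unescaped(), "\n";
echo form_action_escaped(), "\n";
echo pagenow_link_escaped($pagenow), "\n";
echo attribute_value_is_clean(form_action_unescaped()) ? "clean\n" : "unescaped\n";
echo attribute_value_is_clean(form_action_escaped()) ? "clean\n" : "unescaped\n";
```

The same before/after applies to any attribute built from $pagenow, PHP_SELF, or other user-influenced values; the check function is only a rough illustration, not a substitute for reviewing each output site.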
