[wp-hackers] Re: 2.0.10 and 2.1.3 Release Candidates

Ryan Boren ryan at boren.nu
Fri Mar 16 22:34:59 GMT 2007

On 3/14/07, Ryan Boren <ryan at boren.nu> wrote:
> Release candidates are up for 2.0.10 and 2.1.3.  These address all
> known vulnerabilities including the following:
> http://www.virtuax.be/advisories/Advisory4-20022007.txt
> http://secunia.com/advisories/24485/
> http://secunia.com/advisories/24430/

RC2 for both 2.0.10 and 2.1.3 is out.  The following bugs are fixed:


Also, some more attribute_escapes were added to a few places.


Areas that need testing are paging (posts_nav_link,
previous_posts_link, next_posts_link), xmlrpc uploading (for 2.1),
nonce AYS confirmations, and page on front (for 2.1).

Mark and I have been auditing the code and think we have found all
places where we should attribute_escape, but we could use some more
eyeballs.  Attributes that might contain user supplied content should
always receive attribute_escape treatment before being output.  This
includes $pagenow and PHP_SELF.  If you see any places where PHP_SELF
or $pagenow are being output, check to make sure they are being
properly escaped.  These should rarely be output by WP core, and
plugins and themes should probably avoid outputting them altogether.
Also, please give wp_nonce_ays() a thorough review.  This function has
been the source of many bugs.

Acunetix should run cleanly against the RCs.  If you have a
vulnerability scanner handy, run it against the RCs and let us know if
something pops up.

RC2 packages are available on the release archive page.


Here are direct links to the packages along with md5 checksums.


md5sum: cb6def9ae1d30c89a104d931b8e240c4







More information about the wp-hackers mailing list