Too Yellow to Name a Ticket – WordPress Security Bites Itself Again in 3.0.4 (Updated 2x)

WordPress 3.0.4 is out. What?! [UPDATE: The advisory is now online: Persistent XSS vulnerability – wordpress 3.0.3 (kses.php) ]

Keep cool. There is a release (all 3.0.2 to 3.0.4 changes), but actually Matt Mullenweg is asking for a pro-bono security review first.

[UPDATE: As this is exploitable for 2.9.2 blogs as well, I’ve created Ticket #16042 with a patch for 2.9.2]

Well, didn’t I suggest it in my last post regarding security? Matt, why don’t you act proactively?

Just do it. I mean, there should be enough money lying around. And if money is not the problem, what is the problem?

*coff* Rhetorical question, sure. Kudos to miqrogroove for struggling with KSES over the years. I really appreciate your feedback.

More coverage by:


5 Responses to Too Yellow to Name a Ticket – WordPress Security Bites Itself Again in 3.0.4 (Updated 2x)

  1. I’m not sure what your question signifies. As soon as a vulnerability is found, often by those trusted to dig into WordPress and uncover them, a patch is made and an update released. The one prior to this was four hours from discovery to release. A couple years ago, it was 10 minutes. So what are you asking? That WordPress have a team to investigate security issues? They do. All over the world. These are usually found long before the “bad guys” find them. So I don’t understand your question about being proactive.

    I work with many other publishing platforms and I wish they were as active, proactive and reactive to security issues. I’ve found many developers say, “Oh, it’s not serious. We can wait until the next major update to fix this.” I’ve never found that with WordPress when it comes to serious security issues. Aren’t we lucky, especially here on WordPress.com.

    • hakre says:

      Exploits don’t get reported that often lately. For the response time: the longest track for a reported and serious security issue in WP I know of is eight months.

      Now we’ve exchanged some arguments. Both sides do not show the whole picture as the problem lies somewhere else: Security is a process, often related to quality management and complexity of software.

  2. Pingback: TalkPress, Yet Another WordPress Echo Chamber

  3. Security is an issue, and growing concern, and there have been four security releases in less than one month with WordPress. I work closely with the WordPress team and haven’t heard of any “serious” security issue taking that long to release.

    Either way, it’s critical to get the word out and help people understand how important it is to update when a security release is announced. Too bad so many wait too long for fear of something breaking, when hacking is a bigger breakage. And too bad so many other software and web apps also wait so long.

    • hakre says:

      Sure, get the word out. And if you can, please suggest to the project that they should support the previous release next to the current lineup as well for security issues. Let’s say, for the security issues that have been reported for 3.0.x, to update the 2.9.x line-up as well. Major releases often break backwards compatibility and then those users can’t update security-wise. I think that’s common in other projects, no idea why WordPress doesn’t do it.
