Author Archive
WordPress 2.8.3 Security Release
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended. Download 2.8.3, or upgrade automatically from your admin.
WordPress 2.8.2
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.
WordPress 2.8.1
WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.
What else is new since 2.8? Read through the highlights below, or view all changes since 2.8.
- Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
- Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
- The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
- A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
- Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
- Translation of role names fixed.
- wp_page_menu() defaults to sorting by the user specified menu order rather than the page title.
- Upload error messages are now correctly reported.
- Autosave error experienced by some IE users is fixed.
- Styling glitch in the plugin editor fixed.
- SSH2 filesystem requirements updated.
- Switched back to curl as the default transport.
- Updated the translation library to avoid a problem with mbstring.func_overload.
- Stricter inline style sanitization.
- Stricter menu security.
- Disabled code highlighting due to browser incompatibilities.
- RTL layout fixes.
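An explicit permission check of the kind these notes refer to, shown as an added example (not WordPress core or any real plugin's code). The plugin, its `example_report_*` function names and its `example-report` slug are hypothetical, and the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
/*
Plugin Name: Example Report Page (hypothetical, for illustration)
*/

// Register the admin page. The third argument is the capability a user
// must hold for WordPress to list the page in the Settings menu.
add_action( 'admin_menu', 'example_report_add_page' );

function example_report_add_page() {
    add_options_page(
        'Example Report',         // page title
        'Example Report',         // menu label
        'manage_options',         // required capability
        'example-report',         // menu slug (hypothetical)
        'example_report_render'   // callback that prints the page
    );
}

// Print the page. The capability is checked again here, so the callback
// refuses to run for an unprivileged user no matter how it was reached,
// instead of relying only on the menu registration above.
function example_report_render() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }

    // Data that should only be visible to administrators.
    $admin_email = get_option( 'admin_email' );

    echo '<div class="wrap">';
    echo '<h2>Example Report</h2>';
    // Escape on output, even for values read from the options table.
    echo '<p>Admin e-mail: ' . esc_html( $admin_email ) . '</p>';
    echo '</div>';
}
```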
WordPress 2.8.1 Release Candidate 1
2.8.1 is nigh. Release Candidate 1 is our last stop before the final release. Please download RC1, review the changes made since beta 2, and have a look at all of the tickets fixed in 2.8.1. Thanks for testing WordPress.
WordPress 2.8.1 Beta 2
2.8.1 Beta 2 is ready for testing. Download it, check out the changes since beta 1, and review all tickets fixed in 2.8.1. We especially suggest, recommend, and beg that plugin developers test their plugins against beta 2 and let us know of any issues. Notable fixes in beta 2:
- Translation of role names fixed
- wp_page_menu() defaults to sorting by the user specified menu order rather than the page title
- Upload error messages are now correctly reported
- Autosave error experienced by some IE users is fixed
- Styling glitch in the plugin editor fixed
- SSH2 filesystem requirements updated
- Switched back to curl as the default transport
- Updated the translation library to avoid a problem with mbstring.func_overload
Thanks again for testing WordPress.
WordPress 2.8.1 Beta 1
We’ve started work on the first maintenance release to 2.8. 2.8.1 will fix a handful of bugs that turned up in 2.8. Today we’re releasing the first beta of 2.8.1. Download it, and check out the bugs fixed so far. Here are some of the notable issues that are fixed in beta 1.
- Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
- Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
- The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
- A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
- Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
If you would like to automatically upgrade from 2.8 to 2.8.1 Beta 1, follow these instructions. Thanks for testing WordPress.
Summary of #wordpress-dev IRC meetup for 20090603
- Next Wednesday, June 10th, is the target date for the release of WordPress 2.8. Tickets against the 2.8 milestone that are not blockers will be postponed to another release.
- WP 2.9 will require MySQL 4.1.2 or greater. This is raised from the current requirement of 4.0.
- Checks will be added to the automatic upgrader that will prevent upgrading to 2.9 if MySQL < 4.1.2 is being used. The upgrader will also issue a notice that suggests asking the host to upgrade MySQL to meet the minimum requirement.
- In order to promote migration to PHP 5, the upgrader will suggest that those running PHP 4 switch to PHP 5. A link to a Codex page describing how to switch for various hosts should be provided.
- The new weekly IRC meetup time will be every Wednesday at 9pm UTC.