WordPress 3.5.2 Security Release

WordPress 3.5.2 just shipped and addresses a few security issues, one of which was brought up around June 7th. The release also contains a few bug fixes. It’s been a while since we’ve seen a dedicated security release, but I guess it’s time to start a new streak.

Also of note is that the WordPress team has decided to fork the SWFUpload project so that they can maintain it with security fixes. The Make.WordPress.core post strongly urges developers not to use SWFUpload at all and, if they must, to use the WordPress fork. It’s interesting that WordPress itself no longer uses this library, yet it continues to ship with WordPress because plugins have not been updated to use Plupload.

Last but not least, some information geared towards everyone.

We do not condone the use of abandonware. We only wish to make the web a better place by ensuring that developers have access to a secure version of SWFUpload, when the only alternative may be to use insecure code.

If you think you have found a vulnerability in this fork of SWFUpload, we appreciate your help in disclosing it to us responsibly. Please email reports of security vulnerabilities to swfupload-security AT wordpress.org. These reports will be reviewed by the WordPress security team and by security researchers contributing to this project, including Neal and Szymon.

If you’re testing WordPress, WordPress 3.6 Beta 4 includes all of the fixes in 3.5.2.

12 Comments


  1. I searched with ‘wordpress’ in Google News last night, and the v3.6 story barely made the first page of returns; a single hit.

    The dominant story is an investigation showing that 20% of plugins have “security issues” or “vulnerabilities”.

    This story is plainly being played as ‘Those plugins that we can hang around the neck of WordPress like a dead albatross’.

    In fact, the less inhibited just go right ahead and write it up as, ‘See? WordPress is a baddie’! That the issue (uh, such as it actually may be) is with plugins that are written by 100s or 1,000s of different volunteers is mentioned down in the fine print somewhere, if anywhere.
    =====

    Now remember, we’re the Media, and we’re frightened of the Internet. And it’s not paranoia, when your industry – not to say your own job & erstwhile pension – are going the way of the ol’-time Rust Belt … which was a natural & logical thing, in our view, and a testament to our personal vision of Progress, of course! But anyway…

    Anything that can be posed as an empowerment, enabler or popularizer of the dreaded Internet (for which we can blame the possible purchase & total desecration of Our Beloved Los Angeles Times by the filthy mega-billionaire Tea Partying Obama-opposer Koch Bros!) … is fair game. Lock, load, and fire at will.

    WordPress makes the Internet much more accessible to the Masses, and it has really given them (omg!) an enhanced publishing capability of their own (gag)! The power of the Press should be reserved only to ourselves! And those whose bias & prejudices we adore and blatantly promote in a mockery of our own Journalistic Principles.

    So come on now people … you know what to do. Get in there and dig for those security thingies. Stretch the definition of security to fit our goal, leave the nature of any issue vague and write it up like a Hot Line to Osama bin Laden!



  2. I upgraded 2 of my sites to WP 3.5.2 and… the “links” tab is missing from the dashboard, and there is no “links widget” in the widget section either.

    So, no more blogroll??



  3. My v3.5.2 still has a “Links: Your blogroll” widget showing in the Admin page. Did it get put down in the Inactive area, below the main list?

    The “Links” tab in the Dash still has All, Add and Categories. My motley ‘blogroll’ (links-collection) sprawls down the sidebar.

    A common source of glitches is plugins. If you have lots, click the Plugin checkbox at the top of the table to select them all, then open the Actions box and pick Deactivate. Then click Apply, log out, and log back in.

    With a strong Links or Blogroll interest, a person might have more than one plugin or widget for links and/or blogroll, and they can then be ‘fighting’ and preventing normal functions.

    Hope it clears up for you!



  4. Hi Ted,

    Tried that, didn’t work. However I did find a solution…

    Downloaded and activated “Link Manager” by WordPress Version 0.1-beta – and it brought the “links” tab along with my blogroll.

    Weird.



  5. @Marc – Which version of WordPress did you use for the initial install? Starting with WordPress 3.5, the Links area of WordPress is disabled by default unless it already contains link data.

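    The behaviour described in this comment is gated on the `link_manager_enabled` option, which the 3.5 upgrade sets only when the links table already has rows. As an added example (not code from the page, from WordPress core, or from the Link Manager plugin), here is a small must-use plugin that restores the Links area by short-circuiting that option read; the helper `example_raw_link_manager_option()` is a hypothetical name chosen for this illustration.

```php
<?php
/**
 * Plugin Name: Re-enable Link Manager (added example, not WordPress core code)
 * Description: Restores the Links admin area that WordPress 3.5+ hides when
 *              the site has no stored links. Drop into wp-content/mu-plugins/.
 */

// Guard against direct requests to this file outside the WordPress bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// WordPress 3.5 checks get_option( 'link_manager_enabled' ) before adding the
// Links menu. Returning a non-false value from the generic
// 'pre_option_{$option}' filter answers that lookup before the database is
// consulted, so no option row has to be created or edited.
add_filter( 'pre_option_link_manager_enabled', '__return_true' );

/**
 * Read the option as stored, bypassing the filter above, so an admin can see
 * what WordPress would have decided on its own (hypothetical helper name).
 *
 * @return array{stored_option:int,links_in_table:int,menu_visible:bool}
 */
function example_raw_link_manager_option() {
    global $wpdb;

    // Temporarily detach our override so get_option() hits the options table.
    remove_filter( 'pre_option_link_manager_enabled', '__return_true' );
    $stored = (int) get_option( 'link_manager_enabled', 0 );
    add_filter( 'pre_option_link_manager_enabled', '__return_true' );

    // $wpdb->links is the core table that holds blogroll entries.
    $count = (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->links}" );

    return array(
        'stored_option'  => $stored,
        'links_in_table' => $count,
        // With the filter active the menu is always shown; this reflects the
        // state the filter is overriding.
        'menu_visible'   => true,
    );
}
```

    The override only affects menu visibility; editing links is still controlled by the `manage_links` capability, so enabling the screen does not widen what a low-privilege user can do.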


  6. @Jeffro – it’s a 2-year-old site, updated with every version of WP since… It’s been through a lot of design changes, sometimes with a blogroll and sometimes not; perhaps my blogroll was not active at the previous update?? I don’t recall. I was not aware of the WP 3.5 links situation.

    But glad I know the fix now in case it happens with my other sites.



  7. @Jeffro – I saw your comment about the links area being disabled by default when it contains no data. How can I re-enable the links administration? I am working on WordPress 3.5.2 and I can’t see the links administration.
    Thanks!



  9. Can I upgrade from WP 3.5.2 to 3.6.1 without issues, or should I upgrade to WP 3.6 first and then proceed to 3.6.1?


Comments are closed.