WordPress 2.8.2 On The Way?

**Jeffro** · 07-20-2009 09:03 AM

I didn't think of it that way but you're right

**Otto** · 07-20-2009 09:13 AM

Here's the security changes:
http://core.trac.wordpress.org/chang...=11719%40trunk

Short version: The comment author email was not properly escaped, so it was/is possible to put code into there which would get displayed on the page. It was not particularly *easy* to do that, mind you, but it was still possible.

Security risk: Medium. It's an XSS bug, exploiting it is difficult but can be automated. If you allow comments, you're vulnerable. It would difficult to exploit this to gain deeper access to the site, due to the limited field size.

Most likely attack: Annoyance factor. Somebody could, for example, make a comment that caused the page to redirect when displayed.

**joetek** · 07-20-2009 11:40 AM

Even if you have had trouble with the autoupgrader, you could download it directly to your webhost and unzip it in place instead of downloading it to your computer, unzipping and then uploading to your webhost. That would likely be a faster option.

Looks like WPMU has been updated as well http://mu.wordpress.org/download/

**Martin** · 07-20-2009 12:35 PM

Manual upgrading is very easy and takes less then 5 minutes when I sometimes do it.

Delete the following folders and their content: wp-includes, wp-admin

Delete all loose WordPress files in the root of your install except one file: wp-config.php.

Move across new files not including folders: wp-includes, wp-admin and file wp-config-sample.php.

Go to the following link to finalize the upgrade: http://www.mysite.com//wp-admin/upgrade.php

That's it, use to do it like this all the time....

PS: Starting to like the auto-upgrade feature. Used it on about 40 sites today...

**itsananderson** · 07-20-2009 01:33 PM

I usually just upload the whole archive and overwrite everything (I've configured FileZilla to overwrite without asking). Saves the trouble of deleting anything.

Of course that's a moot point since I always use the auto up-grader now :)

**andrea_r** · 07-20-2009 03:13 PM

Yep, they're working hard to sync WPMU updates with WP ones as the merge gets closer.

(I'm kinda excited. Can I squee in here?)

**conorp** · 07-21-2009 01:58 AM

Well auto upgrade is quite slow as well for some reason. Its not the host at its fine on other internet connections

**chipbennett** · 07-21-2009 10:19 AM

Originally Posted by Jeffro

Annnd 2.8.2 is out the door which fixes a XSS vulnerability

http://wordpress.org/development/200...rdpress-2-8-2/

Finally had time to auto-upgrade today. All went smoothly, as is, by now, expected.

**MiroslavGlavic** · 07-22-2009 10:27 PM

upgrade upgrade upgrade upgrade upgrad.

Did I mention upgrade?

Most of these attacks are of very lazy admins. You can't just give up after installation.

You have to maintain your site, do your backups and so forth.

Thread: WordPress 2.8.2 On The Way?

LinkBack

Thread Tools

Display

Posting Permissions