WordPress update available


114 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 April 2008 - 07:46 AM

FYI...

WordPress 2.5 released
- http://wordpress.org/development/2008/
March 29, 2008

Download:
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 2.5)..."

Changelog:
- http://codex.wordpress.org/Version_2.5


> http://blog.trendmic...ily-javascript/ !!!
March 31, 2008

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#17 AplusWebMaster


Posted 25 April 2008 - 08:16 AM

FYI...

- http://secunia.com/advisories/29949/
Release Date: 2008-04-25
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
...The vulnerability is confirmed in version 2.3.3.
Solution: Fixed in the SVN repository.
http://trac.wordpres.../changeset/7586

- http://secunia.com/advisories/29938/
Release Date: 2008-04-25
Critical: Moderately critical
Impact: Exposure of sensitive information, Manipulation of data
Where: From remote
Solution Status: Vendor Patch
Software: WordPress Spreadsheet Plugin (wpSS) 0.x
...can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is reported in version 0.6. Other versions may also be affected.
Solution: Update to version 0.62.
http://timrohrer.com/blog/?page_id=71



#18 AplusWebMaster


Posted 28 April 2008 - 02:54 PM

FYI...

- http://secunia.com/advisories/29965/
Release Date: 2008-04-28
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: WordPress 2.x
...The vulnerability is reported in version 2.5. Prior versions may also be affected.
Solution: Update to version 2.5.1.
Original Advisory: WordPress:
http://wordpress.org.../wordpress-251/ ..."

Also see:
- http://secunia.com/advisories/29876/
Release Date: 2008-04-28
Critical: Moderately critical ...

- http://nvd.nist.gov/...e=CVE-2008-1930

:ph34r:

Edited by AplusWebMaster, 29 April 2008 - 12:59 PM.



#19 AplusWebMaster


Posted 16 July 2008 - 01:00 AM

FYI...

WordPress 2.6 released
- http://codex.wordpre...ner.22_Released
July 15, 2008

- http://wordpress.org/download/
"...The latest stable release of WordPress (Version 2.6) is available..."

- http://trac.wordpress.org/ticket/7220

- http://nvd.nist.gov/...e=CVE-2008-3233
Last revised: 7/21/2008
"...Cross-site scripting (XSS) vulnerability in WordPress before 2.6..."

//

Edited by AplusWebMaster, 14 August 2008 - 07:59 AM.
Added note for CVE-2008-3233...



#20 AplusWebMaster


Posted 16 August 2008 - 08:40 AM

FYI...

WordPress v2.6.1 released
- http://wordpress.org/download/
"...The latest stable release of WordPress (Version 2.6.1) is available..."

- http://wordpress.org.../wordpress-261/
August 15, 2008 - "...full list of over 60 fixes*..."

* http://preview.tinyurl.com/6mxj4j

- http://nvd.nist.gov/...e=CVE-2008-3747
Last revised: 8/27/2008

:ph34r:

Edited by AplusWebMaster, 05 September 2008 - 01:56 AM.
Added CVE ref...



#21 AplusWebMaster


Posted 08 September 2008 - 09:22 PM

FYI...

WordPress v2.6.2 released
- http://wordpress.org/download/
09.08.2008 - "The latest stable release of WordPress (Version 2.6.2) is available..."

- http://wordpress.org.../wordpress-262/
September 8, 2008 - "Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2. Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin**. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized. 2.6.2 also contains a handful of bug fixes*..."
* http://preview.tinyurl.com/55petj

** http://www.suspekt.o...ved-randomness/

:ph34r:



#22 AplusWebMaster


Posted 23 October 2008 - 09:55 PM

FYI...

WordPress v2.6.3 released
- http://wordpress.org/download/
October 23, 2008 - "...latest stable release of WordPress (Version 2.6.3) is available..."

- http://wordpress.org.../wordpress-263/
"A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download... two files and copy them over your 2.6.2 installation..."

- http://trac.wordpres...wser/tags/2.6.3



#23 AplusWebMaster


Posted 06 November 2008 - 10:33 AM

FYI...

Fake WordPress site - trojanized
- http://www.theregist...ised_wordpress/
6 November 2008 - "Fraudsters have set up a fake site featuring a backdoored version of the WordPress blogging application as part of a sophisticated malware-based attack. The fake Wordpresz.org site offered up what purports to be version 2.6.4 of the open source blogging tool. In reality all but one of the files are identical to the latest pukka (2.6.3) version of WordPress. The crucial difference comes in the form of a Trojanised version of pluggable.php, according to Sophos virus researcher Paul Baccas. Sophos detects the malicious code as WPHack-A Trojan. "The new PHP contains call backs to the Fake WordPress site and looks to be stealing credentials," Baccas reports... The latest version of WordPress (version 2.6.3), published on 23 October, is available through http://wordpress.org "

:rant2: :ph34r:

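An added example (not part of the original post, and not WordPress or Sophos code) of the check the report above points to: hash every file in a downloaded copy and compare it with a copy obtained from the official site, so that a single altered file such as pluggable.php stands out. The directory layout and file contents below are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(trusted: Path, candidate: Path) -> dict[str, list[str]]:
    """Report files that differ from, are absent from, or are extra to the trusted tree."""
    ref, cand = tree_digests(trusted), tree_digests(candidate)
    return {
        "modified": sorted(f for f in ref.keys() & cand.keys() if ref[f] != cand[f]),
        "missing": sorted(ref.keys() - cand.keys()),
        "unexpected": sorted(cand.keys() - ref.keys()),
    }


def build_sample(root: Path, files: dict[str, bytes]) -> Path:
    """Write a constructed sample tree (stand-in for an unpacked archive)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo() -> dict[str, list[str]]:
    # Constructed file contents; not real WordPress code.
    official = {
        "wp-login.php": b"<?php // login\n",
        "wp-includes/pluggable.php": b"<?php // auth helpers\n",
        "wp-includes/version.php": b"<?php $wp_version = '2.6.3';\n",
    }
    download = dict(official)
    download["wp-includes/pluggable.php"] = b"<?php // auth helpers, altered\n"
    with tempfile.TemporaryDirectory() as tmp:
        trusted = build_sample(Path(tmp) / "trusted", official)
        candidate = build_sample(Path(tmp) / "candidate", download)
        return compare_trees(trusted, candidate)


if __name__ == "__main__":
    print(demo())
```

In practice `compare_trees` would be pointed at two unpacked archives: one fetched from wordpress.org and the one actually being installed.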


#24 AplusWebMaster


Posted 25 November 2008 - 02:03 PM

FYI...

WordPress v2.6.5 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 2.6.5)..."

- http://wordpress.org.../wordpress-265/
November 25, 2008 - "WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release. The security issue is an XSS exploit..."

- http://trac.wordpres...wser/tags/2.6.5

- http://web.nvd.nist....d=CVE-2008-5278
Last revised: 12/03/2008

:ph34r:

Edited by AplusWebMaster, 09 December 2008 - 05:05 PM.



#25 AplusWebMaster


Posted 11 December 2008 - 04:32 PM

FYI...

WordPress v2.7 released
- http://wordpress.org/download/
12.11.2008 - "The latest stable release of WordPress (Version 2.7) is available..."

- http://wordpress.org...08/12/coltrane/
December 11, 2008

- http://trac.wordpres...rowser/tags/2.7


#26 AplusWebMaster


Posted 11 February 2009 - 02:49 PM

FYI...

WordPress v2.7.1 released
- http://wordpress.org/download/

- http://wordpress.org.../wordpress-271/
February 10, 2009 - "2.7.1, the first 2.7 maintenance release, is now available. 2.7.1 fixes 68 tickets..."

:blink:



#27 AplusWebMaster


Posted 11 June 2009 - 02:45 PM

FYI...

WordPress v2.8 released
- http://wordpress.org/download/
June 11, 2009 - "The latest stable release of WordPress (Version 2.8) is available..."

- http://wordpress.org...6/wordpress-28/

- http://codex.wordpress.org/Version_2.8

:huh:



#28 AplusWebMaster


Posted 10 July 2009 - 07:37 AM

FYI...

WordPress v2.8.1 released
- http://wordpress.org...ordpress-2-8-1/
July 9, 2009 - "WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies* notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe..."

- http://wordpress.org/download/

* http://corelabs.core...leges_Unchecked

- http://web.nvd.nist....d=CVE-2009-2334
- http://web.nvd.nist....d=CVE-2009-2335
- http://web.nvd.nist....d=CVE-2009-2336

Also:
- http://web.nvd.nist....d=CVE-2009-2432

:ph34r: :ph34r:

Edited by AplusWebMaster, 14 July 2009 - 03:47 AM.
Added CVE links...



#29 AplusWebMaster


Posted 20 July 2009 - 12:17 PM

FYI...

WordPress v2.8.2 released
* http://wordpress.org/download/
July 20, 2009 - "The latest stable release of WordPress (Version 2.8.2) is available..."

- http://wordpress.org...ordpress-2-8-2/
July 20, 2009 - "WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. Download 2.8.2* or automatically upgrade from the Tools->Upgrade page of your blog’s admin."

- http://secunia.com/advisories/35946/2/
Release Date: 2009-07-22
Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: WordPress 2.x ...
Solution: Update to version 2.8.2 ...

:ph34r:

Edited by AplusWebMaster, 22 July 2009 - 04:42 AM.
Added Secunia advisory link...



#30 AplusWebMaster


Posted 09 August 2009 - 04:13 PM

FYI...

WordPress v2.8.3 released
* http://wordpress.org/download/
"The latest stable release of WordPress (Version 2.8.3) is available..."

- http://wordpress.org...curity-release/
August 3, 2009 - "... Since this is a security release, upgrading is highly recommended. Download 2.8.3*, or upgrade automatically from your admin..."

> http://secunia.com/advisories/36146/2/

:ph34r:
