
WordPress 3.3 released

The WordPress 3.3 release (code-named "Sonny") is available. "Experienced users will appreciate the new drag-and-drop uploader, hover menus for the navigation, the new toolbar, improved co-editing support, and the new Tumblr importer. We've also been thinking a ton about what the WordPress experience is like for people completely new to the software. Version 3.3 has significant improvements there with pointer tips for new features included in each update, a friendly welcome message for first-time users, and revamped help tabs throughout the interface. Finally we've improved the dashboard experience on the iPad and other tablets with better touch support."

On a related note, the LWN site (which is not based on WordPress) is seeing a flood of attempts to exploit the TimThumb vulnerability; anybody running a WordPress site who has not closed this hole should do so immediately.



WordPress 3.3 released

Posted Dec 12, 2011 23:56 UTC (Mon) by ceplm (guest, #41334) [Link]

Packages are available in Fedora Rawhide; for other versions of Fedora (and EPEL-6) they are building. :)

Good explanations of the TimThumb vulnerability?

Posted Dec 13, 2011 0:05 UTC (Tue) by coriordan (guest, #7544) [Link]

I don't know who the target audience of that meandering blog entry is, but it's certainly not for busy admins who want to know how to check if they're vulnerable. (and if so, what to do.)

Good explanations of the TimThumb vulnerability?

Posted Dec 13, 2011 0:30 UTC (Tue) by corbet (editor, #1) [Link]

Sorry...I'm far from a WordPress expert, so I put in something I found while trying to figure out what all those attacks were. FWIW, it's the entry pointed to by the page for the TimThumb vulnerability scanner on the WordPress site.

Does 3.3 fix the TimThumb vulnerability?

Posted Dec 13, 2011 2:36 UTC (Tue) by coriordan (guest, #7544) [Link]

Well, my sharpness of tongue was a bit nasty :-) I guess it just caught me at a critic-ful moment.

So, does upgrading to 3.3 fix/prevent the TimThumb vulnerability?

The mentality difference shown is, ...interesting. PHP and WordPress get installed by Windows users, and when there's a problem there are clueful people who write plugins and who blog: "Think you've installed dodgy software? Install and run my 325K plugin to find out!"

(320K of that is a screenshot)

The author might be well intentioned, but free software users balk at the idea of running software found via a blog by some guy you've never heard of. Especially on a server. We look for someone to say "Check if you have this file, and if it has this line of code, and then change it this way".

Does 3.3 fix the TimThumb vulnerability?

Posted Dec 13, 2011 2:46 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

Fortunately or unfortunately, most people are not interested in editing files and checking lines of code. They will do whatever seems easier even if it is more risky.

Does 3.3 fix the TimThumb vulnerability?

Posted Dec 13, 2011 4:01 UTC (Tue) by corbet (editor, #1) [Link]

Here's a vulnerability report on the TimThumb site. It would appear that TimThumb is an add-on module packaged by a lot of WordPress themes. So it's more a matter of what theme you're using than what version of WordPress is running. If I understand things right, which is not guaranteed.

Does 3.3 fix the TimThumb vulnerability?

Posted Dec 13, 2011 8:45 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]

> ... free software users balk at the idea of running software found via a blog by some guy you've never heard of..

So confused by your post.. you seem to think this is a bad thing?

If so, you might want to review the Download.com/nmap posts from earlier..

(The best was a relative who got infected by X, and then got re-infected by site saying that X was horrible, install Y to fix it!... of course they were both run by the same operation.. *sigh*..)

Or is it just late and I misread your tone?

Does 3.3 fix the TimThumb vulnerability?

Posted Dec 13, 2011 11:37 UTC (Tue) by coriordan (guest, #7544) [Link]

> you seem to think this is a bad thing?

Not at all :-) I'm baffled by the Windows mentality.

Good explanations of the TimThumb vulnerability?

Posted Dec 13, 2011 15:41 UTC (Tue) by nye (guest, #51576) [Link]

$ find /your/wordpress/dir -name 'timthumb.php'

Ought to cover it, from my reading. If it finds any results, you're probably vulnerable (apparently there's an updated version to replace them with).

SELinux?

Posted Dec 13, 2011 16:32 UTC (Tue) by dmarti (subscriber, #11625) [Link]

Probably a stupid question, but does TimThumb even work with SELinux in enforcing mode? It seems like letting the web server both write to a directory and run PHP code from that directory is the kind of thing that would be hard enough to set up in SELinux that you'd end up not doing it.
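An added audit helper (not from this thread, WordPress or TimThumb) that combines the two checks discussed above: nye's search for timthumb.php copies, and dmarti's point that the dangerous combination is a directory the web server can write to that also holds PHP it will run. Directory and file names in the usage line are assumptions; the check for "writable" is approximated as group- or world-writable, since the web server user varies by distribution.

```shell
#!/bin/sh
# Hypothetical audit script, added as an example. Two findings are reported:
#   1. every copy of timthumb.php under the tree (the file nye's find locates)
#   2. directories that are group- or world-writable AND directly contain .php
#      files, i.e. the "web server writes here and runs PHP from here" case.

# Print every timthumb.php under $1, one per line, sorted.
find_timthumb() {
    find "$1" -type f -name 'timthumb.php' 2>/dev/null | sort
}

# Print directories under $1 that are group- or world-writable and hold at
# least one .php file directly inside them.
find_writable_php_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort |
    while IFS= read -r d; do
        if find "$d" -maxdepth 1 -type f -name '*.php' 2>/dev/null |
           head -n 1 | grep -q .; then
            printf '%s\n' "$d"
        fi
    done
}

# Report both findings for the tree at $1.
# Returns 0 when nothing was found, 1 when at least one finding exists.
audit_wp_tree() {
    tt=$(find_timthumb "$1")
    wd=$(find_writable_php_dirs "$1")
    if [ -n "$tt" ]; then
        printf '%s\n' "$tt" | sed 's/^/timthumb copy: /'
    fi
    if [ -n "$wd" ]; then
        printf '%s\n' "$wd" | sed 's/^/writable dir with PHP: /'
    fi
    if [ -z "$tt" ] && [ -z "$wd" ]; then
        printf 'no findings under %s\n' "$1"
        return 0
    fi
    return 1
}

# Example invocation (path is an assumption): audit_wp_tree /var/www/wordpress
```

On a CentOS host with SELinux enforcing, the analogous check is whether any directory labelled httpd_sys_rw_content_t (the type that lets httpd write) also contains PHP; `ls -Z` shows the labels.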

SELinux?

Posted Dec 15, 2011 8:01 UTC (Thu) by zlynx (subscriber, #2285) [Link]

I just checked a few CentOS 5 systems we have deployed where I work.

Sure enough, our administrators have SELinux turned off. I do try to use it on systems I set up, but I don't blame them. It is such a pain to use that you can easily spend 3x the effort getting SELinux happy than it took to configure nginx or node.js.

SELinux?

Posted Dec 15, 2011 17:54 UTC (Thu) by raven667 (subscriber, #5198) [Link]

I find this attitude annoying. I leave SELinux enabled on my CentOS 5 and 6 hosts and while I have run into permissions problems they have always been easy to fix; I've never run into a situation where it would make sense to just disable SELinux entirely. I think a _lot_ of administrators are trying to avoid learning about SELinux at all and keep taking the easy way out by disabling it.

SELinux?

Posted Dec 15, 2011 22:53 UTC (Thu) by dmarti (subscriber, #11625) [Link]

Good point. And if you can describe an application's required permissions well enough to write the needed SELinux incantations to run it, you might end up doing a facepalm-based security review. Hmmm, how do I set up SELinux to allow "Download files from untrusted sites, then run them as PHP code"?

SELinux?

Posted Dec 19, 2011 13:04 UTC (Mon) by ceplm (guest, #41334) [Link]

If you file bugs in the Red Hat bugzilla (if we are talking about SELinux, I suppose, although it is not fair, that you have RHEL or one of its derivatives, right?), we have a couple of bugs open https://bugzilla.redhat.com/buglist.cgi?quicksearch=selin... and there is actually a lot of work being done on it.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds