Comments on: Security Fixes on WordPress http://www.lostaddress.org/2006/03/12/security-fixes-on-wordpress/ making our stupidity help you Tue, 06 Jan 2009 08:07:49 +0000 http://wordpress.org/?v=2.7 hourly 1 By: hari http://www.lostaddress.org/2006/03/12/security-fixes-on-wordpress/comment-page-1/#comment-194 hari Tue, 14 Mar 2006 06:43:40 +0000 http://www.lostaddress.org/index.php/2006/03/12/security-fixes-on-wordpress/#comment-194 Yeah, I updated as well... Doesn't seem that too many files are updated. It would be nice if we could get the patched files list and update only those. Re-uploading the entire package every time seems a bit overkill. Yeah, I updated as well… Doesn’t seem that too many files are updated. It would be nice if we could get the patched files list and update only those. Re-uploading the entire package every time seems a bit overkill.

]]> By: Ray http://www.lostaddress.org/2006/03/12/security-fixes-on-wordpress/comment-page-1/#comment-193 Ray Sun, 12 Mar 2006 21:57:42 +0000 http://www.lostaddress.org/index.php/2006/03/12/security-fixes-on-wordpress/#comment-193 While I accept, to a certain degree, what you are saying, I would say that the fact that you have to hunt around the bug tracker woulddissuade most of the WP users from finding out about it. It's a pretty imperfect way of telling people that there's a problem. I am a Linux user, which means that I expect to see announcements saying "<em>users of [software]-versionx.x should update to versionx.y because the following exploit will make your system vulnerable in this way</em>" The way WP chooses to do it does not make it safer (if I were a cracker, I <em>would</em> look at the bug-tracker). Looking at the WP dashboard on my site, when 2.0.1 was released, there was a link to all the fixed things. 2.0.2 doesn't have this - compare http://wordpress.org/development/2006/01/201-release/ with http://wordpress.org/development/2006/03/security-202/ While I accept, to a certain degree, what you are saying, I would say that the fact that you have to hunt around the bug tracker woulddissuade most of the WP users from finding out about it. It’s a pretty imperfect way of telling people that there’s a problem.

I am a Linux user, which means that I expect to see announcements saying “users of [software]-versionx.x should update to versionx.y because the following exploit will make your system vulnerable in this way” The way WP chooses to do it does not make it safer (if I were a cracker, I would look at the bug-tracker).

Looking at the WP dashboard on my site, when 2.0.1 was released, there was a link to all the fixed things. 2.0.2 doesn’t have this - compare http://wordpress.org/development/2006/01/201-release/ with http://wordpress.org/development/2006/03/security-202/

]]> By: Mark J http://www.lostaddress.org/2006/03/12/security-fixes-on-wordpress/comment-page-1/#comment-192 Mark J Sun, 12 Mar 2006 20:25:20 +0000 http://www.lostaddress.org/index.php/2006/03/12/security-fixes-on-wordpress/#comment-192 <a href="http://lists.automattic.com/mailman/listinfo/wp-trac" rel="nofollow">WP-Trac mailing list (bug tracking system)</a> <a href="http://lists.automattic.com/mailman/listinfo/wp-hackers" rel="nofollow">WP-Hackers mailing list (some discussion of bugs, even security related, goes on here)</a> <a href="http://lists.automattic.com/mailman/listinfo/wp-svn" rel="nofollow">WP-SVN mailing list (immediate notifications of changes to the code)</a> The "bug" (alleged security issue) actually <strong>was</strong> fixed in 2.0.2 <a href="http://trac.wordpress.org/changeset/3584" rel="nofollow">here</a>... but that wasn't the reason for the update (because it wasn't a valid security concern). As to what the update addresses: SQL injection, XSS and CSF loopholes that were discovered internally, as well as a few miscelaneous non-security-related bugs (like the one in changeset 3584). See <a href="http://trac.wordpress.org/log/branches/2.0/" rel="nofollow">here</a> for the whole list of what has changed in the 2.0 branch. I understand your concern with regards to openness... but considering that there was no public knowledge of these security bugs (and thus, no instances of them being exploited), it wouldn't make sense to explicitly describe the security holes when the new version is offered. That would only give the script kiddies a head start. This way, the public knows that there are security issues being addressed, and that the upgrade fixes them, but any would-be exploiters have to actually work to figure out what they are. It's not that the bugs are being hidden... they're there for everyone to see in the links I just provided... they're just not being advertised in explicit detail just yet. WP-Trac mailing list (bug tracking system)
WP-Hackers mailing list (some discussion of bugs, even security related, goes on here)
WP-SVN mailing list (immediate notifications of changes to the code)

The “bug” (alleged security issue) actually was fixed in 2.0.2 here… but that wasn’t the reason for the update (because it wasn’t a valid security concern).

As to what the update addresses:
SQL injection, XSS and CSF loopholes that were discovered internally, as well as a few miscelaneous non-security-related bugs (like the one in changeset 3584).

See here for the whole list of what has changed in the 2.0 branch.

I understand your concern with regards to openness… but considering that there was no public knowledge of these security bugs (and thus, no instances of them being exploited), it wouldn’t make sense to explicitly describe the security holes when the new version is offered. That would only give the script kiddies a head start. This way, the public knows that there are security issues being addressed, and that the upgrade fixes them, but any would-be exploiters have to actually work to figure out what they are.

It’s not that the bugs are being hidden… they’re there for everyone to see in the links I just provided… they’re just not being advertised in explicit detail just yet.

]]>