Monthly Archives: January 2013

WordPress 3.5.1 Security Patch Released

WordPress 3.5.1 is now available for download or update within your WordPress dashboard. This version is a maintenance and security release for all previous versions.

WordPress Hosting

Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. For a full list of changes, consult the list of tickets and the changelog, which include:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team.
  • Two instances of cross-site scripting via shortcodes and post content.
  • A cross-site scripting vulnerability in the external library Plupload.

We recommend everyone to update their WordPress to this latest version ASAP!

Drupal 7.19 & 6.28 Now Available

Drupal 7.19 and 6.28 maintenance releases which contain fixes for security vulnerabilities are now available.

Drupal Hosting

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases.

Changelog

Drupal 7.19 is a security release only. For more details, see the 7.19 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.28 is a security release only. For more details, see the 6.28 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.19 and 6.28 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.19 or Drupal 6.28.