WordPress version 2.8.6 was released earlier today, addressing a couple of security issues. It patches an XSS vulnerability in Press This and fixes an issue with sanitizing upload file names that could be exploited to run a PHP file uploaded as file.php.jpg in some Apache configurations.
It is recommended to download and upgrade to version 2.8.6 or use the automatic upgrade function of WordPress under Tools > Upgrade from the admin area. WordPress 2.8.6 will be available for automatic upgrade soon.
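An added example, not code from WordPress or from this post, showing one way to sanitize upload names such as file.php.jpg: the final extension must be on an allowlist, and any extension-like middle part that is not on it gets a trailing underscore so the server has no second extension to act on. The function name harden_upload_name and the ALLOWED_EXTENSIONS list are assumptions made for this example.

```php
<?php
// Added example, not WordPress core code. The allowlist is an assumption.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return a safe stored name for an upload, or null if it must be rejected.
 * Intermediate parts that look like an extension but are not allowed are
 * suffixed with "_" so "file.php.jpg" is stored as "file.php_.jpg".
 */
function harden_upload_name(string $name): ?string
{
    // Drop any path component, then anything outside a conservative set.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    $name = trim($name, '.');

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null; // no extension at all
    }

    // The final extension decides the type and must be on the allowlist.
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    $base = array_shift($parts);
    foreach ($parts as $part) {
        $base .= '.' . $part;
        // Extension-like: 2-5 letters plus an optional digit (php, phtml, php5).
        $looksLikeExt = preg_match('/^[A-Za-z]{2,5}\d?$/', $part) === 1;
        if ($looksLikeExt && !in_array(strtolower($part), ALLOWED_EXTENSIONS, true)) {
            $base .= '_';
        }
    }
    return $base . '.' . $ext;
}

// Constructed sample names, not taken from any real incident.
$samples = ['photo.jpg', 'file.php.jpg', 'a.PhP5.png', 'report.v2.pdf',
            'shell.php', '../x.phtml.gif'];
foreach ($samples as $n) {
    printf("%-16s -> %s\n", $n, harden_upload_name($n) ?? '(rejected)');
}
```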
WordPress MU 2.8.5.1, released yesterday, had a minor bug that prevented a user from publishing or saving a new post. When a user tried to save or publish, they would get an error message saying “You cannot make this user the post author”. The post was still saved as a draft and it could then be published or saved as a draft again without any errors. This bug was fixed in WordPress MU 2.8.5.2 which can be downloaded here.
WordPress MU 2.8.5.1 has just been released and is available for download immediately. This release addresses several security issues and bug fixes. WordPress MU version 2.8.5 was tagged and ready for release when a bug was discovered which prevented editing of blogs. That is why this release is tagged 2.8.5.1. It is recommended to upgrade to version 2.8.5.1 immediately.
This release also fixes a problem with slashes in blog and site options. You’ll be prompted to run the site upgrader. Please run it on all your blogs.
If you are using the automatic upgrading feature in WordPress MU 2.8.2, you’ll first need to edit line 697 in wp-admin/includes/class-wp-upgrader.php. Replace “wordpress” with “wordpress-mu”.
Before:
if ( !$wp_filesystem->copy($working_dir . '/wordpress/wp-admin/includes/update-core.php', $wp_dir . 'wp-admin/includes/update-core.php', true) )
After:
if ( !$wp_filesystem->copy($working_dir . '/wordpress-mu/wp-admin/includes/update-core.php', $wp_dir . 'wp-admin/includes/update-core.php', true) )
You can use the auto upgrader after saving the changes. This bug was fixed in WordPress MU 2.8.3, so you only need to do this if you are using the auto upgrader from version 2.8.2.
WordPress version 2.8.5 was released earlier today, addressing several security issues. The WordPress core team had identified several security hardening changes while working on WordPress 2.9 and felt it was worth the effort to back-port these changes to the 2.8 branch.
The headline changes in this release are:
A fix for the Trackback Denial-of-Service attack that is currently being seen.
Removal of areas within the code where PHP code in variables was evaluated.
File uploads are now checked against a whitelist for all users, including Admins.
Retiring of the two importers of Tag data from old plugins.
It is recommended to download and upgrade to version 2.8.5 or use the automatic upgrade function of WordPress under Tools > Upgrade from the admin area.