The software behind OUCS blogs has been updated to include security fixes released by the WordPress team last week.
Announcement of the much awaited release of WordPress 3.1.1 should bring relief to those suffering from side-effects of the WordPress 3.1 pill: key features include improved security of media uploads, performance improvements, and various bug fixes. It also addresses three security vulnerabilities. Users are advised to update “promptly”.
The official announcement followed the general availability of 3.1.1 by a few days, and was quickly followed by a deluge of derivative announcements which, bar a few more considered posts, appear to offer little more than regurgitated snippets from the original. The release announcement ends with a haiku suggesting that, since only geeks will know what it’s all about, you should just apply the update and not worry about the details.
What if you’re a geek who uses WordPress, though? Surely any security announcement bears some evaluation before taking the risks associated with an upgrade. In fact there is a release note which details the changesets / trac tickets associated with each of the security issues. These are genuinely significant, although perhaps not as terminal as some commentators appear to suggest: will all unpatched servers be out of service by Monday? Probably not.
If you are already running WordPress 3.1 then this update appears to offer several worthwhile benefits, and the overall changeset is relatively small. For anyone still on WordPress 3.0 (e.g. users of Debian squeeze, which includes WordPress 3.0.5) you may be considering whether it’s viable to backport the fixes. Good news – this is actually rather trivial. Just pick up the changesets identified in the release note and you’ll find that two of them apply as-is (the XSS and CSRF vulnerabilities), and the small change to mitigate PHP crashes on “deviously devised devilish links in comments” is easy enough to apply, just a few lines too early for `patch` to cope by default.
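The backport check described above, as an added example that is not part of the original post and uses no real WordPress code: a constructed "older tree" file (`sanitise.php`, with an extra comment block the newer tree lacks) and a constructed changeset (`fix.diff`) stand in for the 3.0.5 install and the upstream 3.1.1 changeset. The script first asks `patch --dry-run` whether the hunk lands before touching anything, shows that strict matching (`-F0`) would reject the shifted hunk, and only then applies it with `patch`'s default fuzz, which tolerates a couple of lines of drifted context. The function names (`make_fixture`, `check_backport`, `apply_backport`) and the PHP snippet are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the OUCS post: dry-run a lifted changeset against an
# older tree before applying it. All files below are constructed fixtures.
set -e

make_fixture() {  # $1 = working directory; writes sanitise.php and fix.diff
    # Constructed "3.0.5-style" file: the two comment lines are absent in the
    # newer tree, so the hunk's leading context no longer matches line-for-line.
    cat > "$1/sanitise.php" <<'EOF'
<?php
// Constructed older tree: this comment block does not exist upstream,
// so the upstream hunk's context is a few lines early.
function sanitise_link($url) {
    return $url;
}
EOF
    # Constructed "upstream changeset": adds a length guard to the function.
    cat > "$1/fix.diff" <<'EOF'
--- a/sanitise.php
+++ b/sanitise.php
@@ -1,4 +1,7 @@
 <?php
 function sanitise_link($url) {
+    if (strlen($url) > 2048) {
+        return '';
+    }
     return $url;
 }
EOF
}

check_backport() {  # $1 = working directory; exit status is patch's verdict
    # --dry-run reports offset/fuzz without modifying the tree.
    patch --dry-run -p1 -d "$1" < "$1/fix.diff"
}

apply_backport() {  # $1 = working directory; applies for real
    patch -p1 -d "$1" < "$1/fix.diff"
}

demo() {
    work=$(mktemp -d)
    make_fixture "$work"

    echo "== strict check (fuzz 0): expected to reject the shifted hunk =="
    if ! patch -F0 --dry-run -p1 -d "$work" < "$work/fix.diff"; then
        echo "strict matching rejected the hunk, as expected"
    fi

    echo "== default check: patch reports the offset/fuzz it needed =="
    check_backport "$work"

    echo "== apply and confirm the guard landed in the function =="
    apply_backport "$work"
    grep -n 'strlen' "$work/sanitise.php"

    rm -rf "$work"
}

demo
```

Run it as an ordinary shell script; `patch` prints "Hunk #1 succeeded ... with fuzz" on the default check, which is exactly the signal to inspect the result by eye before rolling it out to a live install.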