
Why isn't there a security release? (28 posts)

  1. xknown
    Member
    Posted 17 years ago #

    I know of at least two critical security holes* in the latest version of WPMU (1.2.1). They are already fixed in the trunk, but I don't understand why there isn't a new release.

    *: they were originally reported in WordPress.

    PS. Sorry for my bad English, I'm not a native speaker

  2. lunabyte
    Member
    Posted 17 years ago #

    Patience is a virtue.

  3. drmike
    Member
    Posted 17 years ago #

    Because most of us are updating right out of the trac and not waiting for releases.

    Same thing as windows. Do you update every so often or did you wait for Vista to solve all of XP's woes?

    If you haven't updated your own WPMu install, that's your fault.

    Actually I think it was suggested in another thread that 1.2.2 get released.

  4. alexz
    Member
    Posted 17 years ago #

    Do you cut and paste?

    Or do you do it in another way?

  5. drmike
    Member
    Posted 17 years ago #

    Copy and paste if you've made modifications to the core files like I have. Just replace the modified files if you haven't. I keep tabs and everything.

    If you look at each change in the trac, there are links to display the updated file, and it'll list what files have been changed.

    Either that or pull a copy via SVN.

    But, yes, I also would like to see 1.2.2 released. I think, since Donncha has pretty much caught up now, with the change in widgets, the upgraded TinyMCE that will help Safari users, and the change in the layout of the Write page, it should be released.
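    The "replace the file if you haven't modified it, copy and paste if you have" routine described above can be turned into a check that is run before a trunk drop-in. The following is an added example written for this thread, not code from the WPMU project: it compares the release you installed (base), the trunk checkout (upstream) and the live install (local) and sorts every file into replace / merge / keep / new / removed, so that a security fix never silently overwrites a local core modification. The three sample trees and their file contents are constructed for illustration and are not real WPMU files; `load_tree` is the hypothetical helper you would point at the real directories.

```python
from pathlib import Path

# Constructed sample trees (invented paths and contents, not real WPMU files):
# BASE is the release you installed, UPSTREAM the current trunk checkout,
# LOCAL the live install with your own edits.
BASE = {
    "wp-includes/xmlrpc.php": "<?php // 1.2.1 xmlrpc\n",
    "wp-includes/widgets.php": "<?php // 1.2.1 widgets\n",
    "wp-admin/edit-form.php": "<?php // 1.2.1 write page\n",
}
UPSTREAM = {
    "wp-includes/xmlrpc.php": "<?php // trunk xmlrpc, escaping fixed\n",
    "wp-includes/widgets.php": "<?php // trunk widgets, new layout\n",
    "wp-admin/edit-form.php": "<?php // 1.2.1 write page\n",
    "wp-includes/new-file.php": "<?php // added in trunk\n",
}
LOCAL = {
    "wp-includes/xmlrpc.php": "<?php // 1.2.1 xmlrpc\n",
    "wp-includes/widgets.php": "<?php // 1.2.1 widgets, my hack\n",
    "wp-admin/edit-form.php": "<?php // 1.2.1 write page\n",
    "wp-config.php": "<?php // config with my DB creds\n",
}


def load_tree(root):
    """Read a real directory into the {relative path: content} shape used above."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text()
            for p in root.rglob("*") if p.is_file()}


def classify(base, upstream, local):
    """Three-way comparison of every path seen in any of the three trees.

    replace - upstream changed it and you did not: drop the trunk file in.
    merge   - both upstream and you changed it: hand-merge (copy and paste).
    keep    - upstream did not touch it, or you are already current.
    new     - exists only in upstream: copy it in.
    removed - upstream dropped a file the release shipped.
    """
    result = {"replace": [], "merge": [], "keep": [], "new": [], "removed": []}
    for path in sorted(set(base) | set(upstream) | set(local)):
        b, u, l = base.get(path), upstream.get(path), local.get(path)
        if u is None:
            # Not in trunk: either dropped upstream, or a local-only file
            # such as your config that was never shipped.
            result["removed" if b is not None else "keep"].append(path)
        elif l is None:
            result["new" if b is None else "replace"].append(path)
        elif l == u:
            result["keep"].append(path)          # already current
        elif b is not None and u == b:
            result["keep"].append(path)          # only you changed it
        elif b is not None and l == b:
            result["replace"].append(path)       # only upstream changed it
        else:
            result["merge"].append(path)         # both changed: manual merge
    return result


if __name__ == "__main__":
    for bucket, paths in classify(BASE, UPSTREAM, LOCAL).items():
        for p in paths:
            print(f"{bucket:8} {p}")
```

    The "merge" bucket is the one that matters for security: a fix in a file you have hacked on is exactly the one a blind `svn export` drop-in would either clobber (losing your change) or that you would skip (losing the fix).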

  6. Peavy
    Member
    Posted 17 years ago #

    Does it mean that:

    * we have to be connected to the trunk to be informed of security fixes?

    * the major security fixes do not necessarily lead to a new public release on the mu website and...

    * ... consequently latest fixes must be downloaded directly from Subversion?

    What do you think about proposing an announcement mailing list like WP?

    Peavy 8)

  7. drmike
    Member
    Posted 17 years ago #

    I haven't a clue as to what Donncha does to determine when he makes a new version. Most of us are just checking the trac every day. Takes five minutes if that usually. If you can't spare five minutes...

    Could have sworn we had a wpmutrac mailing list...

  8. demonicume
    Member
    Posted 17 years ago #

    What's the nature of these 'critical issues'? My site was beat down this morning.

  9. drmike
    Member
    Posted 17 years ago #

    You know what. I'm not seeing anything in the trac either except for the big one at 972 since 1.2.1 got released.

    http://trac.mu.wordpress.org/changeset/972

    And I don't remember any security issues within that one but I can't load the page. :)

    edit: We did have the security issue with the kubrick/ home theme but we discussed that here in the forums.

  10. dsilverman
    Member
    Posted 17 years ago #

    Most of us are just checking the trac every day. Takes five minutes if that usually. If you can't spare five minutes...

    With all due respect, doesn't that attitude strike you as a bit, err, simplistic for what is supposed to be a large scale project releasing production-ready code? Truth is I *don't* have 5 minutes a day to look at Trac updates for every major web app I run; that's why it's nice to have things like mailing lists for announcing new releases along with some indication of whether the code in its present form is stable and ready for production machines.

    In fact I'm grateful that there are releases at all now. When we first set up our WPMU we *did* have to pull from SVN, and we're happy to now finally be migrating to what I hope is a stable release with a clear upgrade path.

  11. drmike
    Member
    Posted 17 years ago #

    With all due respect, doesn't that attitude strike you as a bit, err, simplistic for what is supposed to be a large scale project releasing production-ready code?

    No, not really. We run update on all of our servers every day and 99% of the time, something is updated. Sounds normal, actually.

    Why not just update via SVN every day and drop it into place? If you don't have any of the code modified, it should go fairly smoothly. (I've got to copy and paste myself since I'm on these locked down terminals all the time)

  12. Farms2
    Member
    Posted 17 years ago #

    I have to say I'd like a list for critical issues.

  13. Peavy
    Member
    Posted 17 years ago #

    So do I!
    And andrewbillits too, I guess (see http://mu.wordpress.org/forums/topic.php?id=5156&replies=11#post-30113)

    Or at least, go on like putting one sticky announcement on the forums like this one: http://mu.wordpress.org/forums/topic.php?id=5163&replies=7

    Might be better to have one unique sticky announce we can follow via a RSS feed rather than creating new stickies each time an exploit is discovered (because in that case we'll need to go to the forum daily while with one unique RSS feed we just have to update the feed).

    What do you think, guys?

    Best regards,

    Peavy 8)

  14. geniosity
    Member
    Posted 17 years ago #

    How about using a Security tag that we could then subscribe (via RSS) to. Then instead of us following one thread with everybody's comments, we can follow each security thread as far as we want, and each thread having a different title will allow us to see if there's a new security issue.

  15. xknown
    Member
    Posted 17 years ago #

    D'oh! I'm not a WPMU user and I was only asking why you didn't release a new version because of security bugs.

    I've reported a moderate xmlrpc issue in WordPress, but the same bug[1] in WPMU is easily exploitable.

    [1] http://mu.wordpress.org/forums/topic.php?id=5163

  16. drmike
    Member
    Posted 17 years ago #

    That's why it's a sticky....

  17. Bike
    Member
    Posted 17 years ago #

    Hi there,

    Frankly I checked the SW and forums a few weeks ago, but when noticing that at that time the downloadable version came with a security hole included, I ran away and am now peeking around the corner again :)

    I noticed that the stickiness was removed, so I assume the current 1.2.2 that is offered here for download http://mu.wordpress.org/download/ is 'safe' to install?

    There seems to be no mailinglist or announcements for critical updates, and it appears to be acceptable to have the download version contain security leaks, even if they are already fixed.

    Can there at least be an admin-controlled announcement thread where critical bugs are reported?
    Every message just needs a title description ending with one of these:
    - <solved> (which should mean it is fixed in the download version, but if not
    - <solved in trac/svn>
    - <critical>: not fixed yet

    Where every post links to a thread where the bug is discussed with links to solutions?

    Then at least we can subscribe to the feed of the bugs topic. (though of course a mailinglist/announcement would be much better, safer, quicker and probably easier to do for the admins). Thanks.

  18. drmike
    Member
    Posted 17 years ago #

    Why not just take five minutes and pay attention to the trac's timeline? If you're not keeping up to date on what's current and available, mail list or not, gotta admit that it's your own fault.

    Mailing list: http://lists.automattic.com/mailman/listinfo/wpmu-trac

    Been in existence since October 2006

  19. Bike
    Member
    Posted 17 years ago #

    Thanks for that, I have just added myself as subscriber number 27, so either there are not many MU users or not many people know about this list, so hopefully this helps others.

    I agree that it is up to me if I want to incorporate available changes or not, I was referring to critical updates like the previous XML-RPC bug, which turned the downloadable version into a trojan for a long time, that cannot be good for the reputation of this great piece of software.

    It would be great if those critical changes are sent out for those who do not have the possibility to trac(k) every change, I assume that is what the mailinglist is for?
    It should also be easy and not much work to start one topic about critical updates for potential and current users? It would save yourself from having to write a lot of 'please use the search' remarks :)

  20. drmike
    Member
    Posted 17 years ago #

    Actually I noticed that changesets are not put out over that list. (At least I haven't seen any)

    Donncha, if you see this, can those be added in some way? I note that you mark versions via a changeset instead of Milestones.

    And, as per the other thread:

    Complain when there's a security release...

    Complain when there's not a security release...

    Are you guys sure you're not channeling my ex mother in law?

  21. donncha
    Key Master
    Posted 17 years ago #

    If you go to http://trac.mu.wordpress.org/timeline you'll find two RSS feeds there. This one includes changeset summaries.

    And if you're not using an RSS reader yet, then shame on you! Go to bloglines.com or reader.google.com straight away!
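    For anyone who takes up the suggestion of following the timeline feed rather than reading trac by hand, here is an added example of doing the filtering automatically. It is not code from the thread or from the WPMU project: it parses a Trac timeline RSS document, keeps only changeset items newer than the revision you last deployed, and flags the ones whose summary mentions security-related words, which is roughly what a "critical updates" list would have announced. The feed text below is constructed for illustration (the changeset numbers and summaries are invented, not real WPMU changesets); the assumption that Trac titles changeset items as `Changeset [NNN]: summary` and tags them with a `changeset` category matches the Trac timeline RSS I have seen but is not guaranteed for every version, so the parser also accepts items whose title starts with "Changeset".

```python
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed stand-in for http://trac.mu.wordpress.org/timeline?format=rss
# Revision numbers and summaries are invented; they are not real WPMU changesets.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
 <channel>
  <title>WordPress MU: Timeline</title>
  <item>
   <title>Changeset [1001]: Escape user-supplied input in the comments form (XSS)</title>
   <link>http://trac.mu.wordpress.org/changeset/1001</link>
   <pubDate>Mon, 02 Jul 2007 09:15:00 GMT</pubDate>
   <category>changeset</category>
  </item>
  <item>
   <title>Changeset [1002]: Upgrade TinyMCE</title>
   <link>http://trac.mu.wordpress.org/changeset/1002</link>
   <pubDate>Mon, 02 Jul 2007 11:40:00 GMT</pubDate>
   <category>changeset</category>
  </item>
  <item>
   <title>Ticket #4242 (new): Widgets page layout</title>
   <link>http://trac.mu.wordpress.org/ticket/4242</link>
   <pubDate>Tue, 03 Jul 2007 08:00:00 GMT</pubDate>
   <category>newticket</category>
  </item>
  <item>
   <title>Changeset [1003]: Check capabilities before XML-RPC post edit</title>
   <link>http://trac.mu.wordpress.org/changeset/1003</link>
   <pubDate>Tue, 03 Jul 2007 16:20:00 GMT</pubDate>
   <category>changeset</category>
  </item>
 </channel>
</rss>
"""

# Words that, in a commit summary, usually mean "this is a fix you want today".
SECURITY_WORDS = re.compile(
    r"\b(xss|csrf|sql injection|escap\w*|sanitis\w*|sanitiz\w*|capabilit\w*|"
    r"nonce|privilege\w*|security|exploit\w*|vulnerab\w*)\b",
    re.IGNORECASE,
)
TITLE_RE = re.compile(r"Changeset \[(\d+)\]: (.*)")


def parse_timeline(xml_text):
    """Return a list of {rev, summary, link, date} for each changeset item."""
    changesets = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        category = item.findtext("category", "")
        if category != "changeset" and not title.startswith("Changeset"):
            continue  # tickets, wiki edits, milestones: not deployable changes
        m = TITLE_RE.match(title)
        if not m:
            continue
        changesets.append({
            "rev": int(m.group(1)),
            "summary": m.group(2),
            "link": item.findtext("link", ""),
            "date": parsedate_to_datetime(item.findtext("pubDate")),
        })
    return changesets


def security_changesets(xml_text, since_rev):
    """Changesets after `since_rev` whose summary looks security-related."""
    return [c for c in parse_timeline(xml_text)
            if c["rev"] > since_rev and SECURITY_WORDS.search(c["summary"])]


if __name__ == "__main__":
    deployed = 972  # the last changeset you pulled into production
    for c in security_changesets(SAMPLE_FEED, deployed):
        print(f"r{c['rev']} {c['date']:%Y-%m-%d}  {c['summary']}\n    {c['link']}")
```

    Keyword matching on a commit summary is a heuristic, not a guarantee: a fix committed with a bland message will slip past it, which is exactly why several people in this thread still want an announcement list in addition to the feed.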

  22. drmike
    Member
    Posted 17 years ago #

    But he wants a mailing list....

  23. Bike
    Member
    Posted 17 years ago #

    Thanks Donncha, that is constructive and useful, I subscribed.

    ps: DrMike, that cynicism is again not needed, why do you keep bashing new (and old) members of this community when they point out that communication streams are absent or not clear or that some people are not full-time developers? It took 20 posts before a useful answer was placed, even though the worries of the original poster -and many with him- have not been addressed

    It took me a long time to sign up for this forum as I saw how newcomers (whether their questions were stupid or valid, answered before or not) were treated by some, mostly you. Some of us do not have enough inside knowledge to add to the code itself, but show their appreciation by adding to community instead and pointing out things that might help.

    FYI: I wrote:
    >>Can there at least be an admin-controlled announcement thread where critical bugs are reported?
    <snip> Where every post links to a thread where the bug is discussed with links to solutions?
    --> Then at least we can subscribe to the feed of the bugs topic.<-- (arrows added)

    It would also prevent a lot of vaguely half-related and difficult-to-find-posts all over the place in the forum if vulnerabilities are announced in a dedicated board or at least thread. But hey, I am new, so what do I know.

    And so what if I and others prefer an optional/additional mailing list as well, does that make me a lesser person than you? I'd rather get two notices that my site is vulnerable than zero. Even 5 minutes per day at trac can be not enough when a hole is discovered. I'd rather get an email and fix my site if needed than anything else I might have been doing if I hadn't been alerted.

    FYI:
    a different open source project, SMF, does send out emails to all members, but only when:
    - there is a new version available, triggered by a hotfix or not, with link to a forum post with details

    Of course they would update the public downloadable version as well, the moment they found out that it had a hole in it.

    If you would have logged in as Admin with SMF then you might have seen the same announcement as well, together with literally 3 click install/update. But the SMF development team realize that not all webmasters are sitting at home constantly refreshing the admin's homepage (or trac in this case) waiting for bad things to have happened.
    I think that is a safe realization helping them to get both more users and feedback. But this is WPMU and not SMF and hey, I am new, so what do I know.

  24. lunabyte
    Member
    Posted 17 years ago #

    -- As long as SMF's server is working... <cough>1.1.3 update emails</cough>

    But hey, what do I know? Well, besides both MU and SMF like the back of my hand. lol

    On that note, I can't see Doc being cynical anywhere up there.

  25. LanceGrigsby
    Member
    Posted 15 years ago #

    Good information on this thread ... I've signed up for the trac list, but I'm curious about 2 things: SMF server and "Why not just update via SVN." What are these, and how can I take advantage of them to stay ahead of the curve?

  26. andrea_r
    Moderator
    Posted 15 years ago #

    SMF is a forum. Not really applicable to the discussion.

    SVN is a method to sync with trac.

  27. tdjcbe
    Member
    Posted 15 years ago #

  28. Col. Panick
    Member
    Posted 15 years ago #

    Cool links, thanks.

About this Topic

  • Started 17 years ago by xknown
  • Latest reply from Col. Panick