WordPress Designer News – WordPress 3.9.2 Security Release
WordPress 3.9.2 is now available as a security release for all previous versions.
It is strongly recommended that you update your websites as soon as possible.
Security release 3.9.2 includes a fix for a possible denial of service issue in PHP’s XML processing, originally reported by Nir Goldshlager of the Salesforce.com Product Security Team.
Security With A Smile
The security issue was fixed by Michael Adams and Andrew Nacin of the WordPress security team, along with David Rothstein of the Drupal security team.
This is the first time the two organisations have coordinated a joint security release.
Hopefully this will bring widespread security to us all much more quickly.
The security update also contains some additional security hardening, such as preventing cross-site scripting that could be triggered only by administrators.
WordPress 3.9.2 also contains other security changes, such as:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default) – Discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library – Reported by Ivan Novikov of ONSec (web application security and audits).
- Adds protections against brute force attacks against CSRF tokens – Reported by David Tomaschik of the Google Security Team.
Any security issues you find should be responsibly disclosed directly to the WordPress security team.
Download WordPress 3.9.2 or go to Dashboard → Updates and click ‘Update Now’.
Websites that support automatic updates should have been updated to WordPress 3.9.2. (If you are still on WordPress 3.8.3 or 3.7.3, you should have been updated to 3.8.4 or 3.7.4.)
Older versions are no longer supported; update to 3.9.2.
If you are presently testing WordPress 4.0, the third beta is now available, and all the above security fixes have been implemented in it.