As we all anxiously await the official release of WordPress 3.6, news came last week that WordPress Version 3.5.2 has been made available to the public, and sites can update to it immediately via the WordPress Dashboard. Andrew Nacin, who works for Audrey Capital, WordPress founder Matt Mullenweg’s investment and research firm, posted recently that the latest release is aimed at overall maintenance and fixes a total of 12 bugs. However, the developer also went on to say that “this is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.”
The complete list of bugs that have been fixed in this latest offering includes the initial gallery “Link To” setting not being applied as well as the wrong parameter order for stripos in wp-includes/functions.php. Of the 12 bugs, 10 were directly addressed by Nacin while the other two were resolved by fellow developers.
A list of security fixes was also provided by the WordPress core development team. According to Nacin, the fixes included the following:
“Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
Prevention of a denial of service attack, affecting sites using password-protected posts.
An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.”
Nacin applauded the responsible disclosure of the security issues, which allows the development team to address specific needs in a timely manner while minimizing ongoing risks to WordPress users as much as possible.
WordPress 3.6 Official Launch Pending
WordPress 3.6 lead developer Mark Jaquith authorized the fourth beta version of WordPress 3.6 to go out publicly, but we are still awaiting a full-blown launch as its official release has been pushed back well over a month from its original deadline.
As most in the WordPress community already know, the Post Formats UI has been removed from the final product and will instead be released separately as a plugin. This is important to know for WordPress users who rely on generating different formats within posts such as Quotes, Video, Gallery, etc.
Jaquith recommends that WordPress 3.6 Beta 4 be used only on testing sites and not on production websites, as there are still major issues with the 3.6 version that could cause significant problems for inexperienced webmasters. Those who would like to try out the latest beta can do so without risk to their own site by installing it on a test platform. The latest beta does provide a unique opportunity to continue testing the upcoming release against the themes and plugins currently in use on your site, in order to ensure that they are fully compatible with one another.
Upcoming WordPress Events
There are two major WordCamps slated for this weekend: one in Chicago, Illinois and the other in Montreal, Quebec. The WordCamp in Chicago will run Friday through Sunday at the University Center, while the Montreal camp will take place Saturday and Sunday.
Topics discussed at both camps will range from general brainstorming on how to more effectively use the open-source platform to new ideas on mobile optimization. Those who would like to see if there is still time to attend should visit the respective WordCamp websites.