Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

WordPress 1.5.2 Security FUD

There is some misleading FUD going around about a vulnerability in WordPress 1.5.2.

Let’s get this out of the way plainly: There is not a code execution vulnerability in WordPress 1.5.2.

Now, a little more explanation of how this came into question: There was some communication between the person who discovered the problem (Stefan Esser, to the best of my knowledge) and Matt. Matt formulated a fix, which was checked into the repository and which went through a couple of iterations. At some point, Matt posted a new downloadable archive on wordpress.org. But then he realized that the bugfix wasn’t complete. He updated the code again, and posted a new archive for download. At this point, Matt posted the official announcement of the availability of WordPress 1.5.2.

Unfortunately, the security researcher downloaded the faulty 1.5.2 archive (before it was announced, remember), and concluded that the new release was still vulnerable. But again, this is not the case. If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.

The only problem here was one of communication. In the interest of fairness, Stefan acknowledged the update (though in a confrontational manner).

UPDATE: As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Blogs, Community, Security, Software, WordPress and tagged , . Bookmark the permalink.

29 Responses to WordPress 1.5.2 Security FUD

  1. Pingback: Planeta WordPress

  2. Pingback: ryan kennedy’s blog

  3. Pingback: The RSS Blog

  4. Pingback: SitePoint Blogs

  5. Pingback: alexking.org: Blog

  6. Pingback: Marc Abramowitz » Blog Archive » My opinion of the WordPress 1.5.2 debacle

  7. Pingback: no wow

  8. Pingback: WordPress 1.5.2 [rebelpixel productions]

  9. Pingback: The Ten Thousand Year Blog » Blog Archive » Newer version of WordPress (1.5.2) available for download

  10. Pingback: Basic Thinking Blog » Wordpress: Ganz schlechtes Releasemanagement

  11. Pingback: WordPress Station » Blog Archive » WordPress 1.5.2 Security FUD

  12. Pingback: WordPress Security Annoyances | no wow

  13. Pingback: The WordPress Security Update — SitePoint

Leave a Reply