Comments on: WordPress 1.5.2 Security FUD

By: WordPress Security Annoyances | no wow

WordPress Security Annoyances | no wow — Sat, 03 Mar 2007 03:11:39 +0000

[...] comments from the WordPress crowd are a bit weak in my opinion. If there’s FUD about WordPress’ [...]

By: logtar

logtar — Mon, 22 Aug 2005 20:42:16 +0000

Upgrading is SIMPLE, got it done, been so lazy lately.

By: WordPress Station » Blog Archive » WordPress 1.5.2 Security FUD

WordPress Station » Blog Archive » WordPress 1.5.2 Security FUD — Sun, 21 Aug 2005 17:50:41 +0000

[...] Dougal Campbell writes at hisgeek ramblings about the confusion and clarifications regarding the most recent security update, 1.5.2. [...]

By: Basic Thinking Blog » Wordpress: Ganz schlechtes Releasemanagement

Basic Thinking Blog » Wordpress: Ganz schlechtes Releasemanagement — Sun, 21 Aug 2005 15:56:30 +0000

[...] dear guys from Wordpress, dont mess with good versioning and information policy. Regarding the security story with WP 1.5.2, your reaction, still missing an official statement, i am somehow disappointed, that your information policy is that bad. Is it that hard to report all relevant news onto wordpress.org? [...]

By: Robert

Robert — Sun, 21 Aug 2005 15:25:30 +0000

How do i know if my WP 1.5.2. is ok or not?

By: The Ten Thousand Year Blog » Blog Archive » Newer version of WordPress (1.5.2) available for download

Fri, 19 Aug 2005 04:40:54 +0000

[...] Due to a security issue uncovered after the initial announcement of version 1.5.2 of WordPress, anyone who downloaded it late Sunday night (August 14, 02005) should check that they have the latest version of wp-settings.php, according to the WordPress Development Blog, and this interesting post and comments in Doug Campbell’s Geek Ramblings blog. [...]

By: POS Software

POS Software — Fri, 19 Aug 2005 01:27:29 +0000

Well, I fully agree with your comment.

BTW: I visited your blog earlier today and I just wanted to congratulate you on a well presented, and informative resource.

It’s not often that I come across a web site that offers a wealth of quality.

Martin (aka POS Software Man)

By: Stefan

Stefan — Thu, 18 Aug 2005 18:12:39 +0000

LOL @ Stefan (not Esser)

I wish people like you would not make things up to get arguments. Show me an instance, where I have disclosed stuff before the developer was contacted.

By: Stefan (not Esser)

Stefan (not Esser) — Thu, 18 Aug 2005 17:48:06 +0000

I don’t like the idea that the ends justify the means. I see a lot of people saying that they don’t agree with the way Stefan behaves but appreciate his work. While I can agree that he often makes a positive impact, I don’t think it’s unreasonable to expect more mature behavior. The point is, Stefan could make a really positive impact, but the harm he does often matches the good he does. With a bit more professionalism, he could do really great things for us all. I do appreciate his work, but I can’t help but be very disappointed with his behavior. And I’m not just talking about the way he talks, but also his actions.

I won’t point to specific instances, but he has a habit of public disclosure before a vulnerability has been fixed. There have even been cases where he has done this before notifying the developers. In cases where he does contact the developers first (like this one), he likes to publicize an exploit in the wild (if there is one) or “warn” users of the vulnerability, claiming that nothing short of irresponsibility could be the reason that no fix is available yet. This does not help.

So, while I find fault in the way Wordpress handled this particular event, I can’t excuse Stefan’s irresponsible and immature behavior. I say foul.

By: markku

markku — Thu, 18 Aug 2005 16:44:16 +0000

Dougal, releasing the updated package as version 1.5.2.1 or whatever unique version number would’ve been more advisable. It removes any confusion concerning the quality (with respect to the reported vulnerability) of the code that is within the hands of the users. I had 1.5.2, but I didn’t know I was still vulnerable.