As most of you have probably already seen in your Dashboard, yesterday afternoon saw the official WordPress 2.6.2 Release. And as mentioned in the comments on my intitial news break on the 2.6.2 Beta, the focus is on two security patches to cover weaknesses in PHP’s random number generation (which affects password encryption strength), and in MySQL’s field length checking. These weren’t (technically) security bugs in WordPress, per se, but in the underlying PHP/MySQL stack. Fortunately, we’re able to route around them. This is mainly a problem if your site allows users to register for a user login, however, I would still recommend this upgrade for all users, just to be on the safe side.
For those of you who are PHP/MySQL developers yourselves, I highly recommend reading Stefan Esser’s explanation of the PHP mt_srand() bug and the MySQL SQL Column Truncation issue. He provides some really good detail of the problems. Stefan is also the developer of the PHP Suhosin module, which provides extra security-related features and protections to PHP.
It’s also important to note that these problems don’t just affect WordPress — many other PHP/MySQL applications could be vulnerable to future problems if they don’t examine and patch their code.