WordPress 1.5.2 Security FUD

There is some misleading FUD going around about a vulnerability in WordPress 1.5.2.

Let’s get this out of the way plainly: There is not a code execution vulnerability in WordPress 1.5.2.

Now, a little more explanation of how this came into question: There was some communication between the person who discovered the problem (Stefan Esser, to the best of my knowledge) and Matt. Matt formulated a fix, which was checked into the repository and which went through a couple of iterations. At some point, Matt posted a new downloadable archive on wordpress.org. But then he realized that the bugfix wasn’t complete. He updated the code again, and posted a new archive for download. At this point, Matt posted the official announcement of the availability of WordPress 1.5.2.

Unfortunately, the security researcher downloaded the faulty 1.5.2 archive (before it was announced, remember), and concluded that the new release was still vulnerable. But again, this is not the case. If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.

The only problem here was one of communication. In the interest of fairness, Stefan acknowledged the update (though in a confrontational manner).

UPDATE: As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. (Those two times don’t agree: 09:00 EDT is 13:00 UTC, not 05:00. If in doubt, treat any archive fetched on August 15 before the later of the two as suspect and re-download.) Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.

Server trouble

My server has experienced some downtime over the last couple of days. Probably my own fault, due to some changes I made in some service monitor scripts. After trying to manually wrangle things for a while and still experiencing mysterious performance issues, I finally rebooted the box this morning. Hopefully this will return the site to a more acceptable level of performance. So far, so good.

WordPress 1.5.2

Announcing WordPress 1.5.2, now available for download. Owen Winkler has a good plain-English description of the changes.

There is a security-related bugfix in this release. The problem only affects servers that have register_globals turned on (it should be off; it is a PHP setting, not a WordPress one). If that is the case for your server, or if you aren’t sure, then you definitely should upgrade.
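To show why register_globals matters, here is an added illustration of the class of problem it creates. It is my own example, not the WordPress 1.5.2 code or its fix, and the `$authorized` flag, the password and the request array are hypothetical. Because PHP removed the setting in 5.4, its effect is emulated so the snippet runs on current PHP; the last function is the kind of startup check you can add to refuse to run when the setting is on.

```php
<?php
// Added illustration of the register_globals problem class; not the WordPress
// 1.5.2 code or its fix. $authorized, the password and the request array are
// hypothetical. Runs on PHP >= 7; the setting itself was removed in PHP 5.4,
// so its effect is emulated below.

// With register_globals=On the engine did roughly this before your script ran:
// every GET/POST/cookie parameter became a global variable of the same name.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $authorized is only ever assigned on success and is read
// from the global scope, so an attacker-supplied "authorized=1" in the query
// string seeds it with a truthy value before the check runs.
function vulnerable_is_authorized(string $password): bool
{
    global $authorized;
    if ($password === 'correct horse battery staple') {
        $authorized = true;
    }
    return (bool) $authorized;
}

// Hardened pattern: the flag is initialized before use, and request data is
// received explicitly (here it is deliberately not consulted at all), so
// nothing the client sends can become control state.
function hardened_is_authorized(string $password, array $get): bool
{
    $authorized = false;
    if ($password === 'correct horse battery staple') {
        $authorized = true;
    }
    unset($get);
    return $authorized;
}

// Startup check: refuse to run when the setting is on. Turn it off globally in
// php.ini with "register_globals = Off", or per directory under Apache mod_php
// with "php_flag register_globals off" in .htaccess.
function register_globals_enabled(): bool
{
    // ini_get() returns false when the directive does not exist (PHP >= 5.4),
    // which filter_var() maps to false.
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (register_globals_enabled()) {
    trigger_error('register_globals is enabled; refusing to run', E_USER_ERROR);
}

// Constructed request: a wrong password plus an attacker-supplied authorized=1.
$attack = ['authorized' => '1'];
emulate_register_globals($attack);

// The vulnerable check accepts the wrong password once "authorized" is in the
// request; the hardened one does not.
var_dump(vulnerable_is_authorized('wrong'));
var_dump(hardened_is_authorized('wrong', $attack));
```

The vulnerable function is exactly the shape that register_globals turns into an authentication bypass: any variable that is only assigned on one path and read on another. The fix is not to sanitize the request but to initialize every variable and read input only from `$_GET`, `$_POST` and friends; turning the setting off removes the whole class.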

Other changes include:

  • New API hooks relating to comment notification emails
  • New category-related API hooks
  • Improvements to the RSS feed for comments
  • Posting new articles is now faster
  • There is now a “Save and Continue Editing” button for Pages, like there is for Posts
  • Bugfixes related to posting via the XML-RPC interface (content encoding, categories, and API hooks)
  • Bugfixes for pingbacks (which were sometimes sent, even when turned off)
  • Various and sundry other bugfixes and legacy code cleanups

blo.gs update

An update on the ongoing problem with blo.gs updates

Blo.gs is still reporting erroneous updates. Not as many as before, but still enough to be a problem. And I know why. As previously theorized, after Yahoo! took over the service, they began feeding it updates from their RSS sources. The problem is that there are many feeds for comments which (obviously) update more frequently than the main site content. Unfortunately, there’s probably not a foolproof way for Yahoo! to differentiate between a “content feed” and a “comment feed”.

I think that they could fix most of the problem programmatically, though. It will require that they do some cross-checking, and store additional data about which feed for a site is the “main” one. They need to look at the <link> element for a feed and see where it points. Then check that URI, and see which feeds it lists. The first RSS/Atom feed listed should be considered authoritative for that site. It’s not a 100% guarantee, but I bet it would fix most of the problems, without too many bad side-effects.
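The cross-check described above, as an added example in PHP. This is my own illustration of the heuristic, not blo.gs or Yahoo! code. Page fetching is replaced by an in-memory map of constructed pages so it runs offline, and every URL is made up. It handles both RSS 2.0 and Atom feeds for the first step, and shows the main feed passing the check while a per-post comment feed fails it.

```php
<?php
// Added, illustrative implementation of the cross-check proposed in the post;
// not blo.gs or Yahoo! code. Fetching is replaced by an in-memory map of
// constructed pages so it runs offline, and all URLs are made up. PHP >= 7.4.

// The home page a feed claims to belong to: RSS 2.0 <channel><link>, or the
// Atom <link rel="alternate"> on the feed element. Null if there is none.
function feed_site_link(string $feed_xml): ?string
{
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($feed_xml);
    if ($xml === false) {
        return null;
    }
    if (isset($xml->channel->link)) {
        return trim((string) $xml->channel->link);
    }
    $xml->registerXPathNamespace('a', 'http://www.w3.org/2005/Atom');
    foreach ($xml->xpath('/a:feed/a:link') ?: [] as $link) {
        $rel = isset($link['rel']) ? (string) $link['rel'] : 'alternate';
        if ($rel === 'alternate' && isset($link['href'])) {
            return trim((string) $link['href']);
        }
    }
    return null;
}

// Absolute URL for an href that may be root-relative (enough for this demo).
function resolve_url(string $href, string $base): string
{
    if (preg_match('#^https?://#i', $href)) {
        return $href;
    }
    $p = parse_url($base);
    return $p['scheme'] . '://' . $p['host'] . '/' . ltrim($href, '/');
}

// Feeds a page advertises through <link rel="alternate"> with an RSS or Atom
// MIME type, in document order.
function advertised_feeds(string $html, string $base): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $xp = new DOMXPath($doc);
    $feeds = [];
    foreach ($xp->query('//link[@rel and @type and @href]') as $el) {
        $rel  = strtolower($el->getAttribute('rel'));
        $type = strtolower($el->getAttribute('type'));
        if ($rel === 'alternate' && in_array($type, ['application/rss+xml', 'application/atom+xml'], true)) {
            $feeds[] = resolve_url($el->getAttribute('href'), $base);
        }
    }
    return $feeds;
}

// The post's rule: a feed is authoritative for its site only when the page its
// <link> points to lists that same feed first. Comment feeds, category feeds
// and feeds whose <link> points somewhere unrelated all fail this test.
function is_authoritative_feed(string $feed_url, string $feed_xml, callable $fetch): bool
{
    $site = feed_site_link($feed_xml);
    if ($site === null) {
        return false;
    }
    $html = $fetch($site);
    if ($html === null) {
        return false;
    }
    $feeds = advertised_feeds($html, $site);
    return $feeds !== [] && $feeds[0] === $feed_url;
}

// Constructed site: a home page and one post page, each advertising the main
// feed first and a comment feed second, plus the two feeds themselves.
$pages = [
    'http://example.org/' => '<html><head>
        <link rel="alternate" type="application/rss+xml" title="Posts" href="/feed/">
        <link rel="alternate" type="application/rss+xml" title="Comments" href="/comments/feed/">
        </head><body></body></html>',
    'http://example.org/2005/08/hello/' => '<html><head>
        <link rel="alternate" type="application/rss+xml" title="Posts" href="/feed/">
        <link rel="alternate" type="application/rss+xml" title="Comments on Hello" href="/2005/08/hello/feed/">
        </head><body></body></html>',
];
$fetch = fn(string $url): ?string => $pages[$url] ?? null;

$main_feed = '<rss version="2.0"><channel><title>Example</title><link>http://example.org/</link></channel></rss>';
$comments_feed = '<rss version="2.0"><channel><title>Comments on Hello</title><link>http://example.org/2005/08/hello/</link></channel></rss>';

// The main feed passes (its page lists it first); the per-post comment feed
// fails (the post page lists the main feed first), so it would not be
// reported as a site update.
var_dump(is_authoritative_feed('http://example.org/feed/', $main_feed, $fetch));
var_dump(is_authoritative_feed('http://example.org/2005/08/hello/feed/', $comments_feed, $fetch));
```

Two caveats a deployment would need that the demo skips: the feed’s <link> is attacker-controlled, so the fetch of that URI has to be rate-limited and restricted to public hosts, and the resolver here only handles absolute and root-relative hrefs, not the full RFC 3986 relative-reference rules.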

I’ve sent this idea to my contact at Yahoo!, though I’m sure that they probably have already kicked plenty of ideas around, and are probably quietly working on their own solution. Hopefully we’ll continue to see improvements in the quality of the blo.gs data as time goes on.

That’s a bad thing?

There’s no telling how this post is going to affect my Google ads or my status in certain website blocking systems, but here we go…

We’ve all seen television commercials for Viagra, Cialis and other “male performance enhancement” medications. And depending on your particular sensitivities, you might be embarrassed, amused, or intrigued by these things. I probably fall in the middle group. What I love about these advertisements are the legal disclaimers.

“Certain sexual side-effects may occur.”

What, exactly, do they mean by a “sexual side-effect”? I mean, is that a bad thing? Be more specific, please. If the “sexual side-effect” is that it allows men to have multiple orgasms, then sign me up!

“If an erection lasts more than four hours, consult your doctor immediately.”

Heck, if the erection lasts more than four hours, you’re probably too busy with your wife to worry about calling your doctor. Again, they say this like it’s a bad thing, and I just don’t get that.

The Real Round Up

Whoops, I forgot to rename that previous post, since I didn’t actually post the round up. So, this post will be the real round up… Sort of. I had some other links I wanted to post, but I lost them.

Round up

I was going to post several small items yesterday, to make up for the lull in activity, but my server was down for the better part of the day. When the other admin finally got it rebooted, some of the database tables had some minor corruption, so if you visited late yesterday you might have seen some warning messages. I was able to run some repairs, and everything seems to be happy again, now.

I already run automated backups of all my database tables, which get mailed to an external email account. And there is also an automated backup of the rest of the system, run by the hosting company, but I don’t have direct access to those. So, the long downtime yesterday reminded me that there are a lot of things on this server that I don’t have local backups of (my web site designs, vhost config customizations, email lists, and various other programs and files). I need to correct that.

We recently got Susan a laptop of her own, since I’ve been monopolizing our “shared” laptop for quite a while now. What I’ll probably do now is to backup some data from my VAIO, nuke it (maybe dual boot WinXP & Linux), and with the newly freed space, I should be able to keep most of my critical stuff rsynched between it and the server.

Review: Wolfgang Puck’s Gourmet French Vanilla Latte


A so-so product in a nifty can


Aug 3, 2005

by Dougal Campbell



This morning, I tried out one of those self-heating coffee drinks, in particular the French Vanilla Latte from Wolfgang Puck. Many geeks have been interested in discussing the can technology, which is simple, yet interesting. But what about the beverage itself?

Okay, before I discuss how the “latte” tastes, let me say this: the self-heating can is pretty cool — er, I mean hot. I followed the instructions, and a few minutes later, I had a beverage hot enough to burn my tongue. I do find it mildly annoying, however, that the first couple of steps require you to start with the can upside-down. I don’t know why that bugs me, but it does. Surely they’ll eventually redesign these things to reduce the acrobatics.

Okay, so I’ve got a hot beverage. How does it taste? Let’s just say that it’s nothing to write home about. In fact, I was pretty disappointed. My overall impression: too watery, too sweet, and a definite “artificial flavor” aftertaste. If I was Douglas Adams, I’d probably describe it as something almost, but not quite entirely, unlike a latte. Sorry, Wolfie, but I’d much rather spend my two bucks on an ice-cold can of Starbucks Doubleshot. It tastes much better, and they have a good ad campaign, to boot.


Yarrr!

Don’t forget: Talk Like a Pirate Day is only about six weeks away. I’m going to get a customized golf shirt made for the occasion. It’s pretty convenient to have in-laws who own an embroidery business.

<plug>
Visit Hometown Threads, Your Embroidery Headquarters!
Located inside the Wal-Mart on Highway 92 in Woodstock, Georgia
770-591-9264
</plug>

I’ve picked out the main pirate design that I want on the shirt. I just need to decide what text I want on it. Pictures to come…