Start the Clock on WP 2.2.2

Mon 09-Jul-2007

There’s a vulnerability in WP 2.2.1, which BlogSecurity brought to my attention. After being burned by vulnerabilities before—and having gotten absolutely slammed over the weekend with HTTP requests—I worry about this security hole.

Note: Coblentz discovered the bug on 21 Jun and reported it on 22 Jun. When did WP reply? 5 Jul, three days after a second notification. Indeed, the first notification came the same day as Matt Mullenweg raked Wincent Colaiuta over the coals.

Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.

Indeed, it is. In fact, it’s possible that there are other security fixes in the works for WP 2.2.2, ones that have been reported to the devs and not put out on SecurityFocus. Maybe WP 2.2.2 drops tonight. But in the meantime, I have a nagging worry and no response. Unsettling.

5 Responses to “Start the Clock on WP 2.2.2”

  1. Matt Says:

    I think you’re getting drawn in by sensationalists.

  2. Geof F. Morris Says:

    Perhaps I am, Matt, but that’s because Nature abhors a vacuum, and we’re getting nothing from the WP devs—no scope of the bug’s reach, no determination of its severity, no timeline for having the fix published. I’d argue that you have a much bigger PR problem than you have a code problem.

  3. Matt Says:

    What exactly do you want us to say?

    If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it waits for the next regular release, but we get raked over folks who think every little problem is the sky falling.

  4. Otto Says:

    This seems like an extremely low-risk problem. All you can do with it is redirect from one site to another. Okay, so that could be the cause of other issues, but it’s not like anybody can break into your site with this or anything.

  5. An Appropriate Response « Geof’s Relentless Kvetching About WordPress Says:

    [...] Appropriate Response August 4th, 2007 Back in July when I last wrote here, Matt asked: What exactly do you want us to [...]