Geof's Relentless Kvetching About WordPress

Thoughts and Complaints About WordPress

Start the Clock on WP 2.2.2

with 5 comments

There’s a vulnerability in WP 2.2.1; BlogSecurity brought it to my attention. After being burned by vulnerabilities before—and having gotten absolutely slammed over the weekend with HTTP requests—I worry about this security hole.

Note: Coblentz discovered the bug on 21 Jun and reported it on 22 Jun. When did WP reply? 5 Jul, three days after a second notification. Indeed, the first notification came the same day as Matt Mullenweg raked Wincent Colaiuta over the coals.

Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.

Indeed, it is. In fact, it’s possible that there are other security fixes in the works for WP 2.2.2, ones that have been reported to the devs and not put out on SecurityFocus. Maybe WP 2.2.2 drops tonight. But in the meantime, I have a nagging worry and no response. Unsettling.

Written by Geof F. Morris

Mon 09-Jul-2007 at 19:29

Posted in On WordPress

5 Responses


  1. I think you’re getting drawn in by sensationalists.

    Matt

    Tue 10-Jul-2007 at 00:30

  2. Perhaps I am, Matt, but that’s because Nature abhors a vacuum, and we’re getting nothing from the WP devs—no scope of the bug’s reach, no determination of its severity, no timeline for having the fix published. I’d argue that you have a much bigger PR problem than you have a code problem.

    Geof F. Morris

    Tue 10-Jul-2007 at 07:06

  3. What exactly do you want us to say?

    If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it waits for the next regular release, but we get raked over by folks who think every little problem is the sky falling.

    Matt

    Tue 10-Jul-2007 at 16:48

  4. This seems like an extremely low-risk problem. All you can do with it is redirect from one site to another. Okay, so that could be the cause of other issues, but it’s not like anybody can break into your site with this or anything.

    Otto

    Wed 11-Jul-2007 at 09:47

  5. […] Appropriate Response August 4th, 2007 Back in July when I last wrote here, Matt asked: What exactly do you want us to […]
