Well, it was only a few weeks ago that 3.4 came out, but today two new patches were released: 3.3.3 and 3.4.1.
The good news is that, as they are patch releases, the updates should be fairly straightforward and should not cause many, if any, issues. It is important to note, though, that these are Maintenance and Security releases. In their official post they highlight the following items:
- Fixes an issue where a theme’s page templates were sometimes not detected.
- Addresses problems with some category permalink structures.
- Adds early support for uploading images on iOS 6 devices.
- Allows for a technique commonly used by plugins to detect a network-wide activation.
- Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
Naturally, we were curious to know more about the security-specific items, so we asked, and this is what we got in return:
Addressed in 3.4.1
Specifics on the 3.4.1 updates can be found here: http://codex.wordpress.org/Version_3.4.1#Summary
- Privilege Escalations / Cross-Site Scripting (XSS): Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
- Cross-site Request Forgery (CSRF): Additional CSRF protection in the customizer.
- Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
- Hardening: Deprecating wp_explain_nonce(), which could reveal unnecessary information.
- Hardening: Require a child theme to be activated with its intended parent only.
Addressed in 3.3.3 (and 3.4)
Specifics on the 3.3.3 updates can be found here: http://codex.wordpress.org/Version_3.3.3#Summary
- Cross-Site Scripting: Fixed persistent XSS via editable slug fields.
- Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to).
- Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g. a contributor can’t read someone else’s draft beyond the title).
- Cross-Site Scripting (XSS): Hardening to escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement.
- Cross-site Request Forgery (XSRF) Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e., when the front-end of the site is loaded in a frame).
Big thanks to Andrew Nacin, one of the Core Developers, for providing more details around the security-related issues in this release.
The item of most concern in this post is the one affecting Multisite users: in 3.4.0, administrators and editors on a multisite network were accidentally given the unfiltered_html capability, which is a privilege escalation and XSS issue. If you run a multisite network and have not already done so, update to 3.4.1. As always, you should be running the latest version, which in this case is 3.4.1, but if you can’t for some reason, be sure to upgrade to 3.3.3 at a minimum.
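One practical check that follows from the guidance above, as an added example that is not part of the original post and not WordPress or Sucuri code: read the `$wp_version` string out of `wp-includes/version.php` (where WordPress stores it) and decide, per branch, whether the install is at or above the patched release named in this post (3.3.3 for the 3.3.x branch, 3.4.1 for the 3.4.x branch). The sample file contents are constructed for the example, and the status labels (`patched`, `vulnerable`, `unsupported`, `newer`) are this example's own convention.

```python
import re

# Minimum patched release on each branch this post says is still maintained.
# Assumption for this example: only these two branches are in scope.
PATCHED_MINIMUM = {
    (3, 3): (3, 3, 3),
    (3, 4): (3, 4, 1),
}

# Constructed sample of wp-includes/version.php; a real install has more in this file.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.4';
"""


def version_tuple(text):
    """Turn '3.4' into (3, 4, 0) and '3.4.1' into (3, 4, 1).

    Pre-release suffixes such as '3.5-beta1' are dropped, so a beta counts
    as the base version of its branch.
    """
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_wp_version(version_php):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    return version_tuple(match.group(1))


def assess(version):
    """Classify a version tuple against the patched minimum for its branch."""
    branch = version[:2]
    if branch < (3, 3):
        return "unsupported"      # branch no longer receives security fixes
    if branch not in PATCHED_MINIMUM:
        return "newer"            # a branch this post does not cover
    return "patched" if version >= PATCHED_MINIMUM[branch] else "vulnerable"


def check_install(version_php):
    """Return (version, status) for the contents of a version.php file."""
    version = parse_wp_version(version_php)
    return version, assess(version)


if __name__ == "__main__":
    # On a real server: check_install(open("/path/to/wp-includes/version.php").read())
    print(check_install(SAMPLE_VERSION_PHP))  # ((3, 4, 0), 'vulnerable')
```

Run it against each site's `wp-includes/version.php` when you manage more than one install; a 3.4 site reports `vulnerable` until it is on 3.4.1, and a 3.3.x site reports `vulnerable` until it is on 3.3.3. Anything below 3.3 gets no security fixes at all and should simply be upgraded.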
For those who might find themselves wondering, “umm, why release 3.3.3 at all?”, I have some info on that too.
For roughly the past two years the Core team has been maintaining two active branches, which most people probably don’t know. Once the next major release, in this case 3.5, reaches its Beta release, support for 3.3.x will cease and the focus will shift to maintaining 3.4.x and the upcoming release.
What’s important to note about this process is that it exists specifically to backport security fixes. The expectation is not that people opt out of the latest release in favor of an older version that is patched; rather, it is designed to accommodate setups that are unable to upgrade to a major release in a timely manner. The guidance and recommendation is, and always will be: if you’re capable, update.
If you have any questions or concerns about this post please do not hesitate to contact us at firstname.lastname@example.org.