WordPress 3.9.2 Sicherheitsupdate
Für WordPress wurde die Version 3.9.2 zum download bereit gestellt.
Die Version behebt eine Lücke die es in einem unwarscheinlichen fall ermöglichen könnte Code beim verabeiten eines Widgets ausführen könnte. Außerdem verhindert sie die Möglichkeit Informationen über die GetID3 Bibliothek zu erlangen, der Schutz gegen brute force Angriffe gegen CSRF Tokens wurde genau wie der Schutz gegen cros-site scripting verbessert.
Lesen sie den original Beitrag von Andrew Nacin
WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and this release was also coordinated with the Drupal security team. WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes. Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”. Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.) Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.