By N2H

Archive for the 'Bugs' Category

WordPress 2.6.2 Release

As most o’ ye have likely already seen in yer Dashboard, yesterday afternoon saw th’ official WordPress 2.6.2 Release. And as mentioned in th’ comments on me initial news break on th’ 2.6.2 Beta, th’ focus is on two security patches t’ cover weaknesses in PHP’s random number generation (which affects password encryption strength), and in MySQL’s field length checkin’. These weren’t (technically) security bugs in WordPress, per se, but in th’ underlyin’ PHP/MySQL stack. Fortunately, we’re able t’ route aroun’ them. This be mainly a problem if yer site allows users t’ register fer a user login; however, I would still recommend this upgrade fer all users, just t’ be on th’ safe side.

For those o’ ye who are PHP/MySQL developers yourselves, I highly recommend readin’ Stefan Esser’s explanation o’ th’ PHP mt_srand() bug and th’ MySQL SQL Column Truncation issue. The ornery cuss provides some really good detail o’ th’ problems. Stefan is also th’ developer o’ th’ PHP Suhosin module, which provides extra security-related features and protections t’ PHP.

It’s also important t’ note that these problems don’t just affect WordPress — many other PHP/MySQL applications could be vulnerable t’ future problems if they don’t examine and patch their code.

WordPress 2.6.1-beta1

I’m surprised that I haven’t seen mention o’ this from other channels yet (official or unofficial), but two days ago, SVN revision 8561 o’ th’ WordPress 2.6 branch were labeled as WordPress version 2.6.1-beta1. The log messages reveal that most changes since th’ 2.6 release are minor bug and typo fixes. A few o’ th’ more interestin’ bits that jump out at me are:

  • Allow disablin’ password reset per-user.
  • Query functions now allow a comma-separated list o’ post_status values.
  • Several more link generation bits are made SSL-aware.
  • Advertise th’ Atom 1.0 feed in th’ default theme.
  • Atom API uses th’ newer WP authentication functions.
  • Fix fer an object cachin’ bug in plugin updates.