WordPress 3.3.2 (and WordPress 3.4 Beta 3)

WordPress 3.3.2 is available now and is a security update for all previous versions.

Three external libraries included in WordPress received security updates:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

Thanks to Neal Poole and Nathan Partlan for responsibly disclosing the bugs in Plupload and SWFUpload, and Szymon Gruszecki for a separate bug in SWFUpload.

WordPress 3.3.2 also addresses:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.

Download WordPress 3.3.2 or update now from the Dashboard → Updates menu in your site’s admin area.


WordPress 3.4 Beta 3 also available

Our development of WordPress 3.4 continues. Today we are proud to release Beta 3 for testing. Nearly 90 changes have been made since Beta 2, released 9 days ago. (We are aiming for a beta every week.)

This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. (See the known issues here.) If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’s famous 5-minute install and spin up a secondary test site. Let us know what you think!

Version 3.4 Beta 3 includes all of the fixes included in version 3.3.2. Download WordPress 3.4 Beta 3 or use the WordPress Beta Tester plugin.

WordPress 3.3 Release Candidate 3

The third (and hopefully final!) release candidate for WordPress 3.3 is now available. Since RC2, we’ve done a handful of last-minute tweaks and bugfixes that we felt were necessary.

Our goal is to release version 3.3 early next week, so plugin and theme authors, this is your last pre-release chance to test your plugins and themes to find any compatibility issues before the final release. We’ve published a number of posts on the development blog that explain important things you need to know as you prepare for WordPress 3.3. Please review this information immediately if you have not done so already.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a reproducible bug report, file one on WordPress Trac. Known issues that crop up will be listed here, but let’s all keep our fingers crossed for a quiet Sunday so we can get these new features into your hands early next week!

To test WordPress 3.3, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

WordPress 3.3 Release Candidate 2

The second release candidate for WordPress 3.3 is now available!

As the first release candidate was well-received, we think we’re really close to a final release. Primarily, we’ve ensured that the new toolbar (the admin bar in 3.2) has a consistent appearance across all browsers, and the API for developers is now final. You can check our bug tracker for the complete list of changes.

Plugin and theme authors, please test your plugins and themes now, so that if there is a compatibility issue, we can figure it out before the final release. On our development blog, we’ve published a number of posts that explain important things you need to know as you prepare for WordPress 3.3.

If you haven’t tested WordPress 3.3 yet, now is the time — please though, not on your live site unless you’re adventurous. Once you install RC2, you can visit the About WordPress page (hover over the WordPress logo in the top left) to see an overview of what’s to come in WordPress 3.3 (and what to test, of course).

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a reproducible bug report, file one on WordPress Trac. Known issues that crop up will be listed here.

Enjoy!

To test WordPress 3.3, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

Sometimes time slows down
between releases – like now
This is RC2

WordPress 3.2 Release Candidate

The first release candidate (RC1) for WordPress 3.2 is now available.

An RC comes after the beta period and before final release. We think we’re done, but with tens of millions of users, a variety of configurations, and thousands of plugins, it’s possible we’ve missed something. So if you haven’t tested WordPress 3.2 yet, now is the time! Please though, not on your live site unless you’re extra adventurous.

Things to keep in mind:

  • With more than 350 tickets closed, there are plenty of changes. Plugin and theme authors, please test your plugins and themes now, so that if there is a compatibility issue, we can figure it out before the final release.
  • Users are also encouraged to test things out. If you find problems, let your plugin/theme authors know so they can figure out the cause.
  • Twenty Eleven isn’t quite at the release candidate stage. Contents may settle.
  • If any known issues crop up, you’ll be able to find them here.

If you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

To test WordPress 3.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

Happy testing!

If you’d like to know which levers to pull in your testing, check out a list of features in our Beta 1 post.

WordPress 3.1.3 (and WordPress 3.2 Beta 2)

WordPress 3.1.3 is available now and is a security update for all previous versions. It contains the following security fixes and enhancements:

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.

Consult the change log for more details.

Download WordPress 3.1.3 or update automatically from the Dashboard → Updates menu in your site’s admin area.


WordPress 3.2 Beta 2 also available

In other news, our development of WordPress 3.2 continues right on schedule. We released Beta 1 thirteen days ago, and today we’re putting out Beta 2 for your testing pleasure.

This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’ famous 5-minute install and spin up a secondary test site. Let us know what you think!

The plan is to start putting out release candidates in early June, and to release WordPress 3.2 by the end of the month. The more you help us iron out issues during the beta period, the more likely we are to hit those dates. To misappropriate and mangle a quote from Mahatma Gandhi: “Be the punctuality you want to see in the WordPress.” In other words, test now!

Here are some of the things that changed since Beta 1:

  • Google Chrome Frame is now supported in the admin, if you have it installed. This is especially useful for IE 6 users (remember, IE 6 is otherwise deprecated for the admin).
  • The admin is less ugly in IE 7.
  • The blue admin color scheme has caught up to the grey one, and is ready for testing.
  • We are now bundling jQuery 1.6.1. You should test any JS that uses jQuery. WordPress JavaScript guru Andrew Ozz has a post with more info.

Download WordPress 3.2 Beta 2
