WordPress 3.6.1 Latest Update Released – Includes Many Security Fixes

The WordPress team just pushed out a new version of WordPress. WordPress 3.6.1 is a maintenance release that includes some security bug fixes. Straight from their release post, these are the security changes:

  1. Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  2. Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  3. Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
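The third item, together with the "Validate referrers to prevent off-domain redirects" and "Better protocol validation in set_url_scheme()" entries in the change log, is about the open-redirect class of bug. The following is an added example, not WordPress's own code, of the checks a hardened redirect helper needs: only http/https, an exact host allow-list, and no protocol-relative or control-character tricks. The `safe_redirect_target()` function, the `blog.example.com` host and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not WordPress code): decide whether a requested redirect
// target may be followed, or whether the site should fall back to $fallback.
// $allowed_hosts and the sample inputs are constructed for illustration.

function safe_redirect_target(string $target, array $allowed_hosts, string $fallback): string
{
    // Control characters, whitespace and backslashes can confuse the browser's
    // URL parser (e.g. "/\host" is treated like "//host"), so refuse them outright.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return $fallback;
    }

    // A plain relative path stays on-site; a protocol-relative "//host" does not.
    if ($target[0] === '/' && (strlen($target) < 2 || $target[1] !== '/')) {
        return $target;
    }

    $parts = parse_url($target);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;
    }

    // Only http/https: "javascript:", "data:" and scheme-less "//evil" are refused.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // Exact host match: a suffix such as blog.example.com.attacker.example fails.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }

    return $target;
}

$allowed = ['blog.example.com'];          // constructed allow-list
$home    = 'https://blog.example.com/';   // constructed fallback
$samples = [                              // constructed inputs
    '/wp-admin/edit.php',                           // kept: relative path
    'https://blog.example.com/?p=1',                // kept: allowed host
    '//attacker.example/phish',                     // fallback: protocol-relative
    'https://blog.example.com.attacker.example/',   // fallback: wrong host
    'javascript:alert(1)',                          // fallback: bad scheme
    "https://blog.example.com/\r\nLocation: x",     // fallback: control chars
];
foreach ($samples as $s) {
    printf("%-46s -> %s\n", $s, safe_redirect_target($s, $allowed, $home));
}
```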

The release also tightened the allowed upload file types: .swf and .exe were removed from the list, and users who cannot post unfiltered HTML can no longer upload .html or .htm files. This makes sense; it would be a little silly to let Authors upload an .html file while not allowing them to use <script> in a post, for example.

Quick Diff List

There wasn't a significant number of changes in this maintenance release. Below is a quick reference of the files changed and a list of the actual changes from the branch logs.

Files Changed
readme.html
wp-admin/about.php
wp-admin/nav-menus.php
wp-admin/includes/post.php
wp-admin/includes/update-core.php
wp-admin/includes/template.php
wp-admin/network/upgrade.php
wp-admin/js/common.js
wp-includes/pluggable.php
wp-includes/comment-template.php
wp-includes/post-template.php
wp-includes/version.php
wp-includes/theme.php
wp-includes/functions.php
wp-includes/ms-functions.php
wp-includes/link-template.php
wp-includes/class-http.php
wp-includes/js/jquery/jquery.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js
wp-includes/js/tinymce/wp-tinymce.js.gz

Change Log

@25345 Avoid error in ms-files.php after [25317] (merged as [25322]). Merges …
@25341 Avoid string offset notices in [25319] (merged as [25324]). Merges [25340] …
@25339 Improve clarity and speed of [25320] (merged as [25325]). Merges [25338] …
@25336 Update TinyMCE for [25187]. see #25131.
@25326 3.6.1-RC1
@25325 Loose validation for is_serialized() in maybe_serialize(). Merges [25320] …
@25324 Better protocol validation in set_url_scheme(). Merges [25319] to 3.6.
@25323 Validate referrers to prevent off-domain redirects. Merges [25318] to 3.6.
@25322 Tighten allowed upload file types. Merges [25317] to 3.6.
@25321 Ignore user ID post data. Merges [25316] to 3.6.
@25247 3.6.1-beta1.
@25236 Fix 'html5' theme support. * Merge, rather than replace, on second add. …
@25233 Remove display of 'Previously restored by' in the revisions meta box as it …
@25232 Nav menus: Allow assigning a new menu to an existing location when no …
@25198 Case sensitivity for is_email_address_unsafe(). Merges [25197] to the 3.6 …
@25192 Hide 'Database Upgrade Required' on admin/network/upgrade.php when you are …
@25187 TinyMCE: fix editor focus issues after ontouchstart event on the parent …
@25185 Fix menu folding on new installs. fixes #24921 for 3.6.
@25184 Revert [23307] so new users in multisite are not automatically subscribers …
@25152 Make sure $args is an array before treating it as such. fixes #25151 for …
@25118 Avoid displaying multiple instances of the same feature pointers on a …
@25074 The 3.6 branch is 3.6.1-alpha.
@25073 Remove sourceMappingURL from jquery.min.js. Merges [25072] to the 3.6 …
@25052 WP_HTTP: Curl: When using Stream-to-file on servers using …
@25014 Remove zero-byte files that were meant to be deleted in [23446]. see …


Please make sure to update as soon as you can; it's not super awesome to be running around with old and insecure versions of any software.

Vishwajit Kale
Vishwajit Kale blazed onto the digital marketing scene back in 2015 and is the digital marketing strategist of Hostripples, a company that aims to provide affordable web hosting solutions. Vishwajit is experienced in digital and content marketing along with SEO. He's fond of writing technology blogs, traveling and reading.
