WordPress 3.5.2 released

Estimated reading time: 1 minute.

WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.

One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

Leave a Reply