Path to this page:
Subject: CVS commit: pkgsrc/www/wordpress
From: Daniel Horecki
Date: 2020-11-01 16:06:09
Message id: 20201101150609.1E2C9FB28@cvs.NetBSD.org
Log Message:
Security and maintenance update to version 5.5.3.
5.5.3:
This maintenance release fixes an issue introduced in WordPress 5.5.2
which makes it impossible to install WordPress on a brand new website
that does not have an existing database connection configuration.
This release does not affect sites where a database connection is
already configured, for example, via one-click installers or
an existing wp-config.php file.
5.5.2:
Security updates:
- Props to Alex Concha of the WordPress Security Team for their work in \
hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on \
a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to \
XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation \
in XML-RPC. He also found and disclosed an issue around privilege escalation \
around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in \
post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a \
method to bypass protected meta that could lead to arbitrary file deletion.
- And a special thanks to @zieladam who was integral in many of the releases and \
patches during this release.
Maintenance updates:
#51130 Events displayed in venue timezone instead of user’s
#51659 Update Gutenberg Dependencies for WordPress 5.5.2
#50861 Remove Facebook and Instagram as an oEmbed Source
#50903 Set the local environment to a development environment type by default
#50949 Posts show wrong time when user is in a different time zone than the site’s
#51053 Video Embeds set to align left disappear in Gutenberg editor
#51175 Wrong reply box title
#51219 Theme editor page showing undefined variable notice
#51251 Fix PHP notice when opening the edit image popup
#51263 PHP warning when editing comments in the administration comment edit screen
#51320 PHP Notice while moving post to trash (post_type has 2 registered \
taxonomies both with default_term set)
#51400 Undefined index during automatic plugin/theme updates
#51595 Unable to make anonymous comments via XML-RPC
#51645 Undefined index: echo in core files
Files: