
WordPress 2.6.5 Security Update

According to the WordPress announcement, WordPress 2.6.5 is immediately available and fixes one security problem and three bugs.

We recommend everyone upgrade to this release.

The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.

2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.

Read more on the development blog.

Download WP 2.6.5 here.

I have just upgraded this blog, but really, guys! This is getting beyond a joke! For those of us who actually have lives and especially those who have multiple sites to manage, stability and security of the code is important - and upgrading every few weeks does not encourage new users of open source software to think it's reliable.

Let's look at how many upgrades there have been in recent months.

December 29, 2007 WP 2.3.2 Urgent bug-fix and security release
February 5, 2008 WP 2.3.3 Urgent bug-fix and security release
March 29, 2008 WP 2.5 Extensive enhancement release & bug fix
April 25, 2008 WP 2.5.1 Urgent bug-fix and security release
July 15, 2008 WP 2.6 Extensive enhancement release & bug fix
August 15, 2008 WP 2.6.1 Bug Fix
September 8, 2008 WP 2.6.2 Bug-fix and security release
October 23, 2008 WP 2.6.3 Security Release
November 25, 2008 WP 2.6.5 Security Release

Are you happy to upgrade your blog every few weeks? Are you, like me, finding that you are just completing upgrades to all your sites, only to have to start over again? Let me know what you think.


Topic: WordPress
Tagged as: bug fixes, free/libre open source software, security release
