On January 11, 2016, the developers released WordPress version 4.7.1 for general availability. It is a security update that closes several vulnerabilities and should be installed promptly.
This update was offered to me in the blog overnight and installed without any problems. It is advisable, however, to make a backup of the database before installing. Blog content can also be saved locally from the dashboard, e.g. via Tools – Export.
WordPress 4.7.1 fixes
Here on the blog I had reported on the vulnerability in PHPMailer (PwnScriptung: PHPMailer vulnerability makes WordPress attackable). That vulnerability was limited in scope and could not be exploited here on the blog. But there were other unpleasant things, such as the possibility of collecting user account names via the REST API. I had touched on that topic in the blog post WordPress: REST API enables "account harvesting" – here on the blog a firewall blocks this attack.
In any case, the WordPress development team has responded and, with WordPress version 4.7.1, has closed the following vulnerabilities and made the following changes (see):
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks mail.example.com if default settings aren't changed. Reported by John Blackbourn of the WordPress Security Team.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
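The REST API item above is the one that enabled the account harvesting discussed earlier: anonymous requests to the users endpoint returned author accounts. As an added example (not code from the original post and not part of WordPress itself), the following must-use plugin restricts the `/wp/v2/users` routes to users holding the `list_users` capability, as defense in depth on top of the 4.7.1 fix or as a stopgap on a site that cannot update immediately. It assumes WordPress 4.7 or later, because it uses the `rest_pre_dispatch` filter and `rest_authorization_required_code()`; the plugin name, the error code `rest_cannot_list_users` and the log line are my own choices.

```php
<?php
/**
 * Plugin Name: Restrict REST API user listing (added example)
 * Description: Deny /wp/v2/users to anyone without the list_users capability.
 *
 * Install as wp-content/mu-plugins/restrict-rest-users.php so it is
 * always active and cannot be disabled from the dashboard.
 */

// Short-circuit dispatch for user routes before the controller runs.
// rest_pre_dispatch passes ($result, $server, $request); returning a
// WP_Error here is sent to the client instead of the route's response.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Another filter already produced a result: leave it untouched.
    if (null !== $result) {
        return $result;
    }

    // Matches /wp/v2/users, /wp/v2/users/42 and /wp/v2/users/me.
    $route = $request->get_route();
    if (!preg_match('#^/wp/v2/users(?:/|$)#', $route)) {
        return $result;
    }

    // Anonymous callers have no capabilities, so this blocks the
    // harvesting case; logged-in users without list_users are blocked too.
    if (current_user_can('list_users')) {
        return $result;
    }

    // Record the denied attempt for the server log (constructed format),
    // without echoing user-controlled data beyond the matched route.
    error_log(sprintf(
        'rest-users-guard: denied %s %s from %s',
        $request->get_method(),
        $route,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));

    // 401 for anonymous callers, 403 for authenticated ones lacking the capability.
    return new WP_Error(
        'rest_cannot_list_users',
        __('Sorry, you are not allowed to list users.'),
        array('status' => rest_authorization_required_code())
    );
}, 10, 3);
```

Because the check runs inside the REST server rather than in a web server rule, it also covers requests that reach the API through the `?rest_route=/wp/v2/users` form on sites without pretty permalinks. If editorial roles on a site legitimately need an author list through the API, relax the capability test (for example to `edit_posts`) rather than removing the guard.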
WordPress 4.7.1 also fixes 61 bugs from Version 4.7, including:
Bootstrap/Load
- #39132 – WP 4.7, object-cache.php breaks the site if APC is not enabled in php
Build/Test Tools
- #39327 – Database connection errors in unit tests on 4.7
Bundled Theme
- #39138 – wordpress 4.7 default theme does not get installed when upgrading
- #39272 – Twenty Seventeen: Incorrect $content_width
- #39302 – Twenty Seventeen: Featured image not displayed on single template
- #39335 – Twenty Seventeen: customize-controls.js incorrectly assumes theme_options section is always present
- #39109 – Twenty Seventeen: starter content array needs a filter
- #39489 – Twenty Seventeen: Bump version and update changelog
Charset
- #37982 – 4.6.1 Breaks apostrophes in titles and utf-8 characters
Comments
- #39280 – comment permalink wrong in WordPress 4.7
- #39380 – wp_update_comment can cause database error with new filter
Customize
- #39009 – Customizer: the preview UI language should be the user language
- #39098 – Customize: Clicking on child elements of preview links fails to abort navigation to non-previewable links
- #39100 – Customize: Edit shortcuts do not work if page hasn't been saved and published
- #39101 – Customize: edit shortcuts for custom menu widgets do not work
- #39102 – Customize: Shift-click on placeholder nav menu items fails to focus on the nav menu item control
- #39103 – Customize: menus aren't deleted
- #39104 – Customize: starter content home menu item needs to be a link, not a page
- #39125 – Customize: Video Header YouTube field has issues when whitespace is inserted at beginning or end of URL
- #39134 – Customize: custom CSS textarea is scrolled to top when pressing tab
- #39145 – custom-background URL escaped
- #39175 – Customizer assumes url is passed with replaceState and pushState
- #39194 – Invalid parameters in Custom CSS and Changeset queries
- #39198 – Customize: Apostrophes in custom CSS cause false positives for validation errors
- #39259 – 'custom_css_post_id' theme mod of `-1` doesn't prevent queries
- #39270 – Use a higher priority on wp_head for inline custom CSS
- #39349 – Customizer (mobile preview) site title extra padding
- #39444 – Text Decoration Underline removes on hover in Customizer
Editor
- #39276 – Link Editor bug – target="_blank" not removed
- #39313 – Add New button not disappearing in Distraction-free Writing mode
- #39368 – .page-template-default body class in editor doesn't appear in initial post/page load.
External Libraries
- #37210 – Update PHPMailer to 5.2.21
Feeds
- #39066 – `fetch_feed()` changes REST API response `Content-Type`
- #39141 – RSS feeds have incorrect lastBuildDate when using alternate languages
General
HTTP API
- #37839 – wp_remote_get sometimes mutilates the response body
- #37991 – fsockopen logic bug
- #37992 – fsockopen hard codes port 443 when http scheme used
- #38070 – RegEx to remove double slashes affects query strings as well.
- #38226 – "cURL error 23: Failed writing body" when updating plugins or themes
- #38232 – Setting `sslverify` to false still validates the hostname
Media
- #39195 – Undefined index: extension in class-wp-image-editor-imagick.php on line 152
- #39231 – Allow the pdf fallback_intermediate_image_sizes filter to process add_image_size() sizes.
- #39250 – Undefinded Variable in Media-Modal
Posts, Post Types
- #39211 – is_page_template could return true on terms
REST API
- #38700 – REST API: Cannot send an empty or no-op comment update
- #38977 – REST API: `password` is incorrectly included in arguments to get a media item
- #39010 – REST API: Treat null and other falsy values like `false` in 'rest_allow_anonymous_comments'
- #39042 – REST API: Allow sanitization_callback to be set to null to bypass `rest_parse_request_arg()`
- #39070 – WP-API JS client can't use getCategories for models returned by collections
- #39092 – REST API: Add support for filename search in media endpoint
- #39150 – Empty JSON Payload Causes rest_invalid_json
- #39293 – WordPress REST API warnings
- #39300 – REST API Terms Controller Dynamic Filter Bug
- #39314 – WP-API Backbone Client: buildModelGetter fails to reject deferred on fetch error
Taxonomy
- #39215 – Support for string $args in wp_get_object_terms() broken in 4.7
- #39328 – Adding terms without AJAX strips "taxonomy" query arg
Themes
- #39246 – Theme deletion has a JS error that prevents multiple themes from being deleted.
Upgrade/Install
- #39047 – Installer tries to create nonce before options table exists
- #39057 – FTP credentials form doesn't display the SSH2 fields on the Updates screen
Related articles:
WordPress version 4.7 available
WordPress auto-update as a security risk
PwnScriptung: PHPMailer vulnerability makes WordPress attackable
WordPress: REST API enables "account harvesting"