Just so no one else out there thinks that they have lost their mind, there was never a WordPress 2.6.4. Instead, there was a bogus version of WordPress floating around that wasn’t legit, so the guys at Automattic, in an effort to stay ahead of the folks issuing 2.6.4, have opted to skip that version and go directly to 2.6.5.
WordPress 2.6.5 is a pretty important update in that it fixes a small hole that could possibly be exploited via XSS. I have been updating our hosting WordPress solutions this morning and should have all of our clients updated in the next 20 minutes or so.
WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.