WordPress 3.4.1 Maintenance and Security Release

WordPress 3.4.1 is now available for download. WordPress 3.4 has been a very smooth release, and copies are flying off the shelf — 3 million downloads in two weeks! This maintenance release addresses 18 bugs with version 3.4, including:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

Version 3.4.1 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential information disclosure as well as an bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.

Download 3.4.1 now or visit Dashboard → Updates in your site admin to update now.

Green was a bit green
We have hardened it up some
Update WordPress now

CVE-2011-4940

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding. (CVSS:2.6) (Last Update:2013-05-14)

[BSA-073] Security Update for strongswan

Micah Anderson uploaded new packages for strongswan which fixed the
following security problems:

CVE-2012-2388

 An authentication bypass issue was discovered by the Codenomicon CROSS
 project in strongSwan, an IPsec-based VPN solution. When using
 RSA-based setups, a missing check in the gmp plugin could allow an
 attacker presenting a forged signature to successfully authenticate
 against a strongSwan responder.

For the squeeze-backports distribution the problems have been fixed in
version 4.5.2-1.4~bpo60+1