Logging into your WordPress website today will show the familiar notice that the next update of WordPress is available: Please Update!
Here is what the dev team over at WordPress.org says regarding fixes and a security update:
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.
The team over at Blogs About explains the security exploit: it only affects IP-based virtual servers running on Apache 2.x.
Bottom line: you need to upgrade WordPress.
Approach 1: Download the entire WordPress 2.6.5 version and follow the normal upgrade instructions.
Approach 2: Find the changed files and replace only those files (full changeset). This is the diff from 2.6.3 to 2.6.5. It is a very time-efficient approach, and having this list of files lets you move quickly through a large number of installs.
Here are the files, compressed and available for your downloading pleasure: WordPress 2.6.3 to 2.6.5 diff
Other files are available – just give a shout out in the response form if you’re looking for either of the following:
2.6.2 to 2.6.3 diff
2.6.1 to 2.6.2 diff
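One way to script Approach 2 across many installs, as an added example (not code from this post or from WordPress): it replaces files only on installs whose wp-includes/version.php reports the expected starting version, keeps copies of the replaced files, and confirms the new version afterwards. It assumes the changed files are extracted into a directory that mirrors the WordPress layout; the function names, arguments and backup directory are hypothetical.

```shell
#!/bin/sh
# Added example: apply a changed-files-only update to a WordPress install.
# Assumption: PATCH_DIR mirrors the WordPress tree (e.g. wp-includes/feed.php).

# Print the version recorded in SITE/wp-includes/version.php (empty if absent).
wp_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 0
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$f"
}

# apply_changed_files PATCH_DIR SITE FROM TO BACKUP_DIR
# Returns 0 on success or if already at TO, 2 if SITE is not at FROM, 1 on error.
# Keep BACKUP_DIR outside the web root: stray copies of PHP files under a
# non-.php name inside it could be served as plain text.
apply_changed_files() {
    patch_dir=$1; site=$2; from=$3; to=$4; backup=$5
    have=$(wp_version "$site")
    if [ "$have" = "$to" ]; then
        echo "skip $site: already at $to"
        return 0
    fi
    if [ "$have" != "$from" ]; then
        echo "refuse $site: found '${have:-unknown}', expected $from" >&2
        return 2
    fi
    (cd "$patch_dir" && find . -type f) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ -f "$site/$rel" ]; then
            # Preserve the file being replaced so the change can be rolled back.
            mkdir -p "$backup/$(dirname "$rel")"
            cp -p "$site/$rel" "$backup/$rel" || exit 1
        fi
        mkdir -p "$site/$(dirname "$rel")"
        cp "$patch_dir/$rel" "$site/$rel" || exit 1
    done || return 1
    # The patch set includes version.php, so the install must now report TO.
    if [ "$(wp_version "$site")" != "$to" ]; then
        echo "verify failed: $site does not report $to" >&2
        return 1
    fi
    echo "updated $site: $from -> $to"
}

# Usage (paths are placeholders):
#   apply_changed_files ./wp-2.6.3-to-2.6.5 /path/to/site 2.6.3 2.6.5 /path/to/backups/site
```

An install that reports any other version is left untouched and flagged, which is the case to follow up with the full upgrade from Approach 1.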
Gotta love WordPress!



