Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Go here: https://www.ads-software.com/download/releases/

    Download the latest 5.7 release — security patches have been backported.

    Thread Starter pcavejr

    (@pcavejr)

    Thanks Steve. The site I’m working with is 5.6 and can’t be upgraded just yet, so I’m looking to try and patch as a short term solution.

    I can’t tell which tickets in the release are related to the security issues so I can get the change sets. I understand they may not apply to 5.6, in that case we’ll manually apply the changes.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Backports have also been made to 5.6. Install 5.6.8

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Just wondering — why can’t the site be updated?

    Thread Starter pcavejr

    (@pcavejr)

    I’m not 100% certain, I’m just trying to assist another project team. Sounds like they have some custom modules (I’m a Drupal guy) that might need to be adjusted to work with the upgraded version.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Yeah, that’s really not a thing in the WordPress world that an update of WP will break a lot of stuff. Some stuff, from time to time, yes, but not a total recoding of your entire life, like with Drupal.

    Thread Starter pcavejr

    (@pcavejr)

    Hello again. Just wondering if anyone could help me locate the changes specific to the security issues that were fixed in 5.7.1. The team managing the site doesn’t have the bandwidth to handle a 5.6.8 upgrade at this time either. However they should be able to deal with patching those 2 specific issues as a stopgap until a full upgrade can be achieved.

    * XXE vulnerability within the media library affecting PHP 8.
    * Data exposure vulnerability within the REST API.

    Thanks,
    Phillip

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

If your team can’t handle a simple WP upgrade, well then, maybe you need a new team? Or at least hire a WP expert? In any case, your team should be able to diff the version you’re using with the most recent release in that series and make patches. WP does not distribute the patches.

    Thread Starter pcavejr

    (@pcavejr)

    Team bandwidth aside, that’s still not super helpful. We’ve already done the diff and there are 247 changes between 5.6 and 5.6.8. I need to know which of these tickets addresses the security issue. I’m used to working in a project where issues/tickets related to security are clearly marked as such. Thanks.

    https://core.trac.www.ads-software.com/query?milestone=5.7.1&group=component&col=id&col=summary&col=milestone&col=owner&col=type&col=status&col=priority&order=priority

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Team bandwidth aside, that’s still not super helpful.

    It is helpful. It is the right answer. Bear with me while I explain and attempt to use mild humor about coffee.

    *Drinks coffee, so good.*

    Here’s the thing and if what you wrote above is correct then you should get this.

Your site, according to an above post from you, is running WordPress 5.6. You are asking about backporting security patches from 5.7.1 and that’s not going to work, ever. Too much supporting architecture code has changed, and the idea that you can do that is optimistic at best. It just won’t work.

You can go from 5.6 to 5.6.8 (latest version in that tree, I think; I have not checked) and that will address any security issues with a reasonable expectation that it will not break anything on your installation. Make sure you back up your site first, just in case.

    *Finishes coffee*

    Don’t take my word for it. Download WordPress 5.6, download WordPress 5.7.1 and run a diff between the two source trees. I’ve not done that, nor will anyone else but I expect there to be hundreds of lines of code in hundreds of files that are different.

    Once you have reconciled all those differences then you may be patched for that security issue.

    Or, you know, you can upgrade to the latest version in the 5.6 tree and move on. It’s your choice.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    @pcavejr Unlike Drupal, updates in WordPress do not generally cause incompatibilities. WordPress strives for backwards compatibility.

    Assuming that they’re running 5.6, then there is likely no reason that they cannot update to 5.9.2.

    If, for whatever reason, they are skittish about staying on 5.6, then they can update to the 5.6.8 version. This one will have the security patches backported to it.

    There is no way to give you a diff and ask you to patch it yourself. That is not how WordPress works. Each patch builds on that which came before it. The fixes that were made in 5.7.1 would have been backported to the 5.6.3 patch. However, there have been later security updates which went into 5.6.4, 5.6.5, etc. This is why they are recommending 5.6.8. Any previous versions in the 5.6 line are *not secure*. Only 5.6.8 is safe in the 5.6 branch.

    In other words, all of those “247 changes” you found are security related. Every single one. Once each new branch is released, only security updates get backported to older branches. Once 5.7 came out, 5.6 received no further updates except security backports.

    However, again, you likely can just update to 5.9.2 without any compatibility issues. You’re worrying over nothing, most likely.

  • The topic ‘Security patches from 5.7.1’ is closed to new replies.