The Development Working Group’s goal is to continue to provide regular, frequent updates to the Joomla community.

The Development Working Group’s goal is to continue to provide regular, frequent updates to the Joomla community.

For a more comprehensive look at everything that has improved in 3.0 check out 3.0′s Codex page or the long list of issues in Trac. (We’re trying to keep these announcement posts shorter.) Whew! That’s a lot packed into one release. I can’t think of a better way to kick off the 3.X cycle we’ll be in for the next two and a half years.

The Future

Normally this is where I’d say we’re about to start work on 3.1, but we’re actually not. We’re going to take a release cycle off to focus on all of the things around WordPress. The growth of the community has been breathtaking, including over 10.3 million downloads of version 2.9, but so much of our effort has been focused on the core software it hasn’t left much time for anything else. Over the next three months we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless. The goal of the teams isn’t going to be to make things perfect all at once, just better than they are today. We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.

It Takes a Village

I’m proud to acknowledge the contributions of the following 218 people to the 3.0 release cycle. These are the folks that make WordPress what it is, whose collaboration and hard work enable us to build something greater than the sum of our parts. In alphabetical order, of course.

The coolest new stuff from a user point of view is:

1. Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
2. Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
3. Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
4. Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:

• We now have rel=canonical support for better SEO.
• There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
• Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
• A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
• Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
• You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
• We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
• Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
• Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
• Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
• The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
• Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
• When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
• The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
• Custom taxonomies are now included in the WXR export file and imported correctly.
• Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

All of this and more is reflected in the over 500 tickets, bugs, and enhancements that WP developers in this release cycle.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The Development Working Group’s goal is to continue to provide regular, frequent updates to the Joomla community.

Release Notes

Check the Joomla 1.5.15 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.

If you have modified core template overrides, please be sure to back them up before upgrading.

Security

Two security issues were fixed in this release:

• Moderate Priority – Core – Front-End Editing. More information »
• Low Priority – Core – XML File View. More information »

For additional information, visit the Joomla Security Center.

Components

• Allowed search to use the Itemid of the current Menu Item (15780)
• Removed unnecessary quotes in search results (16919)
• Fixed problem when using relative URL’s in editor with SEF enabled. (16445)
• Fixed formatting problem in Category List layout with Internet Explorer (17110)
• Fixed problem with entering HTML in user confirmation messages (17259)
• Fixed Media Manager issues in Windows (17337)
• Fixed problem with Archived Article filters when cache is enabled (17470)
• Fixed RSS feed problem with ampersand in page title (18343)

Modules

• Allowed underscore character in menu names (16086)
• Fixed problem with mod_newsflash and altenative read-more text (17231)
• Fixed problem with Alias Menu Item Type not opening in new window (18240)
• Fixed problem with UTF-8 characters in breadcrumbs (18493)

Plugins

• Fixed problem with email cloaking and non-ASCII characters (11578)
• Fixed TinyMCE configuration error (16982)
• Fixed problem with multiple editor instances on one page (17043)
• Fixed problem whereby TinyMCE stripped some image HTML (17057)
• Fixed TinyMCE Extended Valid Elements problem (17121)
• Fixed problem with TinyMCE blockquote (17215)
• Allowed Firefox inline spell check to work in TinyMCE (17356)
• Fixed problem saving changes in TinyMCE (17367)
• Fixed TinyMCE problem with caption.js and filtering (17379)
• Fixed TinyMCE bullet issue with Internet Explorer (17414)
• Made image title names consistent in front and back end (17430)
• Fixed issue with email cloaking and images (17692)
• Fixed problem in email cloaking syntax (17964)
• Fixed caption alignment when image alignment is not set (18010)
• Fixed JavaScript error in TinyMCE (18192)
• Added option to create templates in TinyMCE editor (18245)
• Fixed problem with TinyMCE Sql (18246)
• Fixed problem when using email cloaking and JavaScript (18310)
• Fixed problem with email cloaking when using images (18481)

Legacy

• No legacy issues were fixed for this release

Templates

• Fixed problem with missing template CSS files (16609)
• Fixed problem with linked images in Beez template (16804)
• Added default text color for backend error messages (16914)
• Added missing spinner.gif (17432)
• Fixed problem when copying Beez template to new name (17559)
• Fixed error in JA_Purity template with Internet Explorer 8 (18070)

Language

• Added TinyMCE Language file for Toggle Editor button (17332)
• Added Ulaanbaatar in timezones (17577)
• Fixed problem with localisation of pagination strings (17618)
• Added missing Display # language string (18124)
• Added missing com_media language strings (18349)
• Improved tooltip text for mod_search (18518)
• Fixed problem with version information for core languages (18522)

Administrator

• Fixed problem with FTP fields auto-completing (18297)

System

• Don’t show password in configuration.php file (16484)
• Fixed problem when Itemid does not exist (16927)
• Fixed PHP 5.3 compatibility issues (17150)
• Fixed problem with caching for com_weblinks and com_contact (17475)
• Fixed additional PHP 5.3 compatibility issues (18008)
• Fixed problem with warnings in system_config.php file (18054)
• Added missing JEXEC checks in code (18080)
• Fixed problem converting UTF-8 characters to ASCII (18142)
• Added option to disallow users to view extension XML files (18353)
• Fixed problem with onAfterDisplayTitle event and PHP 5.3 (18430)
• Fixed problem with displaying error messages with right-to-left languages (18537)

Statistics

Statistics for the 1.5.15 release period:

• Joomla 1.5.15 contains:
  • 60 issues fixed in SVN
  • 59 commits
• Tracker activity resulted in a net increase of 15 active issues:
  • 185 new reports
  • 110 closed
  • 60 fixed in SVN
• At the time the 1.5.15 release was packaged, the tracker had 220 active issues:
  • 103 open
  • 92 confirmed
  • 25 pending

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The headline changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner.  This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.  You can read more about this plugin here – “WordPress Exploit Scanner“ ]]> http://www.acs-itsolutions.com/?feed=rss2&p=108 0 http://www.acs-itsolutions.com/?p=106 http://www.acs-itsolutions.com/?p=106#comments Wed, 12 Aug 2009 07:29:15 +0000 admin http://www.acs-itsolutions.com/?p=106

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress. ]]> http://www.acs-itsolutions.com/?feed=rss2&p=106 0