A new security/fix version of WordPress, 3.0.5, has been released today, as mentioned by Andrew Nacin. While it may seem like a small release, it provides some useful security patches that all WordPress systems should have.

Yesterday, WordPress 2.9.2 was released to correct a bug in which “trashed” blog posts are visible by potentially unauthorized users.

According to Ryan, this can occur when logged-in users attempt to browse the trash area; these users can view posts that belong to others, so sensitive or private information may be inappropriately accessible. Thomas Mackenzie first mentioned this on his blog a few days ago (with a lot of interesting details). An “unofficial” WordPress diff patch was posted for it to address the defect, and WordPress 2.9.2 was released shortly afterward in a couple of days.

This is a good upgrade for WordPress sites which allow for multiple users to log into the system and use different authorization levels to govern various user roles.

N.B.

You may have noticed that we’re starting to use the Tell.im URL shortener in some of our links, including in this post…

UPDATE: Thomas points out that this post had incorrectly attributed the unofficial diff patch to him. According to him, it originated from the WordPress folks.

WordPress 2.9.1 was released yesterday, after a relatively short beta and RC1 pair of cycles.

Some of you may recall the controversy surrounding WordPress 2.9, surrounding some defects that were discovered shortly after its release– although some people have mentioned that the problems, they felt, were present even in the previous versions of the software. As mentioned by Ryan at the WordPress development blog, those noticed defects were addressed by this release, as well as a few other minor issues selected to be included.

Operations Recommendations and Notes

Apparently, since the recent series of posts about WordPress 2.9 and the 2.9.1 beta came out, many of you have been sending E-mails and messages about providing more guidance to prod-ops teams and developers. The following recommendations should not be taken as gospel, since I strongly advocate sound development practices and practical management processes and more than a little common sense: rather, they should be considered in context with your current situation and deployment strategy.

Recommendation for Standard Operations Teams

At this time, the recommendation is that it is a worthwhile upgrade for most technically savvy production operations teams, as well as developers accustomed to using and manipulating WordPress. However, the customary testing procedure is strongly advised: download it, set it up in your testing environment and vet it through your test suite(s), prepare your CM machinery to handle the new version if it passes your tests, and deploy it to your production environment.

Recommendation for Agile Operations Teams

For the heavier types of agile development, if you have already cleared WordPress 2.9, you should be able to layer 2.9.1 on top of your previous iteration and restart your testing segment and merge back to your expected path. Once you have cleared it, you should be ready to deploy it to your staging/production environments.

For the aggro types, you probably have been tracking beta and RC1 versions of WordPress 2.9.1, but the latest changes for it should be considered as overriding the previous two changesets. If you are sweeper types, overlay 2.9.1 onto your outbound segment and restart testing. If you are satisfied with the results, you should be ready to deploy it to your staging/production environments.

Recommendation for Continuum Operations Teams

Yes, I know: this is somewhat redundant. But a couple of you have asked about continuum development recommendations, so here ’tis:

You most likely already know the outcome of your tests, but the question is in which order should your production environments be refreshed. The easy answer would be to use the exact order you have been using all along; however, some teams do have highly variable distribution orders, so the prevailing advice here would be to deploy into production prioritizing first in order of increasing code complexity and then in order of increasing network or traffic load. So your simpler outbound segments with lower traffic and integrations with other packages would be rolled out first, then you proceed upward in complexity and then frequency/traffic/load. For this version, avoid simultaneous or near-simultaneous rollouts unless your tests have already proven 0.00% disruption.

Hint: our tests showed ~4.33% disruption across all outbound segments, > 120.

N.B.

Other related Javamancy posts (in reverse chronological order):

• Stop the Insanity! Or, WordPress Development for 2010, a New Year’s Resolution
• Complaining About WordPress: Does That Make You a Bad Person?
• Uh-Oh: WordPress 2.9.1 Coming Soon?
• WordPress 2.9 Released

Other related Javamancy mini posts (in reverse chronological order):

• WordPress 2.9.1 Now Available
• WordPress 2.9 Now Available

Maybe this ought to be called “the FUD Edition”, Part II… After one year, remember the first FUD Edition?

As we count down the minutes to the start of 2010, let’s review some of the things that have captivated us (for lack of a better term) over the course of 2009:

• The world economy, and certainly the US economy, with odd “jobless recovery” seen in some of sectors in the stock market;
• Moderate improvement in gas prices and a lot of backpedaling from doom-and-gloom environmental prognosticators;
• Slow real estate recovery in a few select regions in the US market, leading pundits to wonder whether 2011, not 2010, is the year that consumers
• More revelations of of financial misdeeds at a variety of ostensibly “reputable” financial firms, all while their executives are cashing in BIG-TIME with huge bonuses and salary raises;
• Continued car industry collapses in the US due to [insert-your-reason-here], and attempts by a few of the big-name companies to return to relevancy in the minds of consumers, despite lackluster achievements in energy saving technologies;
• Further disastrous job loss woes in the US, depending on whom you ask… some people see the continued worsening as the unemployment rate surpasses 10% and even more people completely drop out of attempting to find jobs;
• Crazy reality show stunts, and stunts for publicity by certain individuals that revealed serious national security deficits, including at the White House itself;
• Active and even more planned tax hikes in various US jurisdictions;
• Return of the blockbuster gaming phenomenon, such as Modern Warfare 2 and Borderlands;
• …

And you can certainly add more items to the list.

So: the wrap-up message for 2009 has just got to be…

Better luck next year, and thanks for all the fish!

WordPress 2.9 was released yesterday, and with it comes several new features.

As announced by Matt at the WordPress development blog, WordPress 2.9 has come out of its release candidate status into FCS.

Unlike the previous several “minor” point releases of WordPress, which have been devoted toward security and stability fixes, WordPress 2.9 is intended to bring online new features… in addition to the expected security and stability fixes.

Recommendation for Production/Operations Teams

Of course, a new release like this will probably have a few bugs that may make you think twice before deciding whether to deploy it for production use.

Our recommendation is that you should withhold using this version until your QA or GPL-OSS test group has cleared the software.

Recommendation for Developers

On the other hand, for developers and readers who are savvy in their appreciation (and usage) of WordPress, our recommendation is a bit different. If you have a version of your site where you typically try cutting-edge software, or if you are already using one of the beta or release candidates of WordPress 2.9, congratulations: you will probably already be aware of the stability conditions of the software.

More importantly, you are probably already prepared to deal with any unusual behavior of the version, or you have already made your determination of it. Thus, our recommendation is to continue with your current course of action.

Javamancy Operations

Javamancy will not be upgrading to this latest version at this time; instead, it will be deployed to a few internal cycle beds for closer examination while we interpret some recent integration changes that are specific to our configurations.

Thanks for being patient, folks! Until then, version 2.8.6 will be in circulation for a while longer.

For those of you who were wondering whether to upgrade to WordPress 2.8.5, given the relative stability of 2.8.4, wonder no longer: you might as well upgrade to 2.8.6 instead. Yesterday, WordPress 2.8.6 was released, to address a couple of security vulnerabilities found since 2.8.5. Ryan discusses the fixes being provided in 2.8.6: our recommendation is that it is a worthwhile upgrade, particularly if you provide login privileges to some/all of your readers.

In summary: If you operate WordPress blogs and did not yet upgrade from an earlier version of WordPress 2.8.x, you should strongly consider upgrading to this version. The customary testing procedure is recommended: download it, set it up in your testing environment and vet it through your test suite(s), prepare your CM machinery to handle the new version if it passes your tests, and deploy it to your production environment.

As first mentioned over at Javamancy mini, WordPress 2.8.5 was just released. WordPress 2.8.4 has held steady for more than two months at this point, and it almost seemed as if we, the blogging community, would be able to make it to December and the WordPress 2.9 release. Alas, no… Of course, since this is an incremental release on a fairly stable version, this should not dramatically and adversely impact most current operations.

Security continues to be the focus for the 2.8.5 version, as mentioned in the release post. This is a good thing, as the number of  malicious actions against blogs and other social software sites has recently spiked. Some things that people have already observed are trackback DoS exploits and some suspicious plugins floating around the blogosphere. This version attempts to close some of these issues.

In addition, there is even mention of a newly-released plugin that helps to scan active systems for exploits and suspicious settings and content that may weaken the security of a WordPress installation.

If you operate WordPress blogs and did not yet upgrade from an earlier version of WordPress 2.8.x, you should strongly consider upgrading to this version. The customary testing procedure is recommended: download it, set it up in your testing environment and vet it through your test suite(s), prepare your CM machinery to handle the new version if it passes your tests, and deploy it to your production environment.

… And here ’tis, the seventeenth announced update to Javamancy the Weblog, Javamancy mini, and all of the other Web applications running at javamancy.com (that most of you don’t have to interact with, or even worry about!).

The majority of the update is, of course, the WordPress 2.8.4 release, which finally cleared our QA testing and CM automata a mere couple of hours past midnight. Rather than “sit on it” for a few more hours while new design and media elements were streaming through the CI cycle to join the completed WP 2.8.4 component on the staging areas for the multiple destinations, we decided to allow Update XVII to proceed alone with WP 2.8.4 and our code patches.

Thanks for hangin’ in there with us, folks!

Reporting Problems

If you notice any oddities, style related or otherwise, please let us know.

N.B.

Other related Javamancy posts (in reverse chronological order):

• WordPress 2.8.4 Fixes a Security Vulnerability
• Javamancy Updated XVI
• WordPress 2.8.3 Now Available
• Javamancy Updated XV
• WordPress 2.8.2 Fixes a Security Vulnerability

Related Javamancy mini items (in reverse chronological order):

• WordPress MU 2.8.4a is now available! I…
• In addition to WordPress 2.8.4 being rel…

Housekeeping

Some of you have been asking about when the “HTTP Mass Downloader” suite of products will be available to the public…

The question really should be: Will the “HTTP Mass Downloader” suite of products be available to the public?

At this time, although a few of you have been heavily involved in the testing of the various products in the “suite”, there will not be a public release– at least, not for the foreseeable future. And, gee whiz, people! Who keeps coughing up these funky names for my software?!? Let’s stick with their original names, okay? After all, it’s only a few different components: 0, 1, 10, 11, 100, 101, 110, 111, and 1000. How hard can it be to remember?

Less than two weeks ago, WordPress 2.8.3 was released in order to address a security vulnerability; before that, less than a month ago, WordPress 2.8.2 was released to address some other security issues…

Now we have WordPress 2.8.4, which according to Matt is a security release intended primarily to address a password reset vulnerability that allows baddies to sleaze past a password reset check.

If you operate WordPress blogs and did not yet upgrade from an earlier version of WordPress 2.8.x, you should strongly consider upgrading to this version. The customary testing procedure is recommended: download it, set it up in your testing environment and vet it through your test suite(s), prepare your CM machinery to handle the new version if it passes your tests, and deploy it to your production environment.

“Say it isn’t so!”

Well, for those of you who have been following this event intently– and who isn’t, if you’re an avid Twitterer, right?– Twitter appears to be the victim of a DoS attack that started around 9:00 AM ET today.

In a cruel twist of fate, in which other companies use Twitter to announce their own system outages, Twitter has resorted to its Tumblr-powered blog (yeah, it’s a tumblog) to report that today’s outage is a denial-of-service attack; they have not reported (yet) any estimated service reactivation.

N.B.

• Dan Frommer (SAI) has a post about this topic, from earlier today, that he’s been updating.
• Javamancy mini‘s post about the Twitter outage (earlier today).

In case you’re wondering, gentle readers, even Javamancy’s Twitter feed is impacted by the Twitter outage (‘natch).