WordPress 2.5.1 security update (and mod_security rule)

If you use the WordPress 2.5 blog software on your site, be sure to upgrade to WordPress 2.5.1 as soon as possible. The upgrade contains an important security fix. (We’ve updated our own blog, and it was painless.)

Although all WordPress users should upgrade right away, we’ve also added a security rule to our servers to try to protect customers who haven’t yet upgraded. The rule may also be useful to other people who run mod_security on Apache Web servers. The rest of this post contains more technical details.


MySQL and PHP 5 Security Updates

We’ve installed MySQL and PHP 5 security updates. Customers should not notice any changes; the updates just fix several security issues in PHP 5 and MySQL.

The updates were performed in such a way that new Web server connections were held (delayed, not refused) during the 30 seconds or so that PHP and MySQL were unavailable on each server. That should mean that as far as scripts on your Web site were concerned, there was no visible downtime, only a brief delay.


MySQL Security Update

We applied a MySQL security update tonight. The version number remains 5.0.32, and customers should not notice any changes; the update just fixes several security issues.

The update was performed in such a way that new Web server connections were held (delayed, not refused) during the 30 seconds or so that MySQL was unavailable on each server. That should mean that as far as scripts on your Web site were concerned, there was no visible MySQL downtime, only a brief delay.

Software updates: Ruby on Rails, phpMyAdmin, WordPress

We’ve updated several things on our servers today:

  • Ruby on Rails was updated from version 1.2.3 to 1.2.6. (If you use Rails on your site, our page on freezing Rails explains how you can take total control of when Rails is updated.)
  • phpMyAdmin was updated from version 2.11.2.1 to 2.11.2.2.
  • The WordPress software that runs this blog was updated to version 2.3.1. That doesn’t directly affect our customers — but if you’ve installed your own version of WordPress on your own site, this is a good reminder to update it: some older versions have security vulnerabilities. (We found that the update from 2.2.X to 2.3.1 was painless.)

phpMyAdmin Updated

We’ve updated phpMyAdmin to version 2.11.2. (In case you aren’t familiar with phpMyAdmin, it’s a Web-based system for managing MySQL databases without requiring you to use the command line; you can find more details on the phpMyAdmin home page.)

Don’t rely on PHP file upload permissions

If you write your own PHP scripts that allow file uploads, we’ve discovered an unusual issue that might affect you. The file permissions (mode bits) PHP gives to newly uploaded files aren’t always the same, and a recent change to our servers may have altered the permissions your script sees. If your script assumes the uploaded file will be world-readable (or assumes it won’t be), that assumption can silently stop holding.

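As an added example (not code from the original post or from our servers), here is the pattern in PHP: a version that silently depends on whatever mode the temporary upload file happened to have, beside a hardened version that sets the mode itself and does not trust the client-supplied name or type. The form field name `upload`, the `$uploadDir` location, and the allowed image types are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Assumptions: the form field is
// named "upload", $uploadDir is a writable directory (ideally outside the
// document root), and only PNG/JPEG/GIF images are wanted.

// Naive version: relies on the mode move_uploaded_file() leaves behind. That
// mode is inherited from the temporary file (often 0600, but it varies with
// the PHP SAPI, umask and server configuration), so a script that expects the
// file to be readable by the Web server, or expects it NOT to be, can break
// when the server's defaults change.
function save_upload_naive(array $file, $uploadDir)
{
    $dest = rtrim($uploadDir, '/') . '/' . basename($file['name']); // trusts client name
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}

// Hardened version: validates the upload, chooses its own file name, and sets
// the permissions explicitly rather than relying on the server default.
function save_upload_hardened(array $file, $uploadDir, $mode = 0644)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' .
            (isset($file['error']) ? $file['error'] : 'unknown'));
    }
    // Only accept a path PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the type from the content, not from the client-supplied name.
    $allowed = array(IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif');
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('disallowed file type');
    }

    // Generate our own name so the client cannot choose a path or extension.
    $name = md5(uniqid(mt_rand(), true)) . '.' . $allowed[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // Restrict the mode while the file is created so there is no window in
    // which it is more permissive than intended, whatever the server umask is.
    $oldUmask = umask(0077);
    $moved = move_uploaded_file($file['tmp_name'], $dest);
    umask($oldUmask);
    if (!$moved) {
        throw new RuntimeException('could not move uploaded file');
    }

    // Now set the mode we actually want. This is the step the naive version
    // leaves to chance.
    if (!chmod($dest, $mode)) {
        unlink($dest);
        throw new RuntimeException('could not set permissions on uploaded file');
    }
    return $dest;
}

// Typical use (assumed form field "upload"):
if (isset($_FILES['upload'])) {
    $uploadDir = dirname(__FILE__) . '/../uploads'; // assumed location
    try {
        $saved = save_upload_hardened($_FILES['upload'], $uploadDir);
        printf("saved as %s with mode %04o\n", basename($saved), fileperms($saved) & 0777);
    } catch (RuntimeException $e) {
        header('HTTP/1.1 400 Bad Request');
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The `chmod()` call is what makes the script independent of the server's defaults; the `umask()` bracket only narrows the mode during the move. Note that `chmod()` can fail on hosts where PHP runs as a different user than the one that owns the moved file (for example some Apache module setups rather than CGI/suPHP), so treat a failed `chmod()` as an error rather than ignoring it.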

phpMyAdmin Updated

Our Web-based MySQL interface, phpMyAdmin, has been updated to version 2.10.2. This version includes some security and general bug fixes. Customers should not notice any major changes.

Updates: PHP 4, PHP 5, ClamAV, XFree86, WordPress

We’ve installed several security updates recently. We’ve updated PHP 4, PHP 5, the ClamAV antivirus scanner, and some XFree86 libraries. In addition, we’ve updated our own blog to use WordPress 2.2 — if you use WordPress, make sure you’ve done the same.


PHP 5 Upgraded for Security

We’ve updated PHP 5 on our servers to cover sixteen recently identified security issues. This only affects customers who have chosen to use PHP 5 — but since this upgrade only fixes security bugs, even those customers shouldn’t notice any changes.


Security Updates

We’ll be talking a lot about “security updates” on the blog, so a word about what these are and how we handle them is probably in order.

There are literally thousands of software programs on our servers, most of which are written by other people and used by many companies. From time to time, “security vulnerabilities” with these kinds of programs are discovered. A security vulnerability is something that could allow a “hacker” (or “cracker”, for purists, although that battle has been lost) to take advantage of a programming bug to do something unauthorized with the program, such as send spam or delete files.
