We have fixed one security issue (XSS) on the public side with comment previews, which means that updates are strongly recommended. The relevance and potential attack vectors are described on Wikipedia [type 1]. Since the authentication cookie is restricted to the admin directory and not accessible from the front end, in most cases this means “only” the info from the comment-data cookie might be leaked. Users who run Textpattern together with other software or third-party plugins that set cookies might be at risk of having other data leaked when a user can be tricked into following certain links.
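
Added example (not Textpattern's own code): a small model of cookie path scoping that shows which cookies a script running in a public-side page can read through `document.cookie`, and how marking a cookie HttpOnly removes it from that set. The cookie names, the page paths and the `/textpattern/` admin path are assumptions made for illustration.

```javascript
// Cookie names, values and paths below are constructed for illustration.

// RFC 6265 section 5.1.4 path-match: does a cookie with `cookiePath`
// apply to a document served at `requestPath`?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/textpattern" does not
  // cover "/textpattern-old/...".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies that document.cookie exposes to a script in a page
// at `pagePath`: the path must match and the cookie must not be HttpOnly.
function scriptReadable(jar, pagePath) {
  return jar
    .filter((c) => pathMatches(pagePath, c.path) && !c.httpOnly)
    .map((c) => c.name);
}

// Hardening step: return a copy of the jar with the named cookies HttpOnly.
function withHttpOnly(jar, names) {
  return jar.map((c) => (names.includes(c.name) ? { ...c, httpOnly: true } : c));
}

// Constructed jar mirroring the situation in the announcement.
const jar = [
  { name: "admin_auth", path: "/textpattern/", httpOnly: false }, // admin directory only
  { name: "comment_name", path: "/", httpOnly: false },           // comment data
  { name: "comment_email", path: "/", httpOnly: false },          // comment data
  { name: "thirdparty_session", path: "/", httpOnly: false },     // set by other software
];

const FRONT_END = "/articles/1/hello";       // assumed public-side page
const ADMIN = "/textpattern/index.php";      // assumed admin page

console.log("front end:", scriptReadable(jar, FRONT_END));
console.log("admin:", scriptReadable(jar, ADMIN));
console.log(
  "front end, session HttpOnly:",
  scriptReadable(withHttpOnly(jar, ["thirdparty_session"]), FRONT_END)
);
```
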

Updates should be seamless for the vast majority of people; otherwise, make sure that all plugins are also updated to their most recent version. There’s also a very minor, low-impact issue for 4.0.5rc1 testers. I’ll write more about that in the next few days, but it is nothing that has any impact on updating to 4.0.5 final right away.

Download

Zip format. File size: 323 kB

Gzip format. File size: 281 kB

Changes since 4.0.4

Further reading

Forum thread for the announcement.