Jetpack

Jetpack 2.9.3: Critical Security Update

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.

If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
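For hosts triaging many sites, the branch-by-branch fix list above can be turned into a fleet check. The following is an added example, not code from Jetpack or this post; the inventory, hostnames and function names are hypothetical, and it assumes branches newer than 2.9 already carry the fix.

```python
# Added example (not Jetpack's code): triage a fleet for CVE-2014-0173.
# Fixed point releases are the eleven listed in the post, one per branch.
FIXED = ["1.9.4", "2.0.6", "2.1.4", "2.2.7", "2.3.7", "2.4.4",
         "2.5.2", "2.6.3", "2.7.2", "2.8.2", "2.9.3"]


def parse(version):
    """Turn '2.5' into (2, 5, 0); raise ValueError for anything non-numeric."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(version)
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


FIX_BY_BRANCH = {parse(v)[:2]: parse(v) for v in FIXED}
FIRST_AFFECTED = (1, 9, 0)          # the post: bug present since Jetpack 1.9
NEWEST_BRANCH = max(FIX_BY_BRANCH)  # (2, 9)


def classify(version):
    """Return (status, upgrade_target) for one installed version string."""
    try:
        v = parse(version)
    except ValueError:
        return ("unknown", None)            # needs a manual look
    if v < FIRST_AFFECTED:
        return ("not_affected", None)
    fix = FIX_BY_BRANCH.get(v[:2])
    if fix is None:
        # Assumption: branches newer than 2.9 ship with the fix.
        return ("patched", None) if v[:2] > NEWEST_BRANCH else ("unknown", None)
    if v >= fix:
        return ("patched", None)
    return ("vulnerable", ".".join(map(str, fix)))


def audit(inventory):
    """List (site, installed, upgrade_target) for every site needing action."""
    rows = []
    for site, version in sorted(inventory.items()):
        status, target = classify(version)
        if status in ("vulnerable", "unknown"):
            rows.append((site, version, target))
    return rows


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {"a.example.com": "2.9.2", "b.example.com": "2.9.3",
          "c.example.com": "1.8.3", "d.example.com": "2.0.5",
          "e.example.com": "trunk"}
```

Calling audit(SAMPLE) returns only the sites that need an upgrade or a manual check, each with the point release for its own branch.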

Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

Posted in Releases | 92 Comments

New Release: Jetpack 2.6

After two months of silence, here comes Jetpack 2.6! Chock-full of enhancements and goodness, we can’t wait for you to try it out.

New Modules: Single Sign On and Jetpack Monitor

Single Sign On replaces the previous WordPress.com Connect module, added in 2.4. Improving on the WPCC module’s setup process, Single Sign On takes one click to activate, then you’re off to the races! It will also streamline subsequent log ins, as you’ll no longer need a manual approval at sites where you’ve previously been authenticated.

Our other new module, Jetpack Monitor, is an uptime monitor that will check your site every five minutes. If it ever looks like your site is down, we’ll fire off an email to give you a heads-up. Easy, right?

We’ve also included a pile of other enhancements. We’ve switched the code editor in our Custom CSS module, and bundled new filters, new custom post types, and new widgets. We’ve added performance improvements across many modules, as well as support for WP-CLI. We now also make sure that your Publicize connections haven’t expired in the background as you write.

We’re tremendously proud of our latest release, and hope you’ll give it a shot.

- The Jetpack Team

Eight Automatticians swimming in the Caribbean

The Jetpack Team recently spent a week collaborating on the awesomeness of this release down in Puerto Rico! Interested in joining us? You should apply!

Posted in Releases | 25 Comments

Jetpack 2.3.4

Jetpack 2.3.4 is out! Included are a number of bug fixes and enhancements — from using the freshest Genericon assets to improving many of our translations, it’s the best Jetpack yet.

We’ve also lightened the load by dropping many of the “retina display” versions of WordPress Core assets that core has come bundled with since 3.5. If you’re still running WordPress 3.4, it may be time to look at upgrading!

For a full changelog, check out http://wordpress.org/plugins/jetpack/changelog/

Posted in Uncategorized | 4 Comments

Photon and Themes

Theme crafters often ask whether Photon — the free Image Content Delivery Network module in Jetpack — can be used to speed up page loads and save on bandwidth when delivering images from their themes. The short answer: Yes! Read on for the how-to.

(more…)

Posted in Features, Uncategorized | 20 Comments

Security & Maintenance Release: Jetpack 2.3.1

Howdy, Jetpack Community!

We’ve just released v2.3.1 to the plugins repository. This is a security release that also fixes a number of minor bugs that we’ve found in the past few weeks.

The security fix addresses a missing capability check that gave authenticated users a non-intuitive but feasible way to activate modules, though not to view or change any configurations. We added the proper checks to ensure that this never happens in the future, and are currently looking at retooling the administrative UI for the next release.

Other changes include:

  • Comments: We added in some additional classes to the comment form markup to mirror the upcoming changes in core.
  • Debug: We improved the test results output by making the error messages clearer and more succinct.
  • Likes: We fixed a static warning, and added some styling if you’ve got MP6 enabled.
  • Omnisearch: We fixed a couple strict warnings from newer versions of PHP, delayed the inclusion and declaration of providers until admin_init, and made it easier to search custom post types.
  • Sharing: We applied a couple of layout patches including: updating the Pinterest element width when necessary, adjusting length to better fit tweets, and migrating the LinkedIn button to their official sharing link.
  • Social Links: We refactored the class for a more consistent codebase.
  • Twitter Timeline Widget: We started applying some better data validation for the widget dimensions.
  • We added a MINUTE_IN_SECONDS and related constants for backward compatibility with WordPress 3.4.

As always, please let us know if you have any issues cropping up, so that we can quickly deal with them!

Posted in Uncategorized | 11 Comments