Apr 11 2014
 

WordPress Jetpack Emergency Update

Jetpack Emergency Update: bug has existed since Jetpack 1.9, released Oct 2012. Update Now.

I just received this message from JustHost Support about the WordPress Jetpack emergency update 2.9.3, which was released by WordPress Jetpack on 10th April 2014:

Jetpack has released a critical security update for their plugin. In a recent security audit, Jetpack discovered a vulnerability in their plugin that would allow an attacker to bypass a site’s access controls and publish posts to your WordPress installation(s).

Over the next 24 hours we will be making every attempt to upgrade your Jetpack plugin(s) to the newest versions containing the security patch. The secure versions are 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3, depending upon the version(s) of WordPress installed. We strongly encourage you to check your plugin version(s) to make sure it is on the newest version. We also strongly recommend you update your WordPress installation(s) to the most current version 3.8.2.

To check this, log in to your WordPress admin control panel and click on Plugins (located on the left panel). Scroll down and find Jetpack in the list; the version number will be listed in the description. If a WordPress plugin update is available, it will be shown on the Dashboard Panel, as an alert on the Plugin’s menu title, and on the Plugin List.
From: JustHost Support.
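
A version check built from the patched releases listed in the notice above, as an added example (not code from JustHost or Jetpack). The site names and inventory are constructed, and treating branches newer than 2.9 as patched is an assumption.

```python
import re

# Patched release for each affected branch, copied from the notice above.
PATCHED = ["1.9.4", "2.0.6", "2.1.4", "2.2.7", "2.3.7", "2.4.4",
           "2.5.2", "2.6.3", "2.7.2", "2.8.2", "2.9.3"]

def parse(version):
    """Turn '2.9' or '2.9.3' into a (major, minor, patch) tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

# (major, minor) branch -> lowest patch level that contains the fix.
FIXED_IN = {parse(v)[:2]: parse(v)[2] for v in PATCHED}
FIRST_AFFECTED = (1, 9)       # the notice says the bug dates from Jetpack 1.9
LAST_LISTED = max(FIXED_IN)   # (2, 9), the newest branch in the notice

def status(version):
    """Return 'predates-bug', 'vulnerable', 'patched' or 'unknown'."""
    try:
        major, minor, patch = parse(version)
    except ValueError:
        return "unknown"      # e.g. a development build; check by hand
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "predates-bug"
    if branch > LAST_LISTED:
        return "patched"      # assumption: later branches postdate the fix
    if branch not in FIXED_IN:
        return "unknown"
    return "patched" if patch >= FIXED_IN[branch] else "vulnerable"

def audit(inventory):
    """Map each site that needs attention to its status."""
    flagged = {}
    for site, version in inventory.items():
        state = status(version)
        if state in ("vulnerable", "unknown"):
            flagged[site] = state
    return flagged

# Constructed inventory: hypothetical site names and installed versions.
SAMPLE = {"blog.example": "2.9.2", "shop.example": "2.2.7",
          "old.example": "1.9", "lab.example": "dev-trunk",
          "archive.example": "1.8.3"}

if __name__ == "__main__":
    for site, state in sorted(audit(SAMPLE).items()):
        print(f"{site}: Jetpack {SAMPLE[site]} is {state}")
```

On hosts with WP-CLI installed, `wp plugin get jetpack --field=version` prints the installed version string for one site, which can be collected into the inventory.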

This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, Jetpack have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. Jetpack have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. Jetpack have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, Jetpack will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security. You will be able to reconnect as soon as your version of Jetpack is updated.

Many thanks to JustHost Support for this info. For more information on the Jetpack critical security update, visit http://jetpack.me/2014/04/10/jetpack-security-update/.

