WordPress 3.1.3 brings security fixes and enhancements

Submitted by Bryan on

WordPress 3.1.3 was made available to the public yesterday. This release is not only a security update for all previous versions but also offers some new features.

WordPress 3.1.3 contains the following security fixes and enhancements:

  • Various security hardening.
  • Taxonomy query hardening.
  • Prevents sniffing out user names of non-authors by using canonical redirects.
  • Media security fixes.
  • Improved file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduces “clickjacking” protection in modern browsers on admin and login pages.

For details, feel free to check out the change log. Download WordPress 3.1.3 or update automatically from the Dashboard → Updates menu in your site’s admin area.

Also, you may be curious enough and want to take a look at the original release announcement that not only talks about WordPress 3.1.3 but also talks about the availability of WordPress 3.2 Beta 2. We'll talk more about WordPress 3.2 later.

Kentico Plants a Tree for Every Bug Found by Their Clients

Submitted by Kentico on

Nashua, New Hampshire, USA – Kentico Software (http://www.kentico.com), the Web content management system vendor, announced the re-launch of their Trees for Bugs initiative. Company employees will plant a tree for every software bug reported in each latest version of Kentico CMS for ASP.NET. The company also promises to fix all reported bugs within 7 days.

“I’m proud to say that although our product gets more complex, we are constantly eliminating the number of bugs in new versions. We have also been successful in keeping our promise and complying with the 7 days bug fixing policy since its announcement back in 2009,” said Martin Hejtmanek, CTO at Kentico Software. “Our efforts became an indivisible part of Kentico's commitment to deliver a stable platform for managing websites, on-line stores and social networks.”

“Kentico has always been committed to providing a high-quality user experience to our customers and partners. While we test our software extensively, it’s important to make sure that we encourage our customers to report any bugs they find. Based on the feedback on our initial program, which was only related to the 4.1 version of Kentico CMS, we decided to keep it for all upcoming CMS versions, starting with the current 5.5 R2 release,” said Petr Passinger, PR Manager at Kentico Software. “From now on, we will plant a tree for every bug found in each latest version of Kentico CMS.”

The Trees for Bugs initiative is well explained in the following one-and-a-half-minute animated video: http://www.youtube.com/watch?v=BdMb5swSB2I

The current number of bugs, and therefore the number of trees that will be planted, can be seen at the re-designed Trees for Bugs website: http://trees.kentico.com.

The homepage of the Trees for Bugs website shows a graph that represents the distribution of bugs/trees between individual development teams. With almost 6,000 active customers in 84 countries, the website also provides country standings in the “Bug-Finding” discipline.

Each planted tree is dedicated to the person who reported the bug and labeled with their name. The tree is also listed in the tree gallery and its location is marked on a map.

Drupal 6.17: The Drupal Super Fixer-Upper

Submitted by Bryan on

As much as I talk about Drupal here at CMS Report, I often don't talk about Drupal point releases that provide solely security and bug fixes and no new features. Every once in a while, though, there is a new version of Drupal 6 that has been especially polished by Drupal's developers. Drupal 6.17 is one of those releases, containing significant changes that I think are worthy of a mention.

I'm probably most excited about the improvements made in Drupal 6 for better PHP 5.3 compatibility. A couple of weeks ago I tried upgrading my server to PHP 5.3 and there were just too many annoying errors showing up in the Drupal 6 system logs. I'm hoping that with Drupal 6.17 I have better luck this time around (this Drupal 6 site is currently running with PHP 5.3).

With over 55 patches committed to improve Drupal 6, the following are the highlights of changes included in Drupal 6.17:

  • Improvements of session cookie handling
  • Better processing of big XML-RPC payloads
  • Improved PostgreSQL compatibility
  • Better PHP 5.3 and PHP 4 compatibility (my fingers are crossed)
  • Improved Japanese support in search module
  • Better browser compatibility of CSS and JS aggregation
  • Improved logging for login failures
  • An incompatibility of Drupal 6.16's new lock subsystem with some contributed modules was also resolved

The latest version of Drupal may be downloaded from the project page at Drupal.org. Whether you're new to Drupal or currently maintaining a Drupal site, this latest release is a clear indication that there is plenty of life and plenty of development taking place around Drupal 6. Now, what other Drupal 6 sites do I have that still need this upgrade to Drupal 6.17?

Drupal 6.5 and 5.11 released

Submitted by Bryan on

Drupal 6.5 and Drupal 5.11 were released yesterday. These new versions of Drupal are maintenance releases fixing problems reported through the bug tracking system, as well as critical security vulnerabilities. If you take a look at the release notes, you'll find that Drupal's core developers and security team have been hard at work improving this open source content management system. With all the hard work done for you, it only makes sense to upgrade your Drupal site today (yes, we're running Drupal 6.5).

Details and download links can be found at Drupal.org.

Big Medium 2.0.3

Submitted by Bryan on

"Big Medium 2.0.3 is now ready for your downloading pleasure, featuring a tasty selection of changes and bug fixes. The update addresses a few lingering compatibility issues with Firefox 3, fixes a nasty bug that caused a small number of Big Medium sites to refuse to open in Internet Explorer, and several other issues."

Joomla 1.5.4 Released

Submitted by Bryan on

Joomla! 1.5.4 was released yesterday.

The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.4 [Naiki]. This is a normal maintenance release which includes a few low to moderate security issues, many bug fixes, and several very nice improvements. It has been a little over ten weeks since Joomla! 1.5.3 was released on April 24, 2008. The Development Working Group's goal is to continue to provide regular, frequent updates to the Joomla! community containing the latest bug fixes and minor enhancements.

Click here for details.

PHP 5.2.6 Released

Submitted by Bryan on

The PHP development team started the month of May with the release of PHP 5.2.6. With over 120 bug fixes, this release is mainly focused on stability. There are however several security enhancements in PHP 5.2.6:

  • Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
  • Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
  • Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
  • Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
  • Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
  • Upgraded bundled PCRE to version 7.6.

References: Release Announcement, PHP 5.2.6 ChangeLog, PHP.net Download page

Joomla! 1.5.3 Released

Submitted by Bryan on

The Joomla! community has released a new version of their CMS, Joomla 1.5.3.

The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.3 [Vahi]. This release is earlier than scheduled in order to correct a database name validation error introduced in 1.5.2. It has been a month since Joomla! 1.5.2 was released on March 23, 2008. The goal is to provide regular, frequent updates to the Joomla! end user community containing the latest bug fixes and minor enhancements.

The latest bug fixes and enhancements in this release include:

  • Database name validation
  • xHTML compliance fixes
  • Help screen updates
  • JFilterInput infinite loop fix
  • PDF fixes for PHP 4
  • Minor CSS and RTL issues

Additional information about Joomla 1.5.3 as well as goals for a future release can be found at Joomla.org.

MediaWiki: Security and Bug fixer release

Submitted by Bryan on

Updated versions of MediaWiki addressing some security issues have been released: MediaWiki 1.11.1, 1.10.3, and 1.9.5.

This is a security and bugfix release of the Fall, Spring, and Winter 2007 snapshot releases of MediaWiki. A potential XSS injection vector affecting api.php only for Microsoft Internet Explorer users has been closed.

To work around the vulnerability without upgrading, you may disable the API in LocalSettings.php if you don't need it:

$wgEnableAPI = false;

Mambo 4.6.3 Released

Submitted by Bryan on

Mambo 4.6.3 was released recently. Besides the usual security improvements and bug fixes, this version of Mambo comes with some new enhancements. Some of the more notable enhancements in Mambo 4.6.3 include:

  • MOStlyCE upgraded to 2.4
  • MOStlyDBAdmin upgraded to 1.5
  • GeSHi upgraded to 1.0.7.20
  • Enhanced editor initializing
  • Enhanced weblinks component, so the target param is not confusing anymore

Drupal 4.7.11 and 5.6 fixing security issues released

Submitted by Bryan on

New minor versions of Drupal were released this week, Drupal 4.7.11 and Drupal 5.6 (see excerpt below). In case you're wondering, I have already upgraded this site to Drupal 5.6... no problems, no worries.

Drupal 4.7.11 and 5.6 are now available for download. These are maintenance releases that fix problems reported through the bug tracking system, as well as security vulnerabilities.

Upgrading your existing Drupal sites is strongly recommended.
As a sidebar, Drupal 6 Release Candidate 2 is also out. I promise, we'll be one of the first sites to go Drupal 6 once the software goes "gold". We may break a few things, but it will be well worth the price for some IT glory!