Changes in 3.7 (http://codex.wordpress.org/Version_3.7):
* Background Updates
* Stronger Password Meter
* Improved Search
* Better Global Support
Changes in 3.7.1 (http://codex.wordpress.org/Version_3.7.1):
* Images with captions no longer appear broken in the visual editor.
* Allow some sites running on old or poorly configured servers to
continue to check for updates from WordPress.org.
* Avoid fatal errors with certain plugins that were incorrectly
calling some WordPress functions too early.
* Fix hierarchical sorting in get_pages(), exclusions in
wp_list_categories(), and in_category() when called with empty
values.
* Fix a warning that may occur in certain setups while performing
a search, and a few other notices.
ok ajacoutot@
- server-side request forgery vulnerability and remote port scanning
using pingbacks
(http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html)
- cross-site scripting via shortcodes and post content
- cross-site scripting vulnerability in the external library Plupload
ok merdely@
* Fixes some issues in the admin area where some older browsers (IE7,
in particular) may slow down, lag, or freeze.
* Fixes the use of multiple trackback URLs in a post.
* Prevents improperly sized images from being uploaded as headers from
the customizer.
* Ensures proper error messages can be shown to PHP4 installs.
(WordPress requires PHP 5.2.4 or later.)
* Fixes handling of oEmbed providers that only return XML responses.
* Addresses pagination problems with some category permalink
structures.
* Adds more fields to be returned from the XML-RPC wp.getPost method.
* Avoids errors when updating automatically from very old versions of
WordPress (pre-3.0).
* Fixes problems with the visual editor when working with captions.
Tested on i386.
Ok merdely@
* Fixes an issue where a theme's page templates were sometimes not detected.
* Addresses problems with some category permalink structures.
* Better handling for plugins or themes loading JavaScript incorrectly.
* Adds early support for uploading images on iOS 6 devices.
* Allows for a technique commonly used by plugins to detect a
network-wide activation.
* Better compatibility with servers running certain versions of PHP
(5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which
had caused warnings or in some cases prevented emails from being sent.
* Privilege Escalation/XSS. Critical. Administrators and editors in
multisite were accidentally allowed to use unfiltered_html for 3.4.0.
And others, tested on i386 and amd64.
Ok merdely@ (maintainer) aja@
From http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/:
2.8.6 fixes two security problems that can be exploited by registered,
logged in users who have posting privileges. If you have untrusted
authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This discovered by
Benjamin Flesch. The second problem, discovered by Dawid Golunski, is
an issue with sanitizing uploaded file names that can be exploited in
certain Apache configurations. Thanks to Benjamin and Dawid for finding
and reporting these.