Updates

  • John Walker posted an update in the group Updates 5 months, 1 week ago

    2020 June 25

    Starting at 06:10:24 UTC, the site came under an intense attack
    from 185.174.40.173, part of a class C, 185.174.40.0/24,
    registered to "Libertas Network UK", but whose abuse contact is,
    for some reason, in Antigua and Barbuda.  The attack began with
    a fairly conventional scan for WordPress vulnerabilities,
    hammered in at a rate of around two per second.  Apparently,
    having found no vulnerability which could be exploited, the
    attack then switched into nihilistic destruction mode, in which
    it began to hit the home page at a rate of around ten times per
    second.  This, of…

  • John Walker posted an update in the group Updates 5 months, 1 week ago

    2020 June 24

    Updated the Raw HTML plug-in to version 1.6.3.  This is an
    utterly trivial update which just changed a few lines in four
    files, only two of which are actually executable code.  It fixes
    a problem in compatibility with some versions of PHP, which is a
    stupid programming language used by stupid programmers to write
    stupid programs.  We have no local code in this plug-in, so I
    simply syntax checked the modified files and applied the update
    kit.  Everything looks hunky-dory after the installation.
    
    There being no apparent problems with the update installation, I
    committed…

  • John Walker posted an update in the group Updates 5 months, 1 week ago

    2020 June 19

    Updated the Inline Spoilers plug-in to version 1.5.1.  This is
    an update which does not affect us at all, but simply remedies
    the plug-in's interaction with the disastrous "Gutenberg" "block
    editor" introduced by WordPress in their quest for
    self-immolation.  The README for the plug-in manages to misspell
    the editor as "Guttenberg"; given how many WordPress sites it
    has eviscerated, this may be appropriate.  There were two files
    (all administrivia) modified and two added to cope with
    Gutenberg.  We have no local code in this plug-in.  After syntax
    checking, I applied…

  • John Walker posted an update in the group Updates 5 months, 2 weeks ago

    2020 June 17

    Updated the Really Simple SSL plug-in to version 3.3.4.  This is
    a trivial update that modified 8 files and makes no functional
    changes whatsoever: all it does is mess around with the "Review
    this plug-in" nag message to avoid interference with other
    plug-ins, twiddle the CSS for the administrator pages, and
    fiddle with WordPress's idiotic "multisite" feature that we
    don't use.  We have no local code in this plug-in.  I syntax
    checked the modified files, made an update kit, and applied it.
    Everything appears to be in order after installation.
    
    The Really Simple SSL…

  • John Walker posted an update in the group Updates 5 months, 2 weeks ago

    2020 June 12

    Updated WordPress to version 5.4.2.  This is a "security and
    maintenance release" with 23 "fixes and enhancements", mostly
    corrections to the cross-site scripting vulnerabilities which
    continue to plague WordPress even in new feature code because
    its developers are morons and there is no adequate code review
    or configuration management of what they scribble in crayon
    before it is shipped to millions of customers.  They're forever
    giving out "Props" to the third parties who scrutinised their
    shoddy product and found these flaws they couldn't be bothered
    to discover…

  • John Walker posted an update in the group Updates 5 months, 3 weeks ago

    2020 June 8

    Updated the WP Mail SMTP plug-in to version 2.1.1.  This update,
    which includes 2.1.0 and the "fixes to fixes" patch 2.1.1
    modifies 81 files, deletes one directory, and adds six files all
    for a bunch of useless crap which will make not a scintilla of
    difference to us.  We have no local code in this plug-in, so I
    simply prepared an update kit, syntax checked it, and applied
    it.
    
    After applying the update kit, I verified that everything looked
    all right and there were no errors in the error_log, and sent a
    test E-mail, which was delivered successfully.
    
    I can't see…

  • John Walker posted an update in the group Updates 5 months, 3 weeks ago

    2020 June 7

    Updated the User Role Editor plug-in to version 4.55.1.  The
    version 4.55 update which we installed on 2020-06-03 introduced
    a horrific security flaw which, fortunately, did not affect our
    site.  If administrators had delegated the "edit_users"
    capability to other users, they could escalate the privileges of
    still other users beyond those to which they were entitled to
    grant.  Since we have no non-administrators who have been
    granted this capability, we were not at risk.  There is also
    some noodling around with the uninstall code to make uninstall
    of the "Pro" version…

  • John Walker posted an update in the group Updates 5 months, 4 weeks ago

    2020 June 3

    Updated the User Role Editor plug-in to version 4.55.  This is
    an administration-only update which changes how the plug-in
    uninstalls itself.  Since we do not intend to uninstall it, this
    doesn't affect us.  We have no local code in this plug-in, so I
    simply syntax checked the changes and applied the update kit.
    Nothing seemed to break after I did so.
    
    Committed the User Role Editor version 4.55 update (Build 473)
    and published to GitHub.
    
  • John Walker posted an update in the group Updates 6 months ago

    2020 June 2

    Updated the Stop Spammers plug-in to version 2020.4.2.  Not to
    be left behind in the "fixes to fixes" sweepstakes, the Stop
    Spammers plug-in weighs in with another update just two days
    after the 2020.4.1 release.  This is literally a one-liner,
    which simply comments out a hook call which shouldn't have been
    there in the first place.  Since we don't use the code in
    question, it is of no consequence to us.  I integrated our local
    code into the two files in which it appears with no conflicts.
    After syntax checking and verifying correct integration of local
    code, I applied…

  • John Walker posted an update in the group Updates 6 months ago

    2020 May 31

    Updated the Stop Spammers plug-in to version 2020.4.1.  This is
    a minor update which adds 2500 disposable E-mail domains to an
    already long list in the hopeless quest to squash the locusts
    faster than they breed.  The idiotic image files with spaces in
    their names that wrecked source code management tools all over
    the world were replaced with files with dashes in their names.
    A couple of options were added that we won't use, and more
    up-selling spam was added to irritate administrators.  We have
    local code in two files: one was unchanged in the update and the
    other had…

  • John Walker posted an update in the group Updates 6 months ago

    2020 May 29

    At 08:54:27 UTC we came under an intense site-scraping attack
    from 195.140.225.115, who first hit the site four seconds
    earlier and retrieved the home page.  It then appears to have
    instantaneously fired off GET requests for every link: posts,
    profiles, tags, categories, etc. on the page, with a total of
    112 submitted in that single second.  This immediately blew up
    the PHP-FPM worker process memory allocation and started to
    throw 500 errors, thankfully mostly directed at the attacker.
    The attack resumed a few seconds later, with 102 hits recorded
    in the single second…

  • John Walker posted an update in the group Updates 6 months, 1 week ago

    2020 May 23

    Updated the WP-UserOnline plug-in to version 2.87.5.  This is a
    completely trivial update which simply adds some bots to the
    table of known bots.  The release notes claim they update the
    WordPress compatibility claim to 5.4, but in fact they forgot to
    do that in the code.  We have no local code in this plug-in. I
    syntax checked the modified files and applied the update kit.
    Everything looks OK.
    

    Committed the WP-UserOnline plug-in version 2.87.5 update (Build 470).

  • John Walker posted an update in the group Updates 6 months, 2 weeks ago

    2020 May 18

    Updated the Really Simple SSL plug-in to version 3.3.3.  This is
    a "fixes to fixes to fixes" update of the last two attempts, all
    devoid of any content useful to customers, and all aimed at
    up-selling and nagging users to leave reviews.  Of course, these
    were bungled, requiring two rounds (so far) of fixes.  This
    milestone in human achievement modified three files, two
    trivially.  Since they didn't change anything of consequence, I
    went ahead and committed the changes (Build 469) and published
    them to GitHub.
    
  • John Walker posted an update in the group Updates 6 months, 2 weeks ago

    2020 May 16

    Re-implemented the ~/bin/muzzle feature to show drop counts for
    both IPv4 and IPv6 when called with no IP address argument.
    This was removed when support for ipset was added, since ipset
    doesn't collect statistics on individual IP addresses, but it
    remains useful for monitoring the total number of packets
    dropped by ipset rules, as well as any specific IP addresses
    dropped by direct iptables rules.
    
    The BuddyPress version 6.0.0 update didn't blow up or otherwise
    misbehave overnight so I committed the changes (Build 468) and
    published to GitHub.
    
    Between 02:58:09 and…

  • John Walker posted an update in the group Updates 6 months, 2 weeks ago

    2020 May 15

    Updated the BuddyPress plug-in to version 6.0.0.  This is
    described as a "major feature release", but when you look under
    the hood, among the cobwebs and fouine poop, what you actually
    see is some minor fiddling around with the handling of avatars
    and cover images in the Members component (moving out some stuff
    which used to be in the "extended profile"), changes to the
    "Nouveau" theme which we don't use, and extensions to the REST
    API, which nobody in their right mind would enable, as it is a
    gaping security hole just waiting to be probed by every drooling
    moron that…

  • John Walker posted an update in the group Updates 6 months, 2 weeks ago

    2020 May 13

    Between 14:00:41 and 14:07:48 we were subjected to an intense
    attempted SQL injection attack from 93.99.104.101, in an IP
    block belonging to FinalTek.com in the Czech Republic.  The SQL
    attack was futile, but that didn't keep them from pumping in a
    total of 244 POST requests all targeting, bizarrely, the
    s-p-q-ratburger group.  The requests came in bursts which
    averaged more than one packet per second, which inflated the
    number of php-fpm worker processes to 35, taking free memory
    down to 64900, provoking six memory allocation failures that
    torpedoed legitimate user…

  • John Walker posted an update in the group Updates 6 months, 3 weeks ago

    2020 May 12

    The iptables firewall was getting completely out of hand.
    Between IPv4 and IPv6, we have a total of 4225 banned IP
    addresses or ranges, and since iptables uses a purely linear
    process of rule application, every legitimate packet that makes
    it through the firewall has to run the gauntlet of every rule
    within its protocol family.  This slows things down and imposes
    a CPU burden on the kernel, which is probably single-threaded at
    that point.  The solution for large iptables lists is called
    ipset:
        https://howto.lintel.in/use-ipset-command-linux-block-bulk-ips/…


    • It is amazing the detail here. I love it.

      Nothing like getting blamed as a user because the site changes from using a http to an https and my http bookmark, there since the site started, no will not automatically redirect to the https, and thus I cannot automatically log in, and the stupid tech guy can’t figure out why for a year, then *blames me* for not being technical enough.

      Thank you John

      2+
    • Lax DeMoux?

      0
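
The request bursts described in the 2020 May 29 entry and the move from a linear iptables list to ipset in the 2020 May 12 entry, tied together as an added example (this is not John Walker's code and not the site's ~/bin/muzzle script). The set names banned4/banned6, the threshold of 5, and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Set names banned4/banned6 and the threshold are assumptions.

# Constructed sample access log; addresses are from documentation ranges.
sample_log() {
    printf '198.51.100.7 - - [29/May/2020:08:54:20 +0000] "GET / HTTP/1.1" 200 5120\n'
    for path in /a /b /c /d /e /f; do
        printf '192.0.2.10 - - [29/May/2020:08:54:27 +0000] "GET %s HTTP/1.1" 200 900\n' "$path"
        printf '2001:db8::bad - - [29/May/2020:08:54:31 +0000] "GET %s HTTP/1.1" 500 0\n' "$path"
    done
    printf '198.51.100.7 - - [29/May/2020:08:54:31 +0000] "GET /about HTTP/1.1" 200 700\n'
}

# Print each client address that made at least $1 requests within any single
# second. Field 4 of the log line is the timestamp at one-second resolution.
burst_ips() {
    awk -v limit="$1" '
        { if (++hits[$1 SUBSEP $4] == limit + 0) print $1 }
    ' | sort -u
}

# Turn a list of addresses into "ipset restore" input: one hash set per
# address family, so a packet is checked with one set lookup instead of
# being compared against one rule per banned address.
to_ipset_restore() {
    echo "create banned4 hash:net family inet"
    echo "create banned6 hash:net family inet6"
    while read -r ip; do
        case $ip in
            *:*) echo "add banned6 $ip" ;;
            *)   echo "add banned4 $ip" ;;
        esac
    done
}

# Prints the restore file for the sample. On a real host (as root) it would be
# piped to "ipset -exist restore", and a single rule per family then replaces
# the linear list of per-address DROP rules:
#   iptables  -I INPUT -m set --match-set banned4 src -j DROP
#   ip6tables -I INPUT -m set --match-set banned6 src -j DROP
sample_log | burst_ips 5 | to_ipset_restore
```
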
  • John Walker posted an update in the group Updates 6 months, 3 weeks ago

    2020 May 11

    Updated the Stop Spammers plug-in to version 2020.3. After the
    2020-04-18 version 2020.2 update, whose entry in the change log
    read simply "Plugin audit and cleanup", along comes 2020.3,
    which has no change log entry at all.  Perhaps they were
    embarrassed: the 9 files modified are almost entirely fiddling
    with "Premium" version up-selling and trivial presentation
    changes.  We have local code in two files of this plug-in, and
    in neither case did the changes conflict with our code, so
    integration was straightforward. I syntax checked the modified
    files, ran ../t/ratdiff to…

  • John Walker posted an update in the group Updates 6 months, 3 weeks ago

    2020 May 10

    Updated the WP External Links plug-in to version 2.46.  It was
    just two days ago that we installed 2.45, a minor update which
    affected things we don't use, and now in a goofer twofer,
    they're back with 2.46, which changes one file to correct a
    problem which wrecked the "save post" functions for bubbleheads
    who use the "block editor" (Gutenberg) on their sites.  This is
    involved with the REST API, a bubbling tar pit of security
    vulnerabilities which we, like all sane sites, have disabled.
    The only other changes are to the version number and the README
    file, which…

  • John Walker posted an update in the group Updates 6 months, 3 weeks ago

    2020 May 8

    Updated the Really Simple SSL plug-in to version 3.3.2.  This is
    a minor update which fixes compatibility with other plug-ins and
    themes that we don't use.  They got rid of the review nag which
    irritated administrators.  Only five files were modified, and
    those changes were minimal.  We have no local code in this
    plug-in, so I simply syntax checked the modified files, prepared
    an update kit, and installed it.  Everything looks OK after the
    installation.
    
    No problems have occurred since the installation of the Really
    Simple SSL plug-in version 3.3.2 update so I committed…
