Mandatory Update: WordPress 2.6.2
WordPress has released a new version, 2.6.2, to fix security problems affecting blogs that allow open registration. You can read the full details in the release post or go directly to the download page.
The main culprit was that, with open registration enabled, an attacker could craft a username that let them reset another user’s password to a randomly generated one, which is not a security problem in itself. Combined with a weakness in the random number seeding of mt_rand(), however, the attacker could predict that randomly generated password and gain access to your blog (potentially under your members’ user names).
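The username-crafting step above works through SQL column truncation. The model below is an added example, not WordPress’s own code: it assumes a 60-character user_login column and MySQL’s non-strict, trailing-space-insensitive comparison, and shows the registration-time check that prevents an over-long name from silently colliding with an existing account.

```python
# Added example (not WordPress code). Models how a non-strict MySQL VARCHAR
# column stores an over-long user_login, and a registration check that
# rejects any name that would collide with an existing login after storage.

USER_LOGIN_LEN = 60  # assumed width of wp_users.user_login


def mysql_stored_value(value: str, width: int = USER_LOGIN_LEN) -> str:
    """What a non-strict MySQL server keeps for a VARCHAR(width) column.

    Characters past the column width are dropped without error, and trailing
    spaces are ignored when the stored value is compared (PAD SPACE collation).
    """
    return value[:width].rstrip(" ")


def collides_after_truncation(candidate: str, existing_logins, width: int = USER_LOGIN_LEN) -> bool:
    """True if the stored form of `candidate` equals an existing login's stored form."""
    stored = mysql_stored_value(candidate, width)
    return any(stored == mysql_stored_value(login, width) for login in existing_logins)


def validate_new_login(candidate: str, existing_logins, width: int = USER_LOGIN_LEN):
    """Registration-time check: refuse anything that could be truncated or
    that would match an existing account once stored."""
    if candidate != candidate.strip():
        return False, "leading or trailing whitespace not allowed"
    if len(candidate) > width:
        return False, f"username longer than {width} characters"
    if collides_after_truncation(candidate, existing_logins, width):
        return False, "username already exists"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: two existing accounts and one over-long name
    # whose first 60 characters reduce to "admin" once stored.
    existing = ["admin", "alice"]
    overlong = "admin" + " " * 55 + "x"
    print(repr(mysql_stored_value(overlong)))            # 'admin'
    print(collides_after_truncation(overlong, existing))  # True
    print(validate_new_login(overlong, existing))         # rejected
    print(validate_new_login("bob", existing))            # (True, 'ok')
```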
There are several other security updates/changes/additions to the code, so it may be necessary to perform backups of your current installation, database, and other files associated with your blog before performing the update.
Again, this update is mandatory as long as you are running a blog with user accounts enabled and are not using the Suhosin plugin or the workaround for the vulnerability.
Further developments can be followed on the main WordPress blog.
Additional, Useful Links
- Bug Fixes
- Full Changeset and List of Changed Files
- Security Vulnerabilities: SQL Column Truncation | Weakness of mt_rand()
Update: After completing several updates and installs of WordPress 2.6.2, everything went well, with no new problems as far as I can see. I strongly recommend the WordPress Automatic Upgrade Plugin, as it removes the hassle of replacing files or doing a manual update.
The WordPress auto upgrade plugin is nice, but it seems like every other time it corrupts my database on the upgrade…
I am happy with the current 2.6.1 version, but WordPress 2.6.2 contains a handful of bug fixes. I’ve just upgraded my blog to this new.