Our first focus was around improving the discussion and support around plugins.

You’ll now notice that threads about a plugin are pulled directly into a “support” tab on the plugin page — each plugin has its own forum. We’ve made authors much more prominent and with bigger Gravatars and better placement, so you can get a sense of who made the plugin you’re using. And finally to show how active and well-supported a plugin is, you can see  ”16 of 75 support threads in the last two weeks have been resolved.” Finally, if you’re logged in you get access to the new “favorites” feature that lets you mark the plugins you use the most so you can share them on your profile page and find them quickly later. We soft-launched favorites a few days ago and there have already been 2,000 saved!

If you’re a plugin author, we’ve started with a short threshold (2 weeks) for the resolved stats so it’s easy to catch up and stay on top of it. (It’ll eventually go to two months.) You also now have the ability to set stickies on your plugin forum to put FAQs or important information at the top, and of course any person you put as a committer on the plugin will have moderation access. People on the forum tag will see your custom header and links to the other resources attached to your plugin.

We’ve tightened up the styling a bit on the forums and plugin pages, though still some cleanups to do there. Some older improvements you might have missed, but are still useful for users and developers alike:

All of this will continue to evolve as we get feedback and see usage, but we’re happy to have been able to make some key improvements in just a few days while hanging out in Memphis. (This is why WordCamps usually have BBQ — it imparts magical coding powers.)

Core code isn’t the only way to contribute to the WordPress project. We have an active theme review team, support forum volunteers, people writing documentation, plugin managers, community event organizers, translators, and more. The teams have been siloed for too long, so we’ve recently begun the process of bringing them together by having teams elect representatives to facilitate more communication between the contributor groups. These reps will form the nucleus of the contributor summit now being planned for a long weekend at the end of October in Tybee Island, GA. This is completely different from a WordCamp. It will be a combination of co-working, unconference, and discussions among the project leaders, and participation will be by invitation.

In addition to bringing together the active contributor team reps to work together, I think it’s important to include community members who don’t fall into that category (at least not yet!). Successful WordPress-based business, authors of popular plugins and themes, and people using WordPress in unexpected but intriguing ways should have a place at the table, too. That said, part of the magic of the core team meetup is the small size; it allows every voice not only to be heard, but to engage. Since this is my first attempt at bringing together so many groups and points of view, I want to try and keep it small enough to retain that personal atmosphere while at the same time ensuring that the best possible mix of people and businesses in the WordPress ecosystem is represented. This is where you come in!

Taking a cue from events with limited availability like AdaCamp (attendance) and the jQuery conference (speaker roster), I want you to nominate people and/or WordPress-based businesses to participate in the summit. Yes, you can nominate yourself.* You can nominate up to 10 additional people — be prepared to provide URLs and the reason you think they should participate. You can also nominate up to 10 WordPress-based businesses without naming individual people, so if there’s a theme or hosting company (for example) that you think should be there, you don’t need to go looking for employee names. This nomination process will hopefully ensure that we don’t overlook someone who is making a difference in our community when it comes time to issue invitations.

Nominations will be open for a week, after which the survey will be closed and the process of analyzing the results** will begin. The nominations process will lead to invitations in June, confirmations in July, planning in August and September, and the summit itself in October. Hopefully we can stream and/or record some of the activity to share online at WordPress.tv. Additional invitations may be extended up until the event if there are people/businesses that become more active in the community. If you’re thinking to yourself that maybe now’s the perfect time to start contributing time to the WordPress project, good thinking! In the meantime, if you want to weigh in, fill in the community summit nomination form. Thanks, and wish us luck!

* Nominating yourself: Do nominate yourself if you fall into one of the categories described in the post above, or if you believe that you have a unique point of view. Please do not nominate yourself if you just think it would be cool to hang out with this group. This is a working event, and everyone is expected to bring something special to the table.

** I (and/or a helpful community volunteer) will sift through the nominations and compile a shortlist of the most-nominated people/businesses and the most intriguing underdogs. This list will be reviewed by the summit planning committee (made up of team reps) to create the invitation list.

The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

For source downloads of PHP 5.4.3 and PHP 5.3.13 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes are recorded in the ChangeLog.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this: RewriteCond %{QUERY_STRING} ^[^=]*$ RewriteCond %{QUERY_STRING} %2d|\- [NC] RewriteRule .? - [F,L] Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.

Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.

So, requests that do not have a "=" in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP. An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.

Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report causing this issue to go public before we had time to test solutions to the level we would like. Please report any issues via bugs.php.net.

For source downloads of PHP 5.3.12 and PHP 5.4.2 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. A ChangeLog exists.

I know a lot of you have been eagerly awaiting this new release so we
are please to announced we have freshly baked new Ubuntu 12.04 (Precise
Pangolin) images available for immediate deployment. Along with a slew
of updated packages comes Linux [kernel] version 3.2.

But most exciting of all, this release is special as it is a “long-term
support” (LTS) edition. In English, that means this new version of
Ubuntu will be supported and actively maintained for a whopping 5 years!
For this reason we highly recommend it for all new Ubuntu server
installations.

Enjoy.

DevConf is the ultimate meeting place for russian-speaking web-developers, combining several language-specific conferences under one roof.

This year DevConf will include the following sections:

Each section will feature several talks from the active contributors/authors of the language. Among the invited speakers are Derick Rethans (XDebug creator), David Soria Parra (active PHP contributor), Andrey Aksyonov (author of Sphinx), Alexander Makarov (one of the main contributors to Yii), Sergey Petrunya (of MariaDB fame), Ilya Alekseev (OpenStack Nova contributor) and many others, see more details on the official website.

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

Security Enhancement affecting PHP 5.3.11 only:

Key enhancements in these releases include:

For a full list of changes in PHP 5.3.11 and PHP 5.4.1, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.

All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.

Three external libraries included in WordPress received security updates:

Thanks to Neal Poole and Nathan Partlan for responsibly disclosing the bugs in Plupload and SWFUpload, and Szymon Gruszecki for a separate bug in SWFUpload.

WordPress 3.3.2 also addresses:

These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.

Download WordPress 3.3.2 or update now from the Dashboard → Updates menu in your site’s admin area.

Our development of WordPress 3.4 development continues. Today we are proud to release Beta 3 for testing. Nearly 90 changes have been made since Beta 2, released 9 days ago. (We are aiming for a beta every week.)

This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. (See the known issues here.) If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’s famous 5-minute install and spin up a secondary test site. Let us know what you think!

Version 3.4 Beta 3 includes all of the fixes included in version 3.3.2. Download WordPress 3.4 Beta 3 or use the WordPress Beta Tester plugin.