Whisker Menu is an application menu / launcher for Xfce that features a search function so you can easily find the application you want to launch. The menu supports browsing apps by category, you can add applications to favorites and more. The tool is used as the default Xubuntu application menu starting with the latest 14.04 release and in Linux Mint Xfce starting with version 15 (Olivia).
The Whisker Menu PPA was recently updated to the latest version, 1.4.0. You can use it both to upgrade to the latest version and to install the tool on (X)Ubuntu releases for which Whisker Menu isn’t available in the official repositories (supported versions: Ubuntu 14.04, 13.10 and 12.04 and the corresponding Linux Mint versions). To see what changed since the previous release, see the changelog on its main website.
Submitted by: Andrew
Please join us in testing utopic and helping the next release of ubuntu become the best it can be. Hope to see everyone there!
P.S. We have a team calendar that can help you keep track of the release schedule along with this and other events. Check it out!
In discussions at the last Online Summit and afterwards, it became clear that we need to bring the summit dates closer to our release dates again. With the Unicorn being released on Oct 23, we decided to pick the following dates for the next Online Summit:
4th – 6th November 2014
This unfortunately won’t leave too much room for a mid-cycle UOS, as it’d get too close to Feature Freeze and other release/freeze dates. Michael Hall will start a discussion on ubuntu-devel-discuss@ about the subject of Ubuntu Online Summit soon, so we can discuss changes and start general planning. Your feedback and help are much appreciated.
If you should want to have any ad-hoc, public planning sessions before the next UOS, we’d like to remind you of Ubuntu On Air, which is a good way to get your discussion recorded and where you can very easily get people involved for the subject. Find out more info on https://wiki.ubuntu.com/OnAir
Originally posted to the community-announce mailing list on Tue Jul 8 10:42:20 UTC 2014 by Daniel Holbach
The following is a guest post from Curtis Hovey, the Juju release manager. You can find the original announcement on the Juju mailing list.
Juju 1.20.0 is released
A new stable release of Juju, juju-core 1.20.0, is now available.
Getting Juju
juju-core 1.20.0 is available for utopic and backported to earlier series in the following PPA:
- High Availability
- Availability Zone Placement
- Azure Availability Sets
- Juju debug-log Command Supports Filtering and Works with LXC
- Constraints Support instance-type
- The lxc-use-clone Option Makes LXC Faster for Non-Local Providers
- Support for Multiple NICs with the Same MAC
- MAAS Network Constraints and Deploy Argument
- MAAS Provider Supports Placement and add-machine
- Server-Side API Versioning
The juju state-server (bootstrap node) can be placed into high availability mode. Juju will automatically recover when one or more of the state-servers fail. You can use the ‘ensure-availability’ command to create the additional state-servers:
juju ensure-availability
The ‘ensure-availability’ command creates 3 state servers by default, but you may use the ‘-n’ option to specify a larger number. The number of state servers must be odd. The command supports the ‘series’ and ‘constraints’ options like the ‘bootstrap’ command. You can learn more details by running ‘juju ensure-availability --help’.
Availability Zone Placement
Juju supports explicit placement of machines to availability zones (AZs), and implicitly spreads units across the available zones.
When bootstrapping or adding a machine, you can specify the availability zone explicitly as a placement directive, e.g.
juju bootstrap --to zone=us-east-1b
juju add-machine zone=us-east-1c
If you don’t specify a zone explicitly, Juju will automatically and uniformly distribute units across the available zones within the region. Assuming the charm and the charm’s service are well written, you can rest assured that IaaS downtime will not affect your application. Commands you already use will ensure your services are always available, e.g.
juju deploy -n 10 <service>
When adding machines without an AZ explicitly specified, or when adding units to a service, the ec2 and openstack providers will now automatically spread instances across all available AZs in the region. The spread is based on density of instance “distribution groups”.
State servers compose a distribution group: when running ‘juju ensure-availability’, state servers will be spread across AZs. Each deployed service (e.g. mysql, redis, whatever) composes a separate distribution group; the AZ spread of one service does not affect the AZ spread of another service.
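The two paragraphs above describe the spreading policy in words; the following is an added illustration (not juju-core's own provisioner code) of what "spread by density of distribution groups" means in practice. It assumes, as a simplification, that each new instance goes to the zone where its own group currently has the fewest instances, with ties broken by zone name; the real provisioner may choose differently, but the property the text promises, that one service's spread never influences another's, holds in this model.

```python
"""Added example, not Juju's code: a simplified model of how Juju 1.20
spreads instances across availability zones per distribution group.

Assumption (not from the release notes): a new instance is placed in the
zone where its *own* group currently has the fewest instances, ties broken
by zone name.  Only same-group instances count, so the mysql service and
the state servers are spread independently of each other.
"""
from collections import Counter


def pick_zone(zones, placements, group):
    """Return the zone where `group` currently has the fewest instances.

    `placements` is a list of (group, zone) pairs already provisioned.
    """
    density = Counter(z for g, z in placements if g == group)
    return min(sorted(zones), key=lambda z: density[z])


def place_units(zones, placements, group, count):
    """Place `count` new instances of `group`, appending to `placements`.

    Returns the list of zones chosen, in order.
    """
    chosen = []
    for _ in range(count):
        zone = pick_zone(zones, placements, group)
        placements.append((group, zone))
        chosen.append(zone)
    return chosen


def spread(placements, group):
    """Per-zone instance count for one distribution group."""
    return dict(Counter(z for g, z in placements if g == group))


if __name__ == "__main__":
    # Constructed region with three zones and an empty environment.
    zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
    env = []
    place_units(zones, env, "state-server", 3)  # juju ensure-availability
    place_units(zones, env, "mysql", 10)        # juju deploy -n 10 mysql
    place_units(zones, env, "redis", 2)         # a second, independent group
    for group in ("state-server", "mysql", "redis"):
        print(group, spread(env, group))
```

Running it shows the three state servers landing one per zone, ten mysql units spread 4/3/3, and the two redis units starting again from the first zone rather than being pushed away by mysql's existing load.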
Amazon’s EC2 and OpenStack Havana-based clouds and newer are supported. This includes HP Cloud. Older versions of OpenStack are not supported.
Azure availability sets
Azure environments can be configured to use availability sets. This feature ensures services are distributed for high availability; as long as at least two units are deployed, Azure guarantees 99.95% availability of the service overall. Exposed ports will be automatically load balanced across all units within the service.
New Azure environments will have support for availability sets by default. To revert to the previous behaviour, the ‘availability-sets-enabled’ option must be set in environments.yaml like so:
availability-sets-enabled: false
Placement is disabled when ‘availability-sets-enabled’ is true. The option cannot be disabled after the environment is bootstrapped.
Juju debug-log Command Supports Filtering and Works with LXC
The ‘debug-log’ command shows the consolidated logs of all juju agents running on all machines in the environment. The command operates like ‘tail -f’ to stream the logs to your terminal. The feature now supports local-provider LXC environments. Several options are available to select which log lines to display.
The ‘lines’ and ‘limit’ options allow you to select the starting log line and how many additional lines to display. The default behaviour is to show the last 10 lines of the log. The ‘lines’ option selects the starting line from the end of the log. The ‘limit’ option restricts the number of lines to show. For example, you can see just 20 lines from the last 100 lines of the log like this:
juju debug-log --lines 100 --limit 20
There are many ways to filter the juju log to see just the pertinent information. A juju log line is written in this format:
<entity> <timestamp> <log-level> <module>:<line-no> <message>
The ‘include’ and ‘exclude’ options select the entity that logged the message. An entity is a juju machine or unit agent. The entity names are similar to the names shown by ‘juju status’. You can exclude all the log messages from the bootstrap machine that hosts the state-server like this:
juju debug-log --exclude machine-0
The options can be used multiple times to select the log messages. This example selects all the messages from a unit and its machine as reported by status:
juju debug-log --include unit-mysql-0 --include machine-1
The ‘level’ option restricts messages to the specified log-level or greater. The levels from lowest to highest are TRACE, DEBUG, INFO, WARNING, and ERROR. The WARNING and ERROR messages from the log can be seen like this:
juju debug-log --level WARNING
The ‘include-module’ and ‘exclude-module’ options are used to select the kind of message displayed. The module name is dotted. You can specify all or part of a module name to include or exclude messages from the log. This example progressively excludes more content from the logs:
juju debug-log --exclude-module juju.state.apiserver
juju debug-log --exclude-module juju.state
juju debug-log --exclude-module juju
The ‘include-module’ and ‘exclude-module’ options can be used multiple times to select the modules you are interested in. For example, you can see the juju.cmd and juju.worker messages like this:
juju debug-log --include-module juju.cmd --include-module juju.worker
The ‘debug-log’ command output can be piped to grep to filter the message like this:
juju debug-log --lines 500 | grep amd64
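To make the selection rules above concrete, here is an added example (not part of juju-core) that re-implements the ‘lines’, ‘limit’, ‘include’/‘exclude’, ‘level’ and ‘include-module’/‘exclude-module’ filters over a small constructed log in the line format the release notes give. It goes slightly beyond the text by treating module names as dotted prefixes (so ‘juju.state’ also matches ‘juju.state.apiserver’ but not ‘juju.statefoo’) and by skipping malformed lines instead of failing; the timestamps in the constructed sample use a single token so that the line splits cleanly on spaces.

```python
"""Added example, not juju-core's code: the filtering rules of
`juju debug-log`, applied to constructed sample lines in the format
    <entity> <timestamp> <log-level> <module>:<line-no> <message>
"""
import re

# Lowest to highest, as documented for the 'level' option.
LEVELS = ["TRACE", "DEBUG", "INFO", "WARNING", "ERROR"]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (.*)$")

# Constructed sample log; not captured from a real environment.
SAMPLE_LOG = """\
machine-0 2014-07-08T10:42:20 INFO juju.cmd:37 running juju-core 1.20.0
machine-0 2014-07-08T10:42:21 DEBUG juju.state.apiserver:123 request Version=0
machine-1 2014-07-08T10:43:05 ERROR juju.worker.provisioner:88 cannot start instance
unit-mysql-0 2014-07-08T10:43:10 WARNING juju.worker.uniter:456 hook install failed
unit-mysql-0 2014-07-08T10:43:11 TRACE juju.worker.uniter:460 retrying hook
machine-0 2014-07-08T10:44:00 INFO juju.cmd:40 environment ready
""".splitlines()


def parse(line):
    """Split one log line into its fields; return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entity, ts, level, module, lineno, msg = m.groups()
    return {"entity": entity, "timestamp": ts, "level": level,
            "module": module, "line": int(lineno), "message": msg}


def module_matches(module, prefix):
    """Dotted-prefix match: 'juju.state' covers 'juju.state.apiserver', not 'juju.statefoo'."""
    return module == prefix or module.startswith(prefix + ".")


def level_at_least(level, threshold):
    """True when `level` is `threshold` or higher; unknown levels never pass."""
    return level in LEVELS and LEVELS.index(level) >= LEVELS.index(threshold)


def debug_log(lines, lines_from_end=10, limit=None, include=(), exclude=(),
              level=None, include_module=(), exclude_module=()):
    """Return the raw lines that survive the debug-log style filters.

    lines_from_end mirrors --lines (0 means the whole log), limit mirrors
    --limit, and the remaining parameters mirror the options of the same
    name.  Filters are applied to the tail window selected by --lines.
    """
    window = lines[-lines_from_end:] if lines_from_end else lines
    out = []
    for raw in window:
        rec = parse(raw)
        if rec is None:
            continue  # malformed line: skip rather than abort the stream
        if include and rec["entity"] not in include:
            continue
        if rec["entity"] in exclude:
            continue
        if level and not level_at_least(rec["level"], level):
            continue
        if include_module and not any(module_matches(rec["module"], p) for p in include_module):
            continue
        if any(module_matches(rec["module"], p) for p in exclude_module):
            continue
        out.append(raw)
        if limit is not None and len(out) >= limit:
            break
    return out


if __name__ == "__main__":
    # Equivalent of: juju debug-log --exclude machine-0 --level WARNING
    for line in debug_log(SAMPLE_LOG, lines_from_end=0,
                          exclude=["machine-0"], level="WARNING"):
        print(line)
```

Each keyword argument corresponds to one of the command-line options described above, so the three progressive ‘--exclude-module’ commands become calls with exclude_module set to ["juju.state.apiserver"], ["juju.state"] and ["juju"], the last of which removes every line.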
You can learn more by running ‘juju debug-log --help’ and ‘juju help logging’.
Constraints Support instance-type
You can specify ‘instance-type’ with the ‘constraints’ option to select a specific image defined by the cloud provider. The ‘instance-type’ constraint can be used with Azure, EC2, HP Cloud, and all OpenStack-based clouds. For example, when creating an EC2 environment, you can specify ‘m1.small’:
juju bootstrap --constraints instance-type=m1.small
Constraints are validated by all providers to ensure that conflicting values and unsupported options are rejected. Previously, juju would reconcile such problems and select an image, possibly one that didn’t meet the needs of the service.
The lxc-use-clone Option Makes LXC Faster for Non-Local Providers
When ‘lxc-use-clone’ is set to true, the LXC provisioner will be configured to use cloning regardless of provider type. This option cannot be changed once it is set. You can set the option to true in environments.yaml like this:
lxc-use-clone: true
This speeds up LXC provisioning when using placement with any provider. For example, deploying mysql to a new LXC container on machine 0 will start faster:
juju deploy --to lxc:0 mysql
Support for Multiple NICs with the Same MAC
Juju now supports multiple physical and virtual network interfaces with the same MAC address on the same machine. Juju takes care of this automatically, there is nothing you need to do.
Caution, network settings are not upgraded from 1.18.x to 1.20.x. If you used juju 1.18.x to deploy an environment with specified networks, you must redeploy your environment instead of upgrading to 1.20.0.
The output of ‘juju status’ will include information about networks when there is more than one. The networks will be presented in this manner:
machines:
  ...
services:
  ...
networks:
  net1:
    provider-id: foo
    cidr: 0.1.2.0/24
    vlan-tag: 42
MaaS Network Constraints and Deploy Argument
You can specify which networks to include or exclude as a constraint to the deploy command. The constraint is used to select a machine to deploy the service’s units to. The value of ‘networks’ is a comma-delimited list of juju network names (provided by MaaS). Excluded networks are prefixed with a “^”. For example, this command specifies that the service requires the “logging” and “storage” networks and conflicts with the “db” and “dmz” networks:
juju deploy mongodb --constraints networks=logging,storage,^db,^dmz
The network constraint does not enable the network for the service. It only defines what machine to pick.
Use the ‘deploy’ command’s ‘networks’ option to specify service-specific network requirements. The ‘networks’ option takes a comma-delimited list of juju-specific network names. Juju will enable the networks on the machines that host service units.
Juju networking support is still experimental and under development, and is currently only supported with the MaaS provider.
juju deploy mongodb --networks=logging,storage
The ‘exclude-network’ option was removed from the deploy command as it is superseded by the constraint option.
There are plans to add support for the network constraint and argument with Amazon EC2, Azure, and OpenStack Havana-based clouds like HP Cloud in the future.
MAAS Provider Supports Placement and add-machine
You can specify which MAAS host to place the juju state-server on with the ‘to’ option. To bootstrap on a host named ‘fnord’, run this:
juju bootstrap --to fnord
The MAAS provider now supports the add-machine command. You can provision an existing host in the MAAS-based Juju environment. For example, you can add a running machine named fnord like this:
juju add-machine fnord
Server Side API Versioning
The Juju API server now has support for a Version field in requests that are made. For this release, there are no RPC calls that require anything other than ‘version=0’ which is the default when no Version is supplied. This should have limited impact on existing CLI or API users, since it allows us to maintain exact compatibility with existing requests. New features and APIs should be exposed under versioned requests.
For details on the internals (for people writing API clients), see this document.
Finally
We encourage everyone to subscribe to the mailing list at juju-dev at lists.canonical.com, or join us on #juju-dev on freenode.
PS. Juju just got 20% more amazing.
- file locking - exercise file locking with one or more processes (the more processes the better).
- fallocate - this allocates a 4MB file, syncs, truncates to zero size and syncs repeatedly
- yield - this loops on sched_yield() to repeatedly relinquish the CPU forcing a high context switch rate when run with multiple yielding processes.
- --sched and --sched-prio options to specify the scheduler type and priority
- --ionice-class and --ionice-level options to tweak I/O niceness
- --vm-populate option to populate (pre-fault) page tables for a mapping for the --vm stress test.
Greg Kroah-Hartman had the pleasure of announcing earlier today, July 1, that the third maintenance release for the current stable 3.15 branch of the Linux kernel is available for download, urging users to upgrade as soon as their Linux distributions update the respective packages on the official software repositories.
The Linux kernel 3.15.3 is a pretty standard release that introduces various updated drivers, some filesystem improvements, especially for Btrfs and EXT4, random mm and Bluetooth fixes, and the usual architecture enhancements (ARM, ARM64, IA64, SPARC, PowerPC, s390, and x86).
Be aware, though, that upgrading to a new Linux kernel package might break some things on your system, so it is preferable to wait a few days and see if anyone complains about it on the official channels of your distribution.
Submitted by: Marius Nestor
- Review ACTION points from previous meeting
- U Development
- Server & Cloud Bugs (caribou)
- Weekly Updates & Questions for the QA Team (psivaa)
- Weekly Updates & Questions for the Kernel Team (smb, sforshee)
- Ubuntu Server Team Events
- Open Discussion
- Announce next meeting date, time and chair
- ACTION: meeting chair (of this meeting, not the next one) to carry out post-meeting procedure (minutes, etc) documented at https://wiki.ubuntu.com/ServerTeam/KnowledgeBase
- Alpha 1 for server was released on Thursday July 26th: http://fridge.ubuntu.com/2014/06/27/ubuntu-14-10-utopic-unicorn-alpha-1-released/
- bug 1317587 is in progress
Next meeting will be on Tuesday, July 8th at 16:00 UTC in #ubuntu-meeting.
Additional logs @ https://wiki.ubuntu.com/MeetingLogs/Server/20140701
Welcome to the Ubuntu Weekly Newsletter. This is issue #374 for the weeks of June 23 – July 6, 2014, and the full version is available here.
In this issue we cover:
- Ubuntu 14.10 (Utopic Unicorn) alpha-1 released!
- Ubuntu Stats
- People Wanted for OLF/UbuCon Talks
- Making it easier for LoCos to share news/stories
- FOSSETCON in Florida – Coming Next September!
- Adam Stokes: Ubuntu Openstack Installer
- Ubuntu GNOME: Acting Team Leader & HR Sub-Team
- Lubuntu: LXQt now has “full” Qt5 support
- The Fridge: Community Donations Funding Report, Q1 2014
- Svetlana Belkin: Doc Team Wiki Page Clean Up
- Ubuntu App Developer Blog: 100,000 App Downloads
- Ubuntu GNOME: [Guide] Learn About Ubuntu GNOME Community
- Utopic test writing hackfest
- Unity8 & Mir update July 1, 2014
- HP Publishes OpenStack on Ubuntu Reference Architecture
- In The Blogosphere
- In Other News
- Other Articles of Interest
- Featured Audio and Video
- Weekly Ubuntu Development Team Meetings
- Upcoming Meetings and Events
- Updates and Security for 10.04, 12.04, 13.10 and 14.04
- And much more!
The issue of The Ubuntu Weekly Newsletter is brought to you by:
- Elizabeth K. Joseph
- Jose Antonio Rey
- And many others
Except where otherwise noted, content in this issue is licensed under a Creative Commons Attribution 3.0 License (BY-SA).
Back in April and June the Community Council put out a call to restaff the Ubuntu Membership Board for several open spots on the board.
Today I’m happy to announce that the Community Council has appointed (or renewed membership of) the following individuals:
For the 1200 UTC time slot:
For the 2200 UTC time slot:
Thanks to all nominees for putting their names forward for consideration and thanks to the outgoing members who have served on the board these past couple of years!
Elizabeth K. Joseph, on behalf of the Community Council
KDE Frameworks 5 is due out today, the most exciting clean-up of libraries KDE has seen in years. Use KDE classes without bringing in the rest of kdelibs. Packaging for Kubuntu is almost all green and Rohan should be uploading it to Utopic this week.
Plasma 5 packages are being made now. We're always looking for people to help out with packaging, if you want to be part of making your distro do join us in #kubuntu-devel
The Beta version of SteamOS, a Debian-based distribution developed by Valve to be used in its hybrid PC / console, has just received an update and numerous packages.
Valve has two builds for SteamOS. One is a stable version (sort of) and the other one is a Beta (Alchemist). The two versions are not all that different from one another, but the Valve developers are using the Beta release to test some of the new updates before they hit the stable branch.
This is just the Beta version of SteamOS and not all of the packages included are stable. It will take a while until all these changes are added to the Stable branch. The system requirements for Steam OS haven’t changed and have been pretty much the same since the beginning: an Intel or AMD 64-bit capable processor, 4GB or more memory, a 250GB or larger disk, NVIDIA, Intel, or AMD graphics card, and a USB port or DVD drive for installation. Check the official announcement for more details about this release.
Submitted by: Silviu Stahie
Noticeably absent from the trial and much of the media attention are the phone companies. Did they know their networks could be so systematically abused? Did they care?
In any case, the public has never been fully informed about how phones have been hacked. Speculation has it that phone hackers were guessing PIN numbers for remote voicemail access, typically trying birthdates and inappropriate PIN numbers like 0000 or 1234.
There is more to it
Those in the industry know that there are additional privacy failings in mobile networks, especially the voicemail service. It is not just in the UK either.
There are various reasons for not sharing explicit details on a blog like this and comments concerning such techniques can't be accepted.
Nonetheless, there are some points that do need to be made:
- it is still possible for phones, especially voicemail, to be hacked on demand
- an attacker does not need expensive equipment nor do they need to be within radio range (or even the same country) as their target
- the attacker does not need to be an insider (phone company or spy agency employee)
The bottom line is that the only way to prevent voicemail hacking is to disable the phone's voicemail service completely. Voicemail is not really necessary given that most phones support email now. For those who feel they need it, consider running the voicemail service on your own private PBX using free software like Asterisk or FreeSWITCH. Some Internet telephony service providers also offer third-party voicemail solutions that are far more secure than those default services offered by mobile networks.
To disable voicemail, simply do two things:
- send a letter to the phone company telling them you do not want any voicemail box in their network
- in the mobile phone, select the menu option to disable all diversions, or manually disable each diversion one by one (e.g. disable forwarding when busy, disable forwarding when not answered, disable forwarding when out of range)
Hello and welcome to Ubuntu GNOME Community Guide for Newcomers
If you are interested in joining the Ubuntu GNOME Community as a volunteer, or you have joined already and you are a newcomer to the Ubuntu GNOME Community, then this simple guide is for you.
3 Simple Steps:
- First, you need to read Ubuntu GNOME Community Wiki Page.
- If you require further details, here is a list of ALL Ubuntu GNOME Wiki Pages.
- If the above two steps were not enough, please Contact Us.
That is all you need to know and/or do if you are interested in joining the Ubuntu GNOME Team, or if you have already joined but can’t find your way easily and need some help.
For those who would like even further details, here is our Getting Involved Guide. This guide will explain to you from A-Z how to get involved with Ubuntu GNOME.
As always, thank you for choosing and joining Ubuntu GNOME!
Ubuntu GNOME Leaders Board
A few interesting things happened after I got a macbook air.
Firstly, I got a lot of shit from my peers and friends about it. This was funny to me, nothing really bothered me about it, but I can see this becoming really tiresome at events like hackathons or conferences.
As a byproduct, there’s a strong feeling in the hardcore F/OSS world that Apple hardware is the incarnation of evil.
As a result of both of the above, hardcore F/OSS (and Distro hackers) don’t buy apple hardware.
Therefore, GNU/Linux is complete garbage on Apple hardware. Apple’s firmware bugs don’t help, but we’re BAD.
Some might ask why this is a big deal. The fact is, this is one of the most used platforms for Open Source development (note I used that term exactly).
Are we to damn these users to a nonfree OS because we want to maintain our purity?
I had to give back my Air, but I still have a Mac Mini that I’ve been using for testing bugs on OSX in code I have. Very soon, my Mac Mini will be used to help fix the common bugs in the install process.
Some things you can do:
- Consider not giving off an attitude to people with Apple hardware. Be welcoming.
- Consider helping with supporting your favorite distro on Apple hardware. Props to Fedora for doing such a great job, in particular, mjg59 and Peter Jones for all they do with it.
- Help me make Debian Apple installs one-click.
In : lp
Out: <launchpadlib.launchpad.Launchpad at 0x7f49ecc649b0>
In : lp.distributions
Out: <launchpadlib.launchpad.DistributionSet at 0x7f49ddf0e630>
In : lp.distributions['ubuntu']
Out: <distribution at https://api.launchpad.net/1.0/ubuntu>
In : lp.distributions['ubuntu'].display_name
In : lp.distributions['ubuntu'].summary
Out: 'Ubuntu is a complete Linux-based operating system, freely available with both community and professional support.'
In : import sys; print(sys.version)
3.4.1 (default, Jun 9 2014, 17:34:49)
There is not much yet, but it's a start. python3 port of launchpadlib is coming soon. It has been attempted a few times before and I am leveraging that work. Porting this stack has proven to be the most difficult python3 port I have ever done. But there is always python-libvirt that still needs porting ;-)
Some of above is just merge proposals against launchpadlib & lazr.restfulclient, and requires not yet packaged modules in the archive. When trying it out, I'm still getting a lot of run-time asserts and things that haven't been picked up by e.g. pyflakes3 and has not been unit-tested yet.
Following the success of our new stand design at MWC earlier this year, we applied the same design principles to the Ubuntu stand at last month’s Mobile Asia Expo in Shanghai.
With increased floor space, compared to last year, and a new stand location that was approachable from three key directions, we were faced with a few new design challenges:
- How to effectively incorporate existing 7m wide banners into the new 8m wide stand?
- How to make the stand open and approachable from three sides with optimum use of floor space and maintaining the maximum amount of storage space possible?
- How to maintain our strong brand presence after any necessary
Proposed layout ideas
The final design utilised maximum floor space and incorporated the positioning of our bespoke demo pods, which proved successful at MWC, along with strong branding featuring our folded paper background with large graphics showcasing app and scope designs and a new aisle banner. The main stand banners were then positioned in an alternating arrangement aligned to the left and to the right above the stand.
This is my monthly summary of my free software related activities. If you’re among the people who made a donation to support my work (168.17 €, thanks everybody!), then you can learn how I spent your money. Otherwise it’s just an interesting status update on my various projects.
Debian LTS
After having put in place the infrastructure to allow companies to contribute financially to Debian LTS, I spent quite some time drafting the announcement of the launch of Debian LTS (on a suggestion of Moritz Mühlenhoff, who pointed out to me that there was no such announcement yet).
I’m pretty happy about the result because we managed to mention a commercial offer without generating any pushback from the community. The offer is (in my necessarily biased opinion) clearly in the interest of Debian, but still the money doesn’t go to Debian, so we took extra precautions. When I got in touch with the press officers, I included the Debian leader in the discussion and his feedback has been very helpful in improving the announcement. He also officially “acked” the press release to give some confidence to the press officers that they were doing the right thing.
Lucas also pushed me to seek public review of the draft press release, which I did. The discussion was constructive and the draft got further improved.
The news got widely relayed, but on the flip side, the part with the call for help got almost no attention from the press. Even Linux Weekly News skipped it!
On the Freexian side, we just crossed 10% of a full-time position (funded by 6 companies) and we are in discussion with a few other companies. But we’re far from our goal yet, so we will have to actively reach out to more companies. Do you know companies who are still running Debian 6 servers? If yes, please send me the details (name + url + contact info if possible) to firstname.lastname@example.org so that I can get in touch and invite them to contribute to the project.
Distro Tracker
In the continuation of the Debian France game, I continued to work together with Joseph Herlant and Christophe Siraut on multiple improvements to distro tracker in order to prepare for its deployment on tracker.debian.org (which I just announced \o/).
Debian France
Since the Debian France game was over, I shipped the rewards. 5 books have been shipped to:
- Joseph Herlant and Christophe Siraut for their distro-tracker work
- Dylan Aissi for his help within the Debian Med team
- Samuel Dorsaz and Thomas Debesse for their work towards better support of Brother printers
I orphaned sql-ledger and made a last upload to change the maintainer to Debian QA (with a new upstream version).
After having been annoyed a few times by dch breaking my name in the changelog, I filed #750855 which got quickly fixed.
I disabled a broken patch in quilt to fix RC bug #751109.
I filed #751771 when I discovered an incorrect dependency on ruby-uglifier (while doing packaging work for Kali Linux).
I tested newer versions of ruby-libv8 on armel/armhf on request of the upstream author. I had reported those build failures to him (github ticket here).
Thanks
See you next month for a new summary of my activities.
Here’s a reminder about next Monday’s 7th of July Ubuntu HTML5 apps session in Barcelona.
At this free event, I’ll be presenting Ubuntu’s HTML5 development story, together with a live coding session and a Q&A round at the end. You’ll learn how to use the Ubuntu SDK and the UI toolkit to easily reuse your web skills to create stunning Ubuntu apps.
HTML5 is the other side of the coin of the Ubuntu app developer offering, where both web and native are first class citizens, offering a very flexible yet focused approach for application development. Teaming up with BeMyApp meetups, the session will start at 7 p.m. at Barcelona’s Mobile World Centre.
I look forward to seeing you there!
You may remember that last year I mentored a Google Summer of Code project whose aim was to replace our well known Package Tracking System with something more modern, usable by derivatives and more easily hackable. The result of this project is a new Django-based software called Distro Tracker.
With the help of the Debian System Administrators, it’s now setup on tracker.debian.org!
This service is also managed by the Debian QA team. It’s deployed in /srv/tracker.debian.org/ (on ticharich.debian.org, a VM) if you want to verify something on the live installation. It runs under the “qa” user (so members of the “qa-core” group can administer it).
That said you can reproduce the setup on your workstation quite easily, just by checking out the git repository and applying this change:--- a/distro_tracker/project/settings/local.py +++ b/distro_tracker/project/settings/local.py @@ -10,6 +10,7 @@ overrides on top of those type-of-installation-specific settings. from .defaults import INSTALLED_APPS from .selected import * +from .debian import * ## Add your custom settings here
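Review bot: the added `from .debian import *` in local.py comes after `from .selected import *`, so any setting defined in both settings modules silently takes the Debian value; a one-line comment stating that this override order is intended would help, because the `## Add your custom settings here` marker right below suggests local.py is meant for per-installation overrides rather than a fixed profile import, and a star import hides which names it actually replaces.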
Speaking of contributing, the documentation includes a “Contributing” section to get you up and running, ready to do your first contribution!
Versions less than 1.0.7 of the Wordpress plugin Diagnostic Tool contain several vulnerabilities:
Persistent XSS in the Outbound Connections view. An attacker that is able to cause the site to request a URL containing an XSS payload will have this XSS stored in the database, and when an admin visits the Outbound Connections view, the payload will run. This can be seen trivially by running a query for http://localhost/<script>alert(/xss/)</script> on that page, then refreshing the page to see the content run, as the view is not updated in real time. This is CVE-2014-4183.
Reflected XSS in DNS resolver test page. When a reverse lookup is performed, the results of gethostbyaddr() are inserted into the DOM unescaped. An attacker who (mis-) configures a DNS server to send an XSS payload as a reverse lookup may be able to either trick the administrator into performing a lookup, or (more likely) use the CSRF vulnerability documented below to trigger the XSS.
AJAX handlers do not have any CSRF protection on them. This allows an attacker to trigger the server into sending test emails (low severity), perform DNS lookups (high severity when combined with the reflected XSS above) and request the loading of pages by the server (including URLs that contain XSS payloads, triggering the persistent XSS documented above). Additionally, the last 2 vulnerabilities could be used to trigger an information leak for Wordpress servers that are behind a DDoS protection service (e.g., Cloudflare) or are being run as Tor anonymous services, by forcing the server to request a page from the attacker's server or perform a DNS query against the attacker's DNS server, allowing the attacker to learn the real IP of the server hosting Wordpress. This is CVE-2014-4182.
- 2014/06/15: Vulnerabilities discovered & reported to developers.
- 2014/06/30: Developers release Diagnostic Tool 1.0.7, fixing issues.
- 2014/07/04: Public disclosure.