[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Mon Dec 18 04:23:28 UTC 2017
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  reopened
 Priority:  normal                        |   Milestone:
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  normal                        |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------

Changes (by paragoninitiativeenterprises):

 * status: closed => reopened
 * resolution: maybelater =>

Comment:

Now that ext/sodium support has landed in PHP 7.2, and RFC 8032 (governing
Ed25519) has been standardized by the IETF, I'm resuscitating this ticket.

I'm including two patches.

The first and second patches add sodium_compat 1.4.0 to WordPress.

The third patch updates the auto-updater to verify Ed25519 signatures for
two example Ed25519 public keys. (Important: Replace these public keys
with one owned by the WordPress core after applying the second patch!
Unless you want Paragon to be able to sign updates for you, which might
not be a bad idea, but I suspect your users won't be happy about us having
that power.)

This is step 1 in making all WordPress updates secure.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
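
Added example, not taken from the ticket's patches or from WordPress core: a fail-closed check of a detached Ed25519 signature over an update package against a list of trusted public keys, using the ext/sodium functions available in PHP 7.2 (sodium_compat provides the same function names on older PHP). The function name update_signature_is_valid, the throwaway key pairs and the stand-in package bytes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: returns true only if $signature is a valid detached
 * Ed25519 signature over $package under at least one key in $trustedKeys.
 */
function update_signature_is_valid(string $package, string $signature, array $trustedKeys): bool
{
    // Reject malformed signatures up front; the sodium API throws on bad lengths.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    foreach ($trustedKeys as $publicKey) {
        if (!is_string($publicKey) || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip malformed key entries instead of trusting them
        }
        if (sodium_crypto_sign_verify_detached($signature, $package, $publicKey)) {
            return true;
        }
    }
    return false; // no trusted key verified the package: do not install it
}

// Constructed sample data: two throwaway key pairs stand in for the trusted keys.
$kpA = sodium_crypto_sign_keypair();
$kpB = sodium_crypto_sign_keypair();
$trusted = [sodium_crypto_sign_publickey($kpA), sodium_crypto_sign_publickey($kpB)];

$package = "constructed stand-in for the bytes of an update zip";
$sig = sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($kpB));

// Case 1: genuine package signed by a trusted key.
var_dump(update_signature_is_valid($package, $sig, $trusted));

// Case 2: package modified after signing.
var_dump(update_signature_is_valid($package . "x", $sig, $trusted));

// Case 3: well-formed signature from a key that is not in the trusted list.
$rogue = sodium_crypto_sign_keypair();
$rogueSig = sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($rogue));
var_dump(update_signature_is_valid($package, $rogueSig, $trusted));

// Case 4: truncated signature, rejected before any verification call.
var_dump(update_signature_is_valid($package, substr($sig, 0, 32), $trusted));
```

Only the first case is accepted; the other three return false, so an updater built on this check would refuse to install the package.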