[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Mon Dec 18 04:23:28 UTC 2017


#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  reopened
 Priority:  normal                        |   Milestone:
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  normal                        |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------
Changes (by paragoninitiativeenterprises):

 * status:  closed => reopened
 * resolution:  maybelater =>


Comment:

 Now that ext/sodium support has landed in PHP 7.2, and RFC 8032 (governing
 Ed25519) has been standardized by the IETF, I'm resuscitating this ticket.
 I'm including two patches.

 The first and second patches add sodium_compat 1.4.0 to WordPress.

 The third patch updates the auto-updater to verify Ed25519 signatures for
 two example Ed25519 public keys. (Important: Replace these public keys
 with one owned by the WordPress core after applying the second patch!
 Unless you want Paragon to be able to sign updates for you, which might
 not be a bad idea, but I suspect your users won't be happy about us having
 that power.)

 This is step 1 in making all WordPress updates secure.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
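As an added illustration (not code from the ticket, the attached patches, or WordPress core), the following PHP sketch shows the shape of the check the third patch describes: a downloaded package is accepted only if its detached Ed25519 signature verifies under one of a set of pinned public keys, using the ext/sodium functions that sodium_compat polyfills on PHP versions without the extension. The polyfill path, the `.sig` sidecar convention and the throwaway keypair used for the demonstration are assumptions; real deployments would pin the project's own keys instead of generating any at runtime.

```php
<?php
declare(strict_types=1);

// Added example, not part of the Trac ticket or WordPress core. Verifies a
// detached Ed25519 signature on an update package against pinned public keys.

// Assumption: if ext/sodium is absent, sodium_compat is vendored at this path
// and provides the same sodium_* functions and SODIUM_* constants.
if (!function_exists('sodium_crypto_sign_verify_detached')) {
    require_once __DIR__ . '/sodium_compat/autoload.php';
}

/**
 * Returns true only if $signature is a valid Ed25519 signature over $message
 * made by one of $trustedPublicKeys (raw 32-byte strings). Any malformed
 * input is treated as "not verified" so the check can never fail open.
 */
function verify_update_signature(string $message, string $signature, array $trustedPublicKeys): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    foreach ($trustedPublicKeys as $publicKey) {
        if (!is_string($publicKey) || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a malformed key entry rather than abort the whole check
        }
        try {
            if (sodium_crypto_sign_verify_detached($signature, $message, $publicKey)) {
                return true;
            }
        } catch (SodiumException $e) {
            // Bad input for this key: keep trying the remaining pinned keys.
        }
    }
    return false;
}

/**
 * Reads a package and its hex-encoded sidecar signature (<package>.sig is an
 * assumed convention) and verifies it before anything is unpacked.
 */
function verify_package_file(string $packagePath, array $trustedPublicKeys): bool
{
    $sigPath = $packagePath . '.sig';
    if (!is_file($packagePath) || !is_file($sigPath)) {
        return false;
    }
    try {
        $signature = sodium_hex2bin(trim((string) file_get_contents($sigPath)));
    } catch (SodiumException $e) {
        return false; // sidecar is not valid hex
    }
    return verify_update_signature((string) file_get_contents($packagePath), $signature, $trustedPublicKeys);
}

// Self-contained demonstration with a throwaway keypair and a constructed payload.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);
$otherKey  = sodium_crypto_sign_publickey(sodium_crypto_sign_keypair());

$package   = 'constructed update package bytes'; // stands in for a downloaded zip
$signature = sodium_crypto_sign_detached($package, $secretKey);
sodium_memzero($secretKey); // the signing key is never needed on the verifying side

$trusted = [$otherKey, $publicKey]; // two pinned keys, as the ticket describes

var_dump(verify_update_signature($package, $signature, $trusted));       // signed by a trusted key
var_dump(verify_update_signature($package . 'x', $signature, $trusted)); // package modified after signing
var_dump(verify_update_signature($package, $signature, [$otherKey]));    // signer not in the pinned set
```

The point of the pinned-key list is that a compromised download mirror or CDN can only serve packages that were signed by a key the installation already trusts; the check costs one Ed25519 verification per candidate key and rejects before any archive is extracted, so the package contents are never interpreted on a failed verification.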

