WordPress 6.4.1 Resolves Critical cURL/Requests Bug

WordPress Releases 6.4.1 Maintenance Update to Address Critical Bug

WordPress contributors have been working diligently to address a critical bug that emerged from a change in the Requests library. This bug has caused issues with updates on servers running older versions of cURL. In response, WordPress has released a 6.4.1 maintenance update to mitigate the problem.

The bug was first reported by hosting companies, who noticed widespread impact on sites. Tom Sommer, from one of Denmark’s largest hosting companies, filed an issue on GitHub outlining how the cURL timeouts were affecting websites. The bug breaks downloads from various sites, including https://api.wordpress.org/, when using cURL 7.29.0 and potentially other versions. It also causes issues with the REST API in Site Health and prevents WordPress plugin and core updates.

The severity of the bug prompted WordPress contributors to make it a top priority. Because the bug prevents core updates, affected users would be unable to receive an update even if the bug was fixed immediately. Manual updates would be the only option for these users, which could lead to a bigger problem if left unresolved.

Nexcess reported that tens of thousands of sites were affected by the bug. Since it was beyond the capabilities of most users to patch it themselves, hosting providers had to find a way to update their customers’ sites. Users reported that their websites were locked after updating to WordPress 6.4, while those without updates were functioning normally. The bug was also causing potential issues with the Stripe API, WP-Admin, and site performance.

Tiffany Bridge, a product manager at Liquid Web/Nexcess, summarized how this problem arose. It started with a bug report regarding an interaction between an Intrusion Protection System and WordPress. The person who reported the bug submitted their own patch, but they were asked to write tests, which they did not do. Despite the lack of tests, the project lead merged the pull request anyway. As a result, hosts had to revert the change on their own fleets to ensure that customers could still receive core and plugin updates if they were running an affected cURL version.

To address the bug, WordPress released the 6.4.1 maintenance update, which updates the Requests library from version 2.0.8 to 2.0.9. This update serves as a hotfix to revert the problematic change that caused the bug. Additionally, version 6.4.1 includes fixes for three other separate issues. Automatic updates were sent out for sites that support automatic background updates.

Moving forward, WordPress core contributors will need to investigate how this bug was allowed through and take measures to prevent similar incidents from occurring on such a large scale in the future. A postmortem or other discussion will likely be conducted to address this issue thoroughly.

In conclusion, WordPress has swiftly responded to a critical bug that affected servers running older versions of cURL. The 6.4.1 maintenance update has been released to mitigate the problem and revert the problematic change in the Requests library. Users can now receive automatic updates, and WordPress core contributors will work to prevent similar incidents in the future.
