• Resolved JohnP

    (@johnp)


    Ever since the Site Health feature was added to core, all my sites have displayed a warning: “critical issue: There are 23 curl vulnearabilities.” I contacted my previous host as the instructions advise, and was told that the warning is an error, so I’ve been ignoring it ever since.

    I have just moved to a new VPS that I am certain has had all available updates applied – the critical error warning is still there!

    According to Gemini, this is because the site health function does not really find vulnerabilities – it just checks the curl version numbers to see if they are current. Apparently the WordPress devs didn’t understand (or care) that on Debian servers security updates are backported to stable versions of curl without changing the version number.

    I hope I am not stumbling into some ancient religious war here, but this is not a good situation.

    It makes WordPress look bad to anyone who discovers that every brand new install has “critical errors”.
    It makes anyone using WordPress professionally look bad because they can’t hand over a new site with the site health green circle.
    But worse, it trains users that the appropriate response to “critical errors” is to ignore them.

    Is there a way to disable this faulty test? Or can the error message be suppressed?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator threadi

    (@threadi)

    I have many projects running on Debian-based servers and have never seen a message like this before. I can’t find the text you mentioned in the WordPress core either: https://github.com/search?q=repo%3AWordPress%2FWordPress%20curl%20vulnearabilities&type=code

    My guess is therefore that this is coming from a plugin you’re using. You might be able to tell by the button next to the message or by the details provided.

    If you don’t see that, check which plugins you’re using. I’m guessing a security plugin is the cause of this.

    Thread Starter JohnP

    (@johnp)

    You are indeed correct threadi – the culprit turned out to be the wp-vulnerability plugin. I’ve only just started using this and didn’t realise it could affect the site health page.

    Thanks for your advice

    Thread Starter JohnP

    (@johnp)

    Just in case anyone else encountering this issue wants to know the solution: add these lines to wp-config:

    /* WPVulnerability optimizations to ignore Debian backported patches */
    define( 'WPVULNERABILITY_HIDE_CURL', true );
    define( 'WPVULNERABILITY_HIDE_IMAGEMAGICK', true );
    define( 'WPVULNERABILITY_HIDE_OPENSSL', true );
    define( 'WPVULNERABILITY_HIDE_PHP', true );
    define( 'WPVULNERABILITY_HIDE_SQLITE', true );

    Hello. The main problem is that there is no way to detect and match patch versions with vulnerabilities, because each OS patches them differently. So, yes, the solution you are using is one of the best possible.
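    Since a version-number comparison cannot see a Debian backport, a way to verify that a specific fix is actually present (instead of only hiding the warning) is to read the package's Debian changelog, where each backported CVE fix is recorded. The following is an added example, not code from the thread or the WPVulnerability plugin; the changelog text, the version strings and the CVE id are constructed for illustration, and the /usr/share/doc path is the usual Debian location assumed here.

```shell
#!/bin/sh
# Added example: check a Debian package's changelog for a named CVE fix.
# Debian keeps the upstream version (e.g. 7.88.1) and records security
# backports in the package changelog, so a version check alone is blind to them.

# Constructed sample changelog (not a real curl changelog; CVE id is a placeholder).
SAMPLE_CHANGELOG='curl (7.88.1-10+deb12u5) bookworm-security; urgency=medium

  * Fix CVE-2000-0001: constructed placeholder entry for this example

 -- Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

curl (7.88.1-10) unstable; urgency=medium

  * New upstream release

 -- Maintainer <maintainer@example.org>  Mon, 01 Jan 2023 00:00:00 +0000'

# upstream_version DEBIAN-VERSION
# Prints the part a naive scanner compares: epoch ("1:") and Debian
# revision ("-10+deb12u5") stripped, so "1:7.88.1-10+deb12u5" -> "7.88.1".
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# changelog_fixes_cve CVE-ID CHANGELOG-TEXT
# Returns 0 when the changelog names the CVE as a whole word, 1 otherwise.
changelog_fixes_cve() {
    printf '%s\n' "$2" | grep -q -i -w -F -- "$1"
}

# installed_pkg_fixes_cve PACKAGE CVE-ID
# Reads the installed changelog (assumed Debian path); returns 2 if absent.
installed_pkg_fixes_cve() {
    f="/usr/share/doc/$1/changelog.Debian.gz"
    [ -r "$f" ] || return 2
    changelog_fixes_cve "$2" "$(zcat "$f")"
}

# Demonstration on the constructed sample.
echo "version a scanner compares: $(upstream_version '7.88.1-10+deb12u5')"
if changelog_fixes_cve CVE-2000-0001 "$SAMPLE_CHANGELOG"; then
    echo "CVE-2000-0001: fixed by a Debian backport"
else
    echo "CVE-2000-0001: not mentioned in changelog"
fi
```

    On a real Debian host, installed_pkg_fixes_cve curl CVE-XXXX-NNNN (with the id from the advisory you are checking) answers the question the plugin cannot.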

    Moderator Yui

    (@fierevere)

    永子

    Indeed, it will be good to have some kind of subscription to your OS distribution’s security newsletter, so you won’t miss security notices and termination notices when your OS version stops receiving security updates.
