The security fix in 4.2.1 was critical, so it was back-ported to 4.1.4 and 4.0.4, whose branches were also affected by the vulnerability.
Lower branches are only updated for critical security releases. Major version updates, x.x (like 4.2) include feature and functionality changes, and some people stay on older versions because of that. We don’t want them to go without critical security fixes on publicly known vulnerabilities just because of that.
Also, if you have not disabled automatic updates, minor updates are applied in the background. Which means that anyone on 4.1.3 got 4.1.4 automatically, but they would need to first manually trigger the update to 4.2 if they wanted to move up to the 4.2 branch.
In short, when a critical security vulnerability is irresponsibly publicly disclosed, as this one was, it’s just better to get an update out there in a way that can be automatically applied to as many blogs as possible as quickly as possible.
Personally, I’d love for everyone to be on 4.2.1, but I can understand the few who are not quite ready to jump on the 4.2.x branch yet.
Thread Starter: mscott (@mscott)
So what are safe versions of WordPress?
4.2.1
4.1.4
4.0.4
???
How long has WordPress been supporting multiple release trees? I really didn’t know they were still supporting the 4.0 tree.
The problem I have with this (and I realize I may be preaching to the choir) is it makes it difficult for web hosts to know what is and isn’t secure on their servers.
Up until WordPress 4.2 was released, I didn’t know that multiple release trees were being used. When WordPress 4.1 was released, I assumed that WordPress 4.0 died and everyone should be using WordPress 4.1.
This made it easy to scour through our web hosting servers and find any WordPress script that wasn’t WordPress 4.1(.X) which we then encouraged users to upgrade or face security risks.
Now – I guess – I’ll have to start looking for WordPress 4.0.4, 4.1.4, and 4.2.1. It would be easier if there was only ONE version – WordPress 4.2.1. If users don’t have to upgrade – featureset wise – then they won’t. This will lead to a lot of confusion (IMHO) later on. The more release trees you support, the more the headaches multiply.
In the interim, it would be nice to have a page on WordPress’s website that ALWAYS lists what the latest version(s) are.
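A check of the kind described above (find every WordPress install under a hosting root and flag any that is not on the patched release for its branch), written as an added example that is not part of the original thread; the safe-version table, the `public_html` layout and the sample sites are assumptions:

```python
import re
import tempfile
from pathlib import Path

# Patched releases named in the thread, keyed by branch. Assumption: a branch
# not listed here (e.g. 3.9) is treated as unsupported rather than "safe".
SAFE_BY_BRANCH = {"4.2": (4, 2, 1), "4.1": (4, 1, 4), "4.0": (4, 0, 4)}

# WordPress stores its version in wp-includes/version.php as $wp_version = '4.2.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def parse_version_php(text):
    """Return the $wp_version string from a version.php body, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """'4.1.3' -> (4, 1, 3); a two-part '4.2' is padded to (4, 2, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify_version(version):
    """'safe' (at/above the branch patch), 'outdated', or 'unsupported' branch."""
    v = version_tuple(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in SAFE_BY_BRANCH:
        return "unsupported"
    return "safe" if v >= SAFE_BY_BRANCH[branch] else "outdated"


def scan_installs(root):
    """Walk a hosting root and return (install_dir, version, status) triples."""
    results = []
    for vfile in Path(root).rglob("wp-includes/version.php"):
        version = parse_version_php(vfile.read_text(errors="replace"))
        if version is not None:
            results.append((str(vfile.parent.parent), version, classify_version(version)))
    return results


def demo():
    """Constructed sample tree (not real hosting data) with three sites."""
    root = Path(tempfile.mkdtemp())
    for site, ver in (("alice", "4.2.1"), ("bob", "4.1.3"), ("carol", "3.9.6")):
        inc = root / site / "public_html" / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
    return sorted(scan_installs(root))
```

Run `demo()` to see one site per status; point `scan_installs()` at a real document root to produce the list of installs a host would need to contact.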
Moderator: Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad
“In the interim, it would be nice to have a page on WordPress’s website that ALWAYS lists what the latest version(s) are.”
The safe version of WordPress is always the latest and greatest. As of this writing that is version 4.2.1. No ifs, ands or buts about it and there is one version of WordPress. The current one. 😉
That doesn’t necessarily mean that old versions are unsafe (though that has been true in the past), especially if they’ve been patched to address a critical security bug. And as you’ve pointed out that is exactly what happened with those earlier releases.
“How long has WordPress been supporting multiple release trees? I really didn’t know they were still supporting the 4.0 tree.”
Supporting old releases is an optional thing. It’s not always done and no one should rely on that support. It’s the latest version that is maintained and always has been.
This time the older releases were patched. Next time that decision may not work out that way.
Thread Starter: mscott (@mscott)
See, that’s where the confusion settles in.
“WordPress 4.2.1 is the only, safe version”
…
“except for WordPress 4.1.4 and WordPress 4.0.4 right now… That may change later… or not”
You can’t support older versions and not support the older versions at the same time.
I’m all for forcing everyone to upgrade to WordPress 4.2.1 if they want to be secure. If people don’t like it, then they can use something else.
You can’t say that there’s only ONE version of WordPress and then claim that WordPress 4.2.1, WordPress 4.1.4, and WordPress 4.0.4 are safe versions. You can say that there are THREE versions and list those accordingly as 4.2.1, 4.1.4 and 4.0.4. OR you can say there is ONE version, 4.2.1.
That’s my two-cents anyway.
4.0.x and 4.1.x will only be updated for critical security flaws. They will not receive bug fixes (a number of bugs in 4.1.x were addressed only in 4.2), and they may not even receive minor security fixes.
Critical security fixes are issued for the older branches simply because it would be cruel not to, and we aren’t cruel people.
If you want the best WordPress experience, you should be on the most current version, and that’s 4.2.1. We do not recommend anyone stay on 4.1.4 or 4.0.4, but if you really need to, at least they don’t have any known security vulnerabilities.