• Resolved chargeup

    (@chargeup)
    WooCommerce Stripe Payment Gateway autoupdated on all of my sites. Some of the sites were using 7.5.0 and got updated to 7.5.1. I don’t see any mention of a security patch on the internet anywhere like we had last summer.

    Unlike the other user I didn’t have the download link. The email didn’t look malicious to me.

    Any explanation for the autoupdates?

Viewing 5 replies - 1 through 5 (of 5 total)
  • According to the changelog there was a security fix in the latest release (“Add nonce check to OAuth flow.”) that also got backported to older releases. Due to the severity it’s likely that an auto-update was forced by the plugins team for affected sites.

    I presume the plugin developers will make this more public once the risk has been mitigated and sites have updated.

    Plugin Support Shameem R. a11n

    (@shameemreza)

    Hi @chargeup

    Did you mean to update from version 7.6.0 to 7.6.1 or 7.5.0 to 7.6.1? To clarify, we never released version 7.5.1. Instead, we jumped straight from 7.5.0 to 7.6.0.

    However, if you got forced auto update from version 7.6.0 to 7.6.1 or 7.5.0 to 7.6.1, then it was indeed a security update. As @swissspidy mentioned, the latest release included a security fix (“Add nonce check to OAuth flow.”) which was also backported to older releases.

    Our developer team initiated the automatic updates due to the severity of the security issue. It’s a standard procedure to protect all our users from potential risks. Our developers will likely make a public announcement once the risk has been fully mitigated and all sites have been updated. However, you can track all the changes made in our GitHub repo: https://github.com/woocommerce/woocommerce-gateway-stripe/compare/7.6.1…develop

    Please note that the email you received was not malicious but rather a notification of the automatic update. We appreciate your vigilance and understanding on this matter.

    I hope this clarifies your concern. If you have any other questions, feel free to ask.

    Thread Starter chargeup

    (@chargeup)

    I have 3 sites on 7.5.0. They were all updated to 7.5.1 not to version 7.6.1.

    Thread Starter chargeup

    (@chargeup)

    Can you double check with your team to see if this is a possibility?

    I have seen a few other times (for example with a Paypal security issue on another plugin) they just added the patch only to that section of code in the old version and renamed the version by 1 number. They didn’t force an entire plugin update.

    Just making sure it’s not a further security issue that I need to roll back a backup on then update your plugin fully to 7.6.1.

    Plugin Support abwaita a11n

    (@abwaita)

    Hi @chargeup,

    I have 3 sites on 7.5.0. They were all updated to 7.5.1 not to version 7.6.1.
    Can you double check with your team to see if this is a possibility?

    Yes, that’s a possibility. When the security updates were being done, an email was sent out showing the patched versions – https://d.pr/i/eEKtIL.

    Version 7.5.1 is the patched version of 7.5.0, so it would make sense why you’ve been updated to that version. Therefore, kindly don’t roll back to 7.5.1, but if you can, update to 7.6.1.

  • The topic ‘Automatic Update on All Sites’ is closed to new replies.