Scott Arciszewski
Forum Replies Created
Forum: Fixing WordPress
In reply to: Issue after updating to 4.4
https://github.com/paragonie/random_compat/releases/tag/1.1.4
Andrey Andreev pointed out a few problems with the previous patch. Give 1.1.4 a whirl instead.
https://raw.githubusercontent.com/paragonie/random_compat/1.1.4/lib/random.php
Forum: Fixing WordPress
In reply to: Issue after updating to 4.4
You’ll want this version:
https://raw.githubusercontent.com/paragonie/random_compat/1.1.4/lib/random.php
It resolves a case sensitivity edge case pointed out by Dion Hulse (@dd32).
https://github.com/paragonie/random_compat/releases/tag/1.1.3
Forum: Fixing WordPress
In reply to: Issue after updating to 4.4
Forum: Fixing WordPress
In reply to: Issue after updating to 4.4
Warning: com() has been disabled for security reasons in D:…\wordpress\wp-includes\random_compat\random.php on line 94
That’s troubling. I’ll look into getting a new random_compat patch out ASAP.
Can someone explain to me (slowly ?? ) what happened when I updated to 4.4 and why this generated an error on my blogs?
Yes: https://paragonie.com/blog/2015/10/coming-wordpress-4-4-csprng
Forum: Plugins
In reply to: [WP Limit Login Attempts] SQL Injection Vulnerability
Emphasis: Immediate. I’m still going to disclose publicly.
Also, can we please 86 the meme that coordinated disclosure is responsible? Full disclosure can be responsible too, as can non-disclosure. Context matters a lot here.
Forum: Plugins
In reply to: [WP Limit Login Attempts] SQL Injection Vulnerability
When you publicly disclose a security vulnerability, you aren’t the hero saving the day, you’re the villain who has just put everyone’s site (and sometimes their livelihoods) in the line of fire.
Every security expert disagrees.
https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html
Forum: Plugins
In reply to: [WP Limit Login Attempts] SQL Injection Vulnerability
Okay. I’ll email you 24 hours before public disclosure. My previous coordinated disclosure timetable of 30 days was counter-productive, but maybe immediate full disclosure isn’t the right answer.