WordPress contributors have worked quickly over the past 24 hours to prepare a 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.
Hosting companies began reporting widespread impact of the bug. Tom Sommer, from one of Denmark’s largest hosting companies, filed a GitHub issue outlining how the cURL timeouts were affecting sites:
The issue became a top priority as it wasn’t clear how it would be possible for users to receive an update.
“Even if you fix this now the issue prevents any future auto-upgrade to a 6.4.1, since it breaks Curl requests, so the only way for people to update would be manually,” Sommer said. “The longer you wait, the bigger the problem will become.”
Nexcess reported tens of thousands of sites being affected by the bug. The issue was beyond what most users would be able to manually patch on their own, leaving hosts to figure out how to update their customers.
“All my websites locked after updating to WordPress 6.4,” Javier Martín González reported. “The ones without updates are working normally.”
The bug was also reported to be causing potential Stripe API, WP-Admin, and performance issues.
Liquid Web/Nexcess product manager Tiffany Bridge summarized how this problem emerged:
It looks like:
WordPress core contributors will have to get to the bottom of how this bug was allowed through, via a postmortem or other discussion to prevent this from happening on such a large scale in the future.
WordPress 6.4.1 updates the Requests library from version
2.0.9. as a hotfix release to mitigate the issue. It reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates shipped out this evening for anyone with sites that support automatic background updates.