WordPress contributors have been working hard over the last 24 hours to prepare the 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.
Hosting companies, including ours, have started reporting widespread impact of the bug.
#657 stops downloads from https://api.wordpress.org/ and many other sites when using cURL 7.29.0 (and maybe other versions). Error: "RuntimeException: Could not get URL 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation aborted after 10000 milliseconds with 807 on -1 bytes received." It also causes problems with the REST API in Site Health with the error: "REST API response: (http_request_failed) cURL Error 28: Operation aborted after 10005 milliseconds with XXX out of XXX bytes received." It also prevents plugin and WordPress core updates, basically anything that relies on the internal cURL manager in WordPress.
The issue became a top priority as it was unclear how it would be possible for users to receive an update.
Even if you fix this now, it prevents any future automatic upgrade to 6.4.1, as it breaks cURL requests, so the only way for people to upgrade would be manually. The longer you wait, the bigger the problem will become.
We found thousands of sites affected by the bug. The problem was beyond the capabilities of most users to fix manually, prompting hosts to figure out how to update their customers.
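A fleet triage check of the kind hosts needed here, added as an example and not code from the article, from WordPress or from any host: it reads the bundled Requests version out of wp-includes/Requests/src/Requests.php (WordPress 6.4 ships Requests 2.0.8, which 6.4.1 replaces with 2.0.9) and parses a `curl --version` banner, flagging 2.0.8 on cURL 7.29.x as confirmed affected (the only version the article confirms) and 2.0.8 on any other cURL as needing a manual check. The file path, the `const VERSION = '...'` line format, the banner text and the demo install are assumptions; the demo install is constructed in a temporary directory, not a real site.

```shell
#!/bin/sh
# Hypothetical triage helper (example code): classify WordPress installs by the
# bundled Requests version and the host's cURL version.

# Print the Requests library version bundled in a WordPress root.
# Assumes the WordPress 6.2+ layout wp-includes/Requests/src/Requests.php
# containing a line like:  const VERSION = '2.0.8';
requests_version() {
    f="$1/wp-includes/Requests/src/Requests.php"
    [ -f "$f" ] || return 1
    sed -n "s/.*const VERSION *= *'\([0-9.]*\)'.*/\1/p" "$f" | head -n 1
}

# Extract the version number from a `curl --version` banner, whose first line
# looks like "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 ...".
curl_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Classify a (Requests version, cURL version) pair:
#   affected - Requests 2.0.8 on cURL 7.29.x, the combination confirmed broken
#   check    - Requests 2.0.8 on any other cURL ("there may be more")
#   ok       - any other Requests version (2.0.9 carries the revert)
classify() {
    req="$1"; curl="$2"
    if [ "$req" != "2.0.8" ]; then
        echo ok
        return
    fi
    case "$curl" in
        7.29.*) echo affected ;;
        *)      echo check ;;
    esac
}

# Demo on a constructed install: a fake WordPress root in a temp directory
# (not a real site) and a constructed cURL banner for an old RHEL/CentOS build.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes/Requests/src"
    printf "<?php\nclass Requests {\n    const VERSION = '2.0.8';\n}\n" \
        > "$root/wp-includes/Requests/src/Requests.php"
    rv=$(requests_version "$root")
    cv=$(curl_version_from "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1")
    echo "root=$root requests=$rv curl=$cv -> $(classify "$rv" "$cv")"
    rm -rf "$root"
}
demo
```

On a real host you would drop the demo, loop over each site root (for example `for d in /var/www/*/htdocs`), and feed `"$(curl --version)"` to `curl_version_from`; the output of `classify` is what decides which sites get the manual rollback or a hand-applied 6.4.1 rather than waiting for an auto-update that can no longer reach api.wordpress.org.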
The bug was also reported to be causing potential issues with the Stripe API, WP-Admin, and performance.
Tiffany Bridge, product manager at Liquid Web/Nexcess, summarized how this issue emerged:
It seems that:
- Someone reported a bug related to an interaction between their Intrusion Protection System and WordPress.
- Next, they pushed their own patch to WordPress.
- The project manager for that area asked the submitter to write tests, which he didn't do.
- Then they merged the PR anyway, despite the lack of testing.
- In the meantime, hosts will all need to roll back that change in our fleets so that our customers can still have little things like core and plugin updates if we're running an affected version of cURL (7.29 confirmed, there may be more). WordPress core contributors will need to get to the bottom of how this bug was allowed, either through a post-mortem analysis or other discussion, to prevent this from happening on a large scale in the future.
WordPress 6.4.1 updates the bundled Requests library from version 2.0.8 to 2.0.9, a fix release that reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates were rolled out this evening to sites that support automatic background updates.