> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
>
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
>
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.
References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]
Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].
Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.7 branch.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/branches/5.7@52097
git-svn-id: http://core.svn.wordpress.org/branches/5.7@51689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
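The path-selection difference described in the quoted text above, as an added illustration (a simplified model, not WordPress or OpenSSL code). It matches certificates by subject name only and checks no signatures; the certificate records, the `Example Intermediate` name and every date except the DST Root CA X3 expiry are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample certificates. Only the DST Root CA X3 expiry date
# (2021-09-30) comes from the text above; the other dates are placeholders.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2030, 1, 1))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 1, 1))
INTERMEDIATE = Cert("Example Intermediate", "ISRG Root X1", date(2025, 1, 1))
LEAF = Cert("example.org", "Example Intermediate", date(2021, 12, 1))

SERVER_CHAIN = [INTERMEDIATE, ISRG_CROSS]   # untrusted certs sent in the handshake
TRUST_STORE = [DST_ROOT, ISRG_SELF]         # CA bundle holding both roots

def find(pool, subject):
    return next((c for c in pool if c.subject == subject), None)

def build_path(leaf, untrusted, trusted, trusted_first):
    """Walk issuer links from the leaf; stop at the first cert taken from the trust store."""
    path = [leaf]
    while True:
        anchor = find(trusted, path[-1].issuer)
        link = find(untrusted, path[-1].issuer)
        # Legacy order: keep following the server-supplied chain while it has a link.
        nxt = (anchor or link) if trusted_first else (link or anchor)
        if nxt is None or nxt in path:
            return None                      # no anchor reachable (or a loop)
        path.append(nxt)
        if nxt is anchor:
            return path

def verify(leaf, untrusted, trusted, today, trusted_first):
    path = build_path(leaf, untrusted, trusted, trusted_first)
    if path is None:
        return "no trust anchor"
    expired = [c.subject for c in path if c.not_after < today]
    return "expired: " + ", ".join(expired) if expired else "ok"

if __name__ == "__main__":
    day = date(2021, 10, 15)                 # after the DST Root CA X3 expiry
    print("untrusted chain first:", verify(LEAF, SERVER_CHAIN, TRUST_STORE, day, False))
    print("trust store first:    ", verify(LEAF, SERVER_CHAIN, TRUST_STORE, day, True))
```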
When the XML-RPC endpoint is enabled, always return an HTTP `200 OK` status code in accordance with the XML-RPC specification. Continue to return an HTTP `405 Method Not Allowed` status code when the endpoint is disabled.
Props ariskataoka, johnbillion.
Merges [50954] in to the 5.7 branch.
Fixes #52958.
Built from https://develop.svn.wordpress.org/branches/5.7@50989
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50598 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that contrast between text color and background meets the WCAG 2.0 AA recommended value. The following locations were changed:
- Network List Tables: Use lighter background colors for site status indicator.
- Nav Menus: Use a lighter background color for invalid menu items.
- Pointers: Use a darker background for pointer header.
- Themes: Use darker background on filter button hover.
- Customizer: Use darker background for selected widget.
Follow-up to [50025], [50571].
Props kebbet, melchoyce, peterwilsoncc.
Merges [50687] to the 5.7 branch.
Fixes #52760.
Built from https://develop.svn.wordpress.org/branches/5.7@50688
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50297 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improve the check for sourceless or dimensionless media when determining if the lazy loading attribute should be added to iframes and images. Never include the lazy loading attribute on embeds of WordPress posts as the iframe is initially hidden.
Including `loading="lazy"` on initially hidden iframes and images can prevent the media from loading in some browsers.
Props adamsilverstein, fabianpimminger, flixos90, johnbillion, jonkastonka, joyously, peterwilsoncc, SergeyBiryukov, SirStuey, swissspidy.
Merges [50682], [50683] to the 5.7 branch.
Fixes #52768.
Built from https://develop.svn.wordpress.org/branches/5.7@50684
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The reorganization of the PHPUnit workflow in [50441] unintentionally caused the tests to be run for every `push` event, even for forks and private mirrors.
Previously, the second job required the first one to pass, and the conditional check on the first prevented both from running. Because the first job is no longer required for the second, both jobs must have the appropriate conditional check.
Merges [50670] to the 5.7 branch.
Fixes #52983.
Built from https://develop.svn.wordpress.org/branches/5.7@50671
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50283 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the wrapper function `wp_getimagesize()` check if the second parameter was passed before sending it to the PHP function `getimagesize()`.
The PHP function has a different execution path depending on the number of parameters passed; this ensures the wrapper function follows the appropriate path.
Follow up to [50552].
Props azaozz, hellofromtonya, Mista-Flo, peterwilsoncc, rinatkhaziev, RogerTheriault, SergeyBiryukov, terriann, whyisjake.
Merges [50586] to the 5.7 branch.
Fixes #52826.
Built from https://develop.svn.wordpress.org/branches/5.7@50662
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reduce severity of failing HTTPS tests from critical to warning. Stop reporting failures if the site is being accessed over HTTPS but `wp_is_https_supported()` indicates a lack of support.
Props annalamprou, AnotherDave, ayeshrajans, bobbingwide, Clorith, dragongate, eatsleepcode, gab81, geoffrey1963, Ipstenu, k3nsai, mmuyskens, nicegamer7, peterwilsoncc, pwallner, SergeyBiryukov, TimothyBlynJacobs, Toru.
Merges [50659] to the 5.7 branch.
Fixes #52783.
Built from https://develop.svn.wordpress.org/branches/5.7@50660
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When validating `enum` values as `integer` or `number`, consider a number with a zero fractional part to be equivalent to an integer of the same value.
In `rest_are_values_equal()`, when comparing two values of type `int` or `float` (in any combination), first cast both of them to `float` and then compare.
This matches some test cases from the official JSON Schema test suite.
Follow-up to [50010].
Props yakimun, stefanjoebstl, TimothyBlynJacobs, rachelbaker.
Merges [50653] to the 5.7 branch.
Fixes #52932.
Built from https://develop.svn.wordpress.org/branches/5.7@50656
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change switches out `sprintf` for `printf` on the "Copy suggested policy text from..." button screen reader text. Also, wrap the actual button text in a `<span aria-hidden="true">` to prevent both the button text and the screen reader text from being spoken.
Props mukesh27, SergeyBiryukov, sabernhardt, desrosj.
Merges [50585] to the 5.7 branch.
Fixes #52891.
Built from https://develop.svn.wordpress.org/branches/5.7@50609
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50222 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Because the changes in Twenty Twelve did not impact site look or functionality, version 3.4 of Twenty Twelve was not released in coordination with WordPress 5.7.
This reverts the portion of [50508] relevant to Twenty Twelve, changing the version back to 3.3 so that version 3.4 is not skipped accidentally when there are changes that should be released.
Merges [50596] to the 5.7 branch.
See #52704.
Built from https://develop.svn.wordpress.org/branches/5.7@50597
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50210 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On TravisCI, old branches still receiving security updates were tested on a regular basis. This ensured tests continued to pass as time passed even if updates were not made to these branches.
On GitHub Actions, there is no interface to configure this (TravisCI had a UI), but there is a `schedule` event that can trigger workflow runs on cron that can be used to accomplish the same thing.
This introduces a workflow file that runs twice a month (on the 1st and 15th) to verify the tests within older branches.
Because the `schedule` event only runs within the primary branch, the appropriate workflows in each old branch will be triggered manually through the `workflow_dispatch` trigger using the GitHub REST API. `workflow_dispatch` will need to be added to all workflows in all old branches in order for the event to dispatch successfully.
Merges [50590] to the 5.7 branch.
See #52653.
Built from https://develop.svn.wordpress.org/branches/5.7@50591
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50204 1a063a9b-81f0-0310-95a4-ce76da25c4cd