WordPress contributors have worked quickly over the past 24 hours to prepare a 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.
Hosting companies began reporting widespread impact of the bug. Tom Sommer, from one of Denmark’s largest hosting companies, filed a GitHub issue outlining how the cURL timeouts were affecting sites:
- #657 breaks downloads towards https://api.wordpress.org/ and many other sites when using Curl 7.29.0 (and perhaps other versions)
Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.- It also causes issues with the REST API in Site Health with the error:
REST API response: (http_request_failed) cURL error 28: Operation timed out after 10005 milliseconds with XXX out of XXX bytes received” - It also prevents WordPress plugin and core updates, basically anything that relies on the internal Curl handler in WordPress.
The issue became a top priority as it wasn’t clear how it would be possible for users to receive an update.
“Even if you fix this now the issue prevents any future auto-upgrade to a 6.4.1, since it breaks Curl requests, so the only way for people to update would be manually,” Sommer said. “The longer you wait, the bigger the problem will become.”
Nexcess reported tens of thousands of sites being affected by the bug. The issue was beyond what most users would be able to manually patch on their own, relegating hosts to figure out how to update their customers.
“All my websites locked after updating to WordPress 6.4,” Javier Martín González reported. “The ones without updates are working normally.”
The bug was also reported to be causing causing potential Stripe API, WP-Admin, and performance issues.
Liquid Web/Nexcess product manager Tiffany Bridge summarized how this problem emerged:
It looks like:
- Someone reported a bug having to do with an interaction between his Intrusion Protection System and WordPress
- They then submitted their own patch to WordPress
- The project lead for that area asked the submitter to write tests, which he did not do
- Then they merged the PR anyway, despite the lack of tests
- Meanwhile hosts are all going to have to revert that change ourselves on our own fleets so that our customers can still have little things like core and plugin updates if we are running an affected cURL version. (7.29 confirmed, there may be others)
WordPress core contributors will have to get to the bottom of how this bug was allowed through, via a postmortem or other discussion to prevent this from happening on such a large scale in the future.
WordPress 6.4.1 updates the Requests library from version 2.0.8 to 2.0.9. as a hotfix release to mitigate the issue. It reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates shipped out this evening for anyone with sites that support automatic background updates.
