> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
>
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
>
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]
Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].
Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.7 branch.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/branches/5.7@52097
git-svn-id: http://core.svn.wordpress.org/branches/5.7@51689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When the XML-RPC endpoint is enabled, always return an HTTP `200 OK` status code in accordance with the XML-RPC specification. Continue to return an HTTP `405 Method Not Allowed` status code when the endpoint is disabled.
Props ariskataoka, johnbillion.
Merges [50954] in to the 5.7 branch.
Fixes #52958.
Built from https://develop.svn.wordpress.org/branches/5.7@50989
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50598 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that contrast between text color and background meets the WCAG 2.0 AA recommended value. The following locations were changed:
- Network List Tables: Use lighter background colors for site status indicator.
- Nav Menus: Use a lighter background color for invalid menu items.
- Pointers: Use a darker background for pointer header.
- Themes: Use darker background on filter button hover.
- Customizer: Use darker background for selected widget.
Follow-up to [50025], [50571].
Props kebbet, melchoyce, peterwilsoncc.
Merges [50687] to the 5.7 branch.
Fixes #52760.
Built from https://develop.svn.wordpress.org/branches/5.7@50688
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50297 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improve the check for sourceless or dimensionless media when determining if the lazy loading attribute should be added to iframes and images. Never include the lazy loading attribute on embeds of WordPress posts as the iframe is initially hidden.
Including `loading="lazy"` on initially hidden iframes and images can prevent the media from loading in some browsers.
Props adamsilverstein, fabianpimminger, flixos90, johnbillion, jonkastonka, joyously, peterwilsoncc, SergeyBiryukov, SirStuey, swissspidy.
Merges [50682], [50683] to the 5.7 branch.
Fixes #52768.
Built from https://develop.svn.wordpress.org/branches/5.7@50684
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The reorganization of the PHPUnit workflow in [50441] unintentionally caused the tests to be run for every `push` event, even for forks and private mirrors.
Previously, the second job required the first one to pass, and the conditional check on the first prevented both from running. Because the first job is no longer required for the second, both jobs must have the appropriate conditional check.
Merges [50670] to the 5.7 branch.
Fixes #52983.
Built from https://develop.svn.wordpress.org/branches/5.7@50671
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50283 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the wrapper function `wp_getimagesize()` check if the second parameter was passed before sending it to the PHP function `getimagesize()`.
The PHP function has a different execution path depending on the number of parameters passed; this ensures the wrapper function follows the appropriate path.
Follow up to [50552].
Props azaozz, hellofromtonya, Mista-Flo, peterwilsoncc, rinatkhaziev, RogerTheriault, SergeyBiryukov, terriann, whyisjake.
Merges [50586] to the 5.7 branch.
Fixes #52826.
Built from https://develop.svn.wordpress.org/branches/5.7@50662
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reduce severity of failing HTTPS tests from critical to warning. Stop reporting failures if the site is being accessed over HTTPS but `wp_is_https_supported()` indicates a lack of support.
Props annalamprou, AnotherDave, ayeshrajans, bobbingwide, Clorith, dragongate, eatsleepcode, gab81, geoffrey1963, Ipstenu, k3nsai, mmuyskens, nicegamer7, peterwilsoncc, pwallner, SergeyBiryukov, TimothyBlynJacobs, Toru.
Merges [50659] to the 5.7 branch.
Fixes #52783.
Built from https://develop.svn.wordpress.org/branches/5.7@50660
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When validating `enum` values as `integer` or `number`, consider a number with a zero fractional part to be equivalent to an integer of the same value.
In `rest_are_values_equal()`, when comparing two values of type `int` or `float` (in any combination), first cast both of them to `float` and then compare.
This matches some test cases from the official JSON Schema test suite.
Follow-up to [50010].
Props yakimun, stefanjoebstl, TimothyBlynJacobs, rachelbaker.
Merges [50653] to the 5.7 branch.
Fixes #52932.
Built from https://develop.svn.wordpress.org/branches/5.7@50656
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change switches out `sprintf` for `printf` on the "Copy suggested policy text from..." button screen reader text. Also, wrap the actual button text in a `<span aria-hidden="true">` to prevent both the button text and the screen reader text from being spoken.
Props mukesh27, SergeyBiryukov, sabernhardt, desrosj.
Merges [50585] to the 5.7 branch.
Fixes #52891.
Built from https://develop.svn.wordpress.org/branches/5.7@50609
git-svn-id: http://core.svn.wordpress.org/branches/5.7@50222 1a063a9b-81f0-0310-95a4-ce76da25c4cd