Important: Upgrade to WordPress 2.1.2

In the interest of getting the word out as quickly and as widely as possible, a brief word about a new WordPress release: If you recently installed version 2.1.1, you should upgrade to WordPress 2.1.2 immediately. There was a security breach on the server which housed the download archives, and some files in the 2.1.1 download were modified to include a serious security hole. There are more details in the official WordPress Dev Blog announcement.

While technically this only affects those who downloaded the 2.1.1 .zip or .tar.gz archives from the wordpress.org site in about the last week, it certainly wouldn’t hurt to go ahead and upgrade, even if you downloaded earlier, or installed from SVN. Just because (there are a couple of unrelated bugfixes in there, after all).


6 Comments

  1. David Precious blog.preshweb.co.uk
    Posted March 3, 2007 at 12:29 pm | Permalink

    This is obviously bad news, I seriously hope that it won’t dent anyone’s confidence in WordPress.

    I think it’s worth highlighting that the WordPress team have dealt with this in exemplary fashion so far, being completely open about the problem, as opposed to some software companies who would prefer to pretend there isn’t a problem and “sweep it under the rug”. Well done guys, you’ve taken a professional and responsible approach.

    I’ve already upgraded to 2.1.2 and it went smoothly – I’ve published the steps I followed in my blog entry at:
    http://blog.preshweb.co.uk/index.php?p=15

    I had a look at wp-includes/theme.php and feed.php from my 2.1.1 installation and didn’t see anything nefarious, but I may take a closer look. I’d be interested to see what exactly was put in there.

  2. OneEyed technogroove.blogspot.com
    Posted March 3, 2007 at 1:28 pm | Permalink

    Thanks for the update. I am still in 2.0. Need to upgrade to the latest one.

  3. Posted March 3, 2007 at 3:58 pm | Permalink

    Dougal, you rock!

    Kudos for sacrificing sleep and family time to get this patched, even while your old home town was being destroyed by a twister.

  4. Jonathan jonlandrum.com
    Posted March 3, 2007 at 10:24 pm | Permalink

    Yes, I’m with Cynth. You and the gang did a stand-up job pushing this fix.

  5. Vigingsson iceland.intracore.com
    Posted March 4, 2007 at 10:13 am | Permalink

    Upgrade was painless. Is there something in the logs I could look out for to see if anyone *tries* to hack into the site (besides the usual crap)? I’d like to know when people try. If their attempt dumps a standard Apache error that is easy to spot but I’m wondering if there is something specific to this issue to keep a lookout for.

  6. Posted March 4, 2007 at 5:47 pm | Permalink

    I really wish WordPress would sort out their email notification system. Surely someone has the ability to copy the emails in the wordpress.org site into a mailing list. Then we can hear on the day these issues arise. I do not mean the dev lists or the user lists. But a version release list that we do not need to look in our dashboards to find out. Email is a more effective way of making sure users of WordPress are notified of new releases. And I am aware that the inbuilt mailout on the WordPress forum does not function or is not used.

    Thanks

10 Trackbacks

  1. [...] and malicious code being introduced into the downloaded versions of the previous release, as Dougal explains: If you recently installed version 2.1.1, you should upgrade to WordPress 2.1.2 [...]

  2. By no wow on March 3, 2007 at 4:15 pm

    wordpress.org Cracked, Exploit in 2.1.1 Release…

    As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
    It ma…

  3. Important: Upgrade to WordPress 2.1.2…

    The official WordPress site strongly advises upgrading to version 2.1.2.
    For those using the 2.0.x line of versions the upgrade is not mandatory; it is mandatory…

  4. By 精神奕奕 on March 3, 2007 at 7:13 pm

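    Upgrading WordPress 2.1…

    Today I finally upgraded the blog, and while I was at it I upgraded a whole batch of other software as well…

    mysql 4.1.21 upgraded to 5.0.27
    php 4.4.4 upgraded to 5.2.0
    apache 2.0.59 upgraded to 2.2.4
    activeperl 5.8.7 upgraded to 5.8.8 (this is not required by WordPress)

    WordPress upgraded from 1.5.2…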

  5. By :- BlogWize -: » ** Wordpress - Important on March 3, 2007 at 9:40 pm

    [...] Those of you who use WordPress and updated it just last week, then it's time to update again. Apparently the server was breached. And the files modified. In any case, read more here. [...]

  6. By Kentoo’s Fields » Upgrade Immediato. on March 4, 2007 at 8:00 am

    [...] more details, visit the blog of good old Douglas [...]

  7. [...] be called into question. In the last few hours, many leading blogs in the WordPress universe, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites, have stressed how necessary it is. Among [...]

  8. By La Bitácora del Tigre · 300 on March 4, 2007 at 9:51 am

    [...] doubt, as shown by the posts of several leading blogs in the WordPress universe, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites. Among us, Blogpocket, La brújula verde, [...]

  9. By Codebox.dk on March 4, 2007 at 2:10 pm

    Wordpress security update from 2.1.1 to 2.1.2…

    Seems that last week's minor update unfortunately ended in a major update. Somehow someone was able to breach the security on wordpress.org's download server housing the 2.1.1 files, and put in some malicious code. Two files, wp-includes/theme.php and/or…

  10. [...] Dougal Campbell’s Important: Upgrade to WordPress 2.1.2 [...]
