In the interest of getting the word out as quickly and as widely as possible, a brief word about a new WordPress release: if you recently installed version 2.1.1, you should upgrade to WordPress 2.1.2 immediately. There was a security breach on the server that housed the download archives, and some files in the 2.1.1 download were modified to include a serious security hole. There are more details in the official WordPress Dev Blog announcement.
While technically this only affects those who downloaded the 2.1.1 .zip or .tar.gz archives from the wordpress.org site in about the last week, it certainly wouldn’t hurt to go ahead and upgrade even if you downloaded earlier or installed from SVN, if only because there are a couple of unrelated bugfixes in there as well.
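If you are not sure whether the copy you installed came from the tampered archive, the practical check is to compare the files on your server against a known-good extraction of the same release, rather than eyeballing individual files. The script below is an added example (not code from this post or from the WordPress project): it hashes every .php file in two directory trees and reports files that were modified, added, or removed relative to the reference copy. It assumes you have a clean reference extraction (a fresh download you have verified against the project's published checksum) next to your live install; the two sample trees it builds, including the "injected line", are constructed inline so it runs offline.

```python
"""Compare an installed WordPress tree against a clean reference copy.

Added example (not code from the original post or from WordPress). The
sample trees below are constructed so the script runs offline; on a real
server point compare_trees() at your install and at a verified extraction
of the release tarball.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path, suffixes=(".php",)) -> dict:
    """Map relative path -> sha256 for every file under root with a given suffix."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in suffixes:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                digests[rel] = sha256_of(p)
    return digests


def compare_trees(installed: Path, reference: Path) -> dict:
    """Report files that differ from, were added beyond, or are missing from the reference.

    'modified' is the interesting set after a distribution compromise: a file
    the release shipped whose contents no longer match. 'added' catches
    dropped-in files (on a real install expect your own themes and plugins
    under wp-content here), 'missing' catches deleted ones. wp-config.php is
    skipped because it is site-specific and never ships in the release.
    """
    inst = tree_digests(installed)
    ref = tree_digests(reference)
    inst.pop("wp-config.php", None)
    return {
        "modified": sorted(p for p in inst if p in ref and inst[p] != ref[p]),
        "added": sorted(p for p in inst if p not in ref),
        "missing": sorted(p for p in ref if p not in inst),
    }


def build_sample_trees(base: Path) -> tuple:
    """Constructed sample data: a clean reference and an install with one tampered file."""
    ref = base / "reference"
    inst = base / "installed"
    clean_theme = "<?php\nfunction get_theme($name) { return $name; }\n"
    clean_feed = "<?php\nfunction get_feed() { return 'rss2'; }\n"
    for root in (ref, inst):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "feed.php").write_text(clean_feed)
    (ref / "wp-includes" / "theme.php").write_text(clean_theme)
    # Hypothetical tampering (constructed): one extra line appended to an
    # otherwise clean file, which is exactly what a byte-for-byte compare catches.
    (inst / "wp-includes" / "theme.php").write_text(
        clean_theme + "// injected line (constructed for this example)\n"
    )
    (inst / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
    (inst / "wp-content").mkdir()
    (inst / "wp-content" / "dropped.php").write_text("<?php // constructed extra file\n")
    return inst, ref


def demo() -> dict:
    """Build the constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        inst, ref = build_sample_trees(Path(tmp))
        return compare_trees(inst, ref)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The reference copy has to come from somewhere you trust after the fact, which in this incident means a download made after the project cleaned the server, checked against the checksum it published; comparing against the archive you originally downloaded would just confirm the tampered files match themselves.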

6 Comments
This is obviously bad news, I seriously hope that it won’t dent anyone’s confidence in WordPress.
I think it’s worth highlighting that the WordPress team have dealt with this in exemplary fashion so far, being completely open about the problem, as opposed to some software companies who would prefer to pretend there isn’t a problem and “sweep it under the rug”. Well done guys, you’ve taken a professional and responsible approach.
I’ve already upgraded to 2.1.2 and it went smoothly - I’ve published the steps I followed in my blog entry at:
http://blog.preshweb.co.uk/index.php?p=15
I had a look at wp-includes/theme.php and feed.php from my 2.1.1 installation and didn’t see anything nefarious, but I may take a closer look. I’d be interested to see what exactly was put in there.
Thanks for the update. I am still in 2.0. Need to upgrade to the latest one.
Dougal, you rock!
Kudos for sacrificing sleep and family time to get this patched, even while your old home town was being destroyed by a twister.
Yes, I’m with Cynth. You and the gang did a stand-up job pushing this fix.
Upgrade was painless. Is there something in the logs I could look out for to see if anyone *tries* to hack into the site (besides the usual crap)? I’d like to know when people try. If their attempt dumps a standard Apache error that is easy to spot but I’m wondering if there is something specific to this issue to keep a lookout for.
I really wish WordPress would sort out their email notification system. Surely someone has the ability to copy the emails in the wordpress.org site into a mailing list. Then we can hear on the day these issues arise. I do not mean the dev lists or the user lists, but a version release list, so that we do not need to look in our dashboards to find out. Email is a more effective way of making sure users of WordPress are notified of new releases. And I am aware that the inbuilt mailout on the WordPress forum does not function or is not used.
Thanks
10 Trackbacks
[...] and malicious code being introduced into the downloaded versions of the previous release, as Dougal explains: If you recently installed version 2.1.1, you should upgrade to WordPress 2.1.2 [...]
wordpress.org Cracked, Exploit in 2.1.1 Release…
As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
It ma…
Important: Upgrade to WordPress 2.1.2…
The official WordPress site strongly recommends updating to version 2.1.2
For those who use the 2.0.x line of versions the update is not mandatory; it is mandatory …
Upgrading WordPress 2.1…
Finally upgraded the blog today, and while I was at it upgraded a whole batch of software as well…
mysql 4.1.21 upgraded to 5.0.27
php 4.4.4 upgraded to 5.2.0
apache 2.0.59 upgraded to 2.2.4
activeperl 5.8.7 upgraded to 5.8.8 (this one isn’t required by WordPress)
WordPress upgraded from 1.5.2…
[...] Those of you who use WordPress and updated it just last week, it’s time to update again. Apparently the server was breached and the files modified. In any case, read more here. [...]
[...] for more details, visit the blog of the good Douglas [...]
[...] be called into doubt. In the last few hours, many of the reference blogs in the WordPress universe, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites, have stressed its necessity. Among [...]
[...] doubt, as the posts of several reference blogs in the WordPress universe show, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites. Among us, Blogpocket, La brújula verde, [...]
WordPress security update from 2.1.1 to 2.1.2…
Seems that last week’s minor update unfortunately ended in a major update. Somehow someone was able to breach the security on wordpress.org’s download server housing the 2.1.1 files, and put in some malicious code. Two files, wp-includes/theme.php and/or…
[...] Dougal Campbell’s Important: Upgrade to WordPress 2.1.2 [...]