Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: Today we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow remote PHP execution.
This is the kind of thing you hope never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is external verification of the download package so we’ll know immediately if something goes wrong for any reason.
Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.
What You Can Do to Help
If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends’ blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.
If you are a host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a host, you may want to send them a note to let them know about this release and the above information.
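For hosts who want to check whether the indicators above have already been hit before the block went in, the following is an added example (not code from the advisory or from the WordPress project) that scans web-server access logs for requests to theme.php or feed.php and for query strings carrying an ix or iz parameter. It assumes Apache/nginx Common Log Format; the log lines are constructed for illustration. It reads the “ix=” / “iz=” indicator as a parameter name rather than a raw substring, which is stricter than the advisory’s wording: a raw substring match would also flag harmless requests such as “?prefix=1”, so a host applying the advisory literally should expect some of those.

```python
"""
Scan access-log lines for the WordPress 2.1.1 advisory indicators:
  - a request whose target file is theme.php or feed.php
  - a query string carrying a parameter named "ix" or "iz"
Added example; log lines at the bottom are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)

# Indicators taken from the advisory text above.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}


def classify(path_with_query):
    """Return the list of advisory indicators a request path matches (empty if none)."""
    parts = urlsplit(path_with_query)
    reasons = []
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in SUSPECT_FILES:
        reasons.append(f"request to {filename}")
    # Match on parameter *names*, so "?prefix=1" or "?page=matrix=1" is not reported;
    # the advisory's literal "ix=" substring rule would flag both.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name in SUSPECT_PARAMS:
            reasons.append(f"query parameter {name}=")
    return reasons


def scan_log(lines):
    """Return (client, timestamp, method, path, status, reasons) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        client, ts, method, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            hits.append((client, ts, method, path, status, reasons))
    return hits


# Constructed sample log: two requests that match the indicators, three that do not.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2007:10:15:02 -0800] "GET /wp-includes/theme.php?iz=1 HTTP/1.1" 200 1523
203.0.113.7 - - [03/Mar/2007:10:15:09 -0800] "GET /wp-includes/feed.php?ix=test HTTP/1.1" 200 344
198.51.100.2 - - [03/Mar/2007:10:16:30 -0800] "GET /index.php?prefix=1 HTTP/1.1" 200 8120
198.51.100.2 - - [03/Mar/2007:10:17:01 -0800] "GET /wp-admin/admin.php?page=matrix=1 HTTP/1.1" 200 2100
192.0.2.9 - - [03/Mar/2007:10:18:44 -0800] "GET /?feed=rss2 HTTP/1.1" 200 9901
""".splitlines()


if __name__ == "__main__":
    for client, ts, method, path, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {method} {path} -> {status}: {', '.join(reasons)}")
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))`; any hit on a server that served 2.1.1 is a reason to treat that install as compromised and overwrite it with 2.1.2 rather than just patch it.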
Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to find and fix this problem, and thanks to Ivan Fratric for reporting it in the first place.
Questions and Answers
Because of the highly unusual nature of this event and release, we’ve set up an email address email@example.com that you can email questions to, and we’ll be updating this entry with more information throughout the day.
Is version 2.0 affected?
No downloads were modified except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.
What if we upgrade from SVN?
Nothing in the Subversion repository was touched, so if you update and maintain your blog via SVN there is no chance you downloaded the corrupted release file.