WordPress 2.1.1 compromised - Update your WP installation to 2.1.2 as soon as possible

WordPress.Org was targeted 3-4 days ago by a cracker who included a “security exploit” in the files offered for download. Anyone who downloaded version 2.1.1 from WordPress.Org had better update their installation to 2.1.2 as soon as possible. The WordPress.Org announcement follows.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can login again.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.

Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to figure out and address this problem, and thanks to Ivan Fratric for reporting it in the first place.

Questions and Answers

Because of the highly unusual nature of this event and release, we’ve set up an email address 21securityfaq@wordpress.org that you can email questions to, and we’ll be updating this entry with more information throughout the day.

Is version 2.0 affected?

No downloads were altered except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.

What if we update from SVN?

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.
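The announcement's advice to web hosts names the two files that were modified and the query-string markers (“ix=” and “iz=”) it asks hosts to block. The script below is an added example, not part of the original post and not WordPress's own tooling: it turns those indicators into a check over web server access logs in the common combined format, so an administrator can see whether any client already requested a 2.1.1 install's theme.php or feed.php with those parameters before the block was in place. The log lines are constructed samples using documentation addresses; the query-string match is on the parameter names ix and iz rather than the raw substrings, so an unrelated parameter such as fix=1 is not flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the WordPress.org announcement: the two files that
# were modified in the tampered 2.1.1 package and the query-string markers
# hosts are asked to block.
SUSPECT_FILES = ("theme.php", "feed.php")
SUSPECT_PARAMS = ("ix", "iz")

# Apache/nginx "combined" access-log layout: client, identd, user, [time],
# "METHOD target protocol", status, ... (only the fields we use are named).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> list[str]:
    """Return the indicators that one request target (path plus query) matches."""
    parts = urlsplit(target)
    hits = []
    basename = parts.path.rsplit("/", 1)[-1]
    if basename in SUSPECT_FILES:
        hits.append(f"path:{basename}")
    # Match on parameter *names*, so "?fix=1" does not trip the "ix" rule.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in SUSPECT_PARAMS:
        if name in params:
            hits.append(f"param:{name}")
    return hits


def scan_log(lines) -> list[dict]:
    """Parse access-log lines and return one finding per request that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": m.group("status"),
                "indicators": hits,
            })
    return findings


# Constructed sample log (RFC 5737 documentation addresses, invented values).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2007:04:12:01 +0000] "GET /wp-includes/theme.php?iz=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Mar/2007:04:12:09 +0000] "GET /?feed=rss2 HTTP/1.1" 200 8123 "-" "FeedReader/1.0"
203.0.113.5 - - [03/Mar/2007:04:13:44 +0000] "POST /wp-includes/feed.php HTTP/1.1" 200 301 "-" "Mozilla/4.0"
192.0.2.9 - - [03/Mar/2007:04:15:00 +0000] "GET /index.php?p=12&fix=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['time']} {f['method']} {f['target']} -> {', '.join(f['indicators'])}")
```

Run as-is it flags the first and third sample requests; for a real check, pass an opened access log to scan_log. The block the announcement asks hosts to apply is the preventive control; this log check is the complementary detective one, showing which client addresses touched the two files and when, which is what decides whether a site needs more than the upgrade.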

Warning: I checked on the site http://www.wordpress-it.it/ (which handles the Italian localization of WordPress) the date on which they report the Italian WordPress download as available: it does not coincide with the “period of the cracker's activity”. To remove any possible doubt I sent a warning email to the people in charge of Wordpress Italy. I am sure that today or tomorrow they will publish an article explaining what happened.
If you are using the compromised version, you are invited to update Wordpress to release 2.1.2 by following this link.
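The announcement says the download package will from now on be verified externally, and its upgrade advice is to overwrite every old file rather than patch in place. Both come down to one control: comparing the tree you are running against a copy you trust. The script below is an added example, not code from this post or from WordPress; it hashes a trusted unpacked release and an installed site and reports files that differ, are missing, or are not in the release at all. The file contents are constructed placeholders, and the trusted tree is assumed to come from a source independent of the server that served the tampered archive, since a checksum fetched from the same compromised host proves nothing.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(trusted: dict, installed: dict) -> dict[str, list[str]]:
    """Diff an installed tree against the trusted release manifest.

    modified   - present in both, content differs (the tampered-download case)
    missing    - in the release but absent from the install (incomplete overwrite)
    unexpected - on the install but not in the release (an extra file)
    """
    modified = sorted(p for p in trusted if p in installed and trusted[p] != installed[p])
    missing = sorted(p for p in trusted if p not in installed)
    unexpected = sorted(p for p in installed if p not in trusted)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def write_tree(root, files: dict[str, str]) -> None:
    """Fixture helper: materialise {relative path: content} under root (constructed data)."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict[str, list[str]]:
    """Build a constructed trusted release and a constructed altered install, then compare."""
    trusted_files = {
        "wp-includes/theme.php": "<?php // placeholder for the shipped file\n",
        "wp-includes/feed.php": "<?php // placeholder for the shipped file\n",
        "wp-includes/functions.php": "<?php // placeholder, unchanged\n",
    }
    installed_files = dict(trusted_files)
    # The two files the announcement names, altered. CONSTRUCTED: this is not
    # the real injected code, just a differing byte sequence.
    installed_files["wp-includes/theme.php"] += "// CONSTRUCTED: extra line standing in for injected code\n"
    installed_files["wp-includes/feed.php"] += "// CONSTRUCTED: extra line standing in for injected code\n"
    # A file that is not part of the release at all.
    installed_files["wp-content/uploads/extra.php"] = "<?php // CONSTRUCTED: not in the release\n"
    with tempfile.TemporaryDirectory() as trusted_dir, tempfile.TemporaryDirectory() as site_dir:
        write_tree(trusted_dir, trusted_files)
        write_tree(site_dir, installed_files)
        return compare_manifests(hash_tree(trusted_dir), hash_tree(site_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

On a real site, run hash_tree over the unpacked 2.1.2 archive and over the site's wp-includes and wp-admin directories; wp-config.php and wp-content are expected to show up as unexpected because the release does not ship them, so scope the comparison to the directories the release owns. Any entry under modified in wp-includes after a supposedly full overwrite means the overwrite did not take.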

Source: Wordpress Development Blog
