Wordpress 2.1.1 Security Issue

Kees Cook kees at ubuntu.com
Sat Mar 3 15:16:03 GMT 2007


[redirected from security-review ml, which is going away...]

On Sat, Mar 03, 2007 at 01:38:10AM -0600, Rich Johnson wrote:
> Just wondering if this involved the version we currently have in the Feisty 
> repos?
> 
> http://wordpress.org/development/2007/03/upgrade-212/
> 
> It seems somebody gained access and modified the 2.1.1 download, allowing 
> installed 2.1.1 versions to be exploited, allowing remote PHP execution.
> 
> According to Wordpress, SVN downloads were not affected.

I examined this yesterday; it's clean.  The 2.1.1 orig.tar.gz from 
Debian was taken prior to wordpress.org getting broken into.  Based on 
the report, the described backdoor wasn't present.

To avoid (this kind of) confusion, wordpress.org simply declared all of 
2.1.1 as "bad", just to make sure no one had a bad version.

-- 
Kees Cook