
WordPress 2.1.1 contained a trojan horse

If you downloaded WordPress 2.1.1, you likely want to read this advisory and upgrade to 2.1.2 quickly. "This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened. It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file."

WordPress 2.1.1 contained a trojan horse

Posted Mar 3, 2007 21:35 UTC (Sat) by brouhaha (subscriber, #1698) [Link]

I downloaded 2.1.1, but hadn't yet upgraded to it. I just upgraded to 2.1.2. But it would be nice to know the md5sums (or sha1sums) of the correct and the tainted 2.1.1 distributions.

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 3:42 UTC (Sun) by miah (guest, #639) [Link]

This is why checksums should also be accompanied by a cryptographic signature.

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 11:34 UTC (Sun) by rickmoen (subscriber, #6943) [Link]

"miah" wrote:

This is why checksums should also be accompanied by a cryptographic signature.

Exactly so. Note that the main download page doesn't even offer the md5sum, only a tarball or Zip archive. The separate archive page lets you get the md5sums, but you're given no means of verifying their validity; evidently, the developers aren't bothering to sign their releases.

This is the reason why Web apps have been the low-hanging-fruit *ix intrusion vector of choice (aside from phishing and theft of security tokens on compromised hosts) over the last few years -- and why admins should be super-careful about anything they install from upstream tarballs.

Rick Moen
rick@linuxmafia.com

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 18:18 UTC (Sun) by jwb (guest, #15467) [Link]

I don't see how that helps. Do you have a secure out-of-band means to obtain the public key?

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 18:46 UTC (Sun) by intgr (subscriber, #39733) [Link]

No, but changed public keys, or public key fingerprints, on web sites are more likely to be noticed, as a single developer would use the same public key in more than one place.

And if you have already acquired the developer's public key earlier, you can use that to verify subsequent releases, and you don't have to rely on trusting the web site for public key distribution. In addition to that, you can rely on other people who trust the given developer, through the web of trust.

In short, it doesn't solve world hunger, but it would help a lot.
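An added illustration of the two points made above (rickmoen's, that an md5sum hosted beside the tarball gives no means of verifying anything, and intgr's, that a previously acquired public key lets you verify later releases); this is not code from LWN, the commenters or the WordPress project. It uses Go's standard-library Ed25519 in place of the PGP tooling the thread discusses so that it runs offline; the key pair, archive bytes and "extra bytes" are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release: archive, checksum file, and a signature over the checksum file made with a key the download server never holds.
type Release struct{ Archive, Sums, SumsSig []byte }

func checksumLine(archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return []byte(fmt.Sprintf("%x  wordpress-2.1.1.tar.gz\n", sum[:])) // sha256sum-style line
}

// Publish: the developer computes the checksum file and signs it offline.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	sums := checksumLine(archive)
	return Release{Archive: archive, Sums: sums, SumsSig: ed25519.Sign(priv, sums)}
}

// ChecksumOnly is all that a bare md5sum on the download page lets an admin check.
func ChecksumOnly(r Release) bool { return bytes.Equal(r.Sums, checksumLine(r.Archive)) }

// Verify checks the signature with a previously acquired (pinned) key, then the checksum.
func Verify(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, r.Sums, r.SumsSig) {
		return fmt.Errorf("signature on checksum file does not verify")
	}
	if !ChecksumOnly(r) {
		return fmt.Errorf("archive does not match signed checksum")
	}
	return nil
}

// Tamper models an intruder with write access to the download server: archive and unsigned checksum file are rewritten, the signature cannot be.
func Tamper(r Release, extra []byte) Release {
	bad := append(append([]byte{}, r.Archive...), extra...)
	return Release{Archive: bad, Sums: checksumLine(bad), SumsSig: r.SumsSig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair; the real one stays offline
	good := Publish(priv, []byte("constructed stand-in for the tarball bytes"))
	bad := Tamper(good, []byte("constructed extra bytes"))
	fmt.Println(ChecksumOnly(bad), Verify(pub, good), Verify(pub, bad)) // true <nil> signature on checksum file does not verify
}
```

The tampered release passes the checksum-only check because the intruder rewrote the checksum file along with the archive; only the signature check, made against a key obtained before the compromise, catches it.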

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 21:09 UTC (Sun) by jeroen (subscriber, #12372) [Link]

Yes, public PGP servers. Keys can be verified by means of keysigning parties. For example, when I download a kernel from kernel.org, this is signed with a PGP key. That key is signed by a lot of other people, through which I can verify that the key is correct. You can see the trust path from my key to the linux archive key at http://pgp.cs.uu.nl/mk_path.cgi?FROM=AC1E715E&TO=517D...

WordPress 2.1.1 contained a trojan horse

Posted Mar 5, 2007 14:07 UTC (Mon) by marduk (subscriber, #3831) [Link]

As software, WordPress doesn't seem to be shy of security issues itself. Gentoo has masked it completely.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds