47 Comments
- balibones, on 10/12/2007, -0/+20
It's only if you downloaded 2.1.1 in the last 3-4 days.

- streetstealth, on 10/12/2007, -0/+20
That could be. But you know what? I'm actually even more glad I'm using WP now because of this. The team just got hit with pretty much the ultimate security trial by fire and they've dealt with the crisis in a comprehensive and professional manner. If I had any misgivings before, this has solidified my trust in Wordpress and its team and community.
My hat's off to them.

- Knots, on 10/12/2007, -0/+18
glad I forgot that upgrade now...

- pkulak, on 10/12/2007, -1/+16
You have to be wearing sneakers.

- shawnz, on 10/12/2007, -2/+14
archabay: the .tar.gz was modified by the guy days after it was released...
pepper: you can't just "see people" modifying files on a server...

- kelson, on 10/12/2007, -0/+12
I grabbed WordPress 2.1.1 when it was first released, and still have the tar.gz file on my system. I diffed the contents against 2.1.2, and determined two things:
1. The initial release was, indeed, clean. The two files mentioned in the advisory were not modified between the two tarballs.
2. The new release also includes a patch for a cross-site scripting vulnerability discovered earlier this week: http://trac.wordpress.org/ticket/3879
So even if you're certain you got the early, unmodified download, you should upgrade anyway.

- kb0x, on 10/12/2007, -7/+18
"They need to get their ***** together before they release their versions!!!!"
You should ask for your money back.... What's that, it's free?
Well they should at least give you access to the source code so you can make changes yourself..... Oh, they do?
Guess you don't have any reason to complain then. You whinging ***** freeloader.

- fatdog789, on 10/12/2007, -2/+12
So don't update. Most of the updates aren't critical.
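The check kelson describes above (keeping the tarball you downloaded on release day and diffing it file by file against the current one) is the only way a downloader could tell a tampered archive from the clean one, since the tarball name and version did not change. The script below is an added example, not code from this thread or from the WordPress project: it hashes every regular file in two tar.gz archives and reports what was added, removed or changed. The two archives it runs on are constructed in memory with placeholder file bodies (real release trees have hundreds of files), and the two appended lines are the ones quoted later in this thread. As kelson points out, a clean diff only rules out tampering; it says nothing about bugs in the legitimate release, so the upgrade advice still stands.

```python
import hashlib
import io
import tarfile


def archive_digests(tar_bytes: bytes) -> dict:
    """Map every regular file in a tar/tar.gz archive to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks and device nodes
            data = tar.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(known_good: bytes, suspect: bytes) -> dict:
    """Report paths added, removed or changed between a trusted tarball
    (a copy saved before the tampering window) and a suspect one."""
    good = archive_digests(known_good)
    sus = archive_digests(suspect)
    return {
        "added": sorted(set(sus) - set(good)),
        "removed": sorted(set(good) - set(sus)),
        "changed": sorted(p for p in good.keys() & sus.keys() if good[p] != sus[p]),
    }


def build_tarball(files: dict) -> bytes:
    """Construct a gzipped tarball in memory from {path: text}; used here only
    so the example has input to run on without downloading anything."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the release tree. The file bodies are placeholders,
# not WordPress code; only the paths of the two advisory files are real.
CLEAN_FILES = {
    "wordpress/readme.html": "<html>WordPress 2.1.1</html>\n",
    "wordpress/wp-includes/theme.php": "<?php\n// theme helpers (placeholder body)\n",
    "wordpress/wp-includes/feed.php": "<?php\n// feed helpers (placeholder body)\n",
}

# The same tree with the two lines quoted in this thread appended to the two
# files the advisory names; every other member is byte-identical.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["wordpress/wp-includes/theme.php"] += (
    'if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }\n'
)
TAMPERED_FILES["wordpress/wp-includes/feed.php"] += (
    'if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }\n'
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # real use: python3 tarcmp.py good.tar.gz suspect.tar.gz
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            report = compare_archives(a.read(), b.read())
    else:  # demo on the constructed archives above
        report = compare_archives(build_tarball(CLEAN_FILES), build_tarball(TAMPERED_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:8s} {path}")
```

Run against two real archives the script prints one line per differing member; on the constructed input it reports exactly the two advisory files as changed and nothing added or removed, which is the pattern kelson saw between his saved copy and the tampered download.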
- vbguy, on 10/12/2007, -0/+7
You could use the wordpress plugin API (http://codex.wordpress.org/Plugin_API) so you don't have to migrate your changes with every minor update. Alternatively, you can use a differencing program like WinMerge (http://winmerge.org/) to see exactly what has changed.

- manitoba98xp, on 10/12/2007, -0/+7
Indeed, but this was not from the source code repository, but from the release server, which, naturally, does NOT use SVN. Thank you.

- darkfate, on 10/12/2007, -3/+8
I think the word should be urges, not encourages.

- DD32, on 10/12/2007, -0/+4
When people install the WP-Cache plugin more often, I guess.
(But that'd only suppress it for a while; digg would melt that easily even.)

- kelson, on 10/12/2007, -0/+4
Pepper: "Yeah, I meant how do you go in, edit the SVN, and not notice?"
The attacker didn't get into SVN. Just the file on the download server.
nik.com.au: "Also, the download server should have been a separate server"
Judging by the article, the download server *was* a separate server.

- Oubipaws, on 10/12/2007, -2/+5
I would agree - encourages is much too light of a word - upgrading now :)

- Sal4, on 10/12/2007, -1/+3
The security hole, it can burn whole buildings if someone is careless.

- Malcx, on 10/12/2007, -1/+3
Does anyone know the specifics of the vulnerability? (which files are compromised) I downloaded yesterday and have made some fairly heavy modifications to the source files to build it into part of a larger site...
I'd hate to have to re-do all that :-(
EDIT: I've just seen the following paragraph, so it should be fairly easy to work out from that...
>>If you are a web host or network administrator, block access to “theme.php” and “feed.php”,
>>and any query string with “ix=” or “iz=” in it.

- DrGonzo, on 10/12/2007, -3/+4
I second that.

- secureslash, on 10/12/2007, -0/+1
Wordpress team is faster than hackers... LOL, got a nice upgrade.

- Pepper, on 10/12/2007, -6/+7
How does one manage to "sneak in" and change the code, unnoticed?

- kb0x, on 10/12/2007, -4/+5
"So I'm a freeloader for using Wordpress? I apologize for lacking the skills to build a PHP CMS that an entire community of programmers can't even perfect."
You aren't a freeloader for using it, you are a freeloader for complaining about it.
They don't ***** owe you anything. And like you say, you don't have the "skills" to do it yourself, so instead of complaining about the people who create something you are incapable of making yourself and giving it to you for free, you should be ***** grateful.
And as complaints go, that has to be the most cretinous selfish complaint ever.
You are basically saying "wordpress is ***** because the people who make it work too hard to fix bugs and patch holes".
Now suck it up, realize your mistake and apologize to the kind people who let idiots like you use their creation.

- kelson, on 10/12/2007, -1/+2
crazlunatic: Yes, WordPress 2.1 is safe from this one, but there are some minor security holes (mostly cross-site scripting) in 2.1 and the unmodified 2.1.1 release.

- akinder, on 10/12/2007, -2/+2
And kb0x helps prove the point that the OSS community is just a bunch of pricks. Complain about our product? HA, screw you, it's free, you have no right!

- Malcx, on 10/12/2007, -0/+0
This one is quite a heavy customisation/integration - possibly beyond the plugin's ability (don't shoot me down if *anything* is possible, as that's the way it's been done now :-P )
Anyway, for those that just want to fix the code without the upgrade - comment out line 441 in theme.php:

    //if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

and line 149 in feed.php:

    //if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

There is a residual function that is left with each - but this doesn't seem to be called from anywhere else.
NOTE: THE CORRECT FIX would be to upgrade, but if like me that isn't an option, try the above.

- kb0x, on 10/12/2007, -4/+4
All they ask you to do is upload some files. That's all. You don't have to spend 100's of man hours coding it and debugging it. You don't have to test it on multiple versions of PHP. You don't have to test it on different databases.
All they ask you to do is upload the ***** files, you selfish little prick.
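The advisory paragraph Malcx quotes gives hosts a blocking rule (deny theme.php, feed.php and any request carrying ix= or iz=), and his hand patch names the two injected lines and the leftover functions they called. Both translate into checks an administrator would actually run, written below as an added example in Python; it is not code from this thread, from the advisory or from WordPress. `scan_source` flags any line that mentions one of the indicator strings and records whether the line is commented out, so a tree patched the way Malcx did still shows the residual function definitions he mentions. `should_block` is the advisory's rule as a predicate on a request target; in production it would be an equivalent web-server rewrite rule, and the point of parsing the query string instead of substring-matching "ix=" is that a parameter like mix= is not blocked while a URL-encoded name like %69x= still is. The PHP fragments are constructed samples, not file contents from the compromised release.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Names that only the tampered 2.1.1 files contained, per the advisory and the
# two lines quoted in this thread; none of them exist in a clean WordPress tree.
INDICATORS = (
    "get_theme_mcommand",
    "comment_text_phpfilter",
    '$_GET["iz"]',
    '$_GET["ix"]',
)
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}


def scan_source(text: str) -> list:
    """Return one record per (line, indicator) mention in a PHP source file.

    'active' is False when the whole line is commented out with // or #, which
    is what the hand patch in this thread does. The mention is still reported:
    a commented call site means the tampered file is on disk, and the function
    it called is usually still defined a few lines earlier.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        commented = stripped.startswith("//") or stripped.startswith("#")
        for token in INDICATORS:
            if token in line:
                hits.append({"line": lineno, "indicator": token, "active": not commented})
    return hits


def scan_tree(root: str) -> dict:
    """Walk an install directory and scan every .php file; returns {relpath: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                hits = scan_source(f.read())
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def should_block(request_target: str) -> bool:
    """The advisory's host-level rule applied to a request target ('/path?query').

    Blocks any request whose final path component is theme.php or feed.php, and
    any request whose query string carries an ix or iz parameter. Parameter
    names are compared after URL-decoding, so '?%69x=' is caught and '?mix=' is
    not a false positive.
    """
    parts = urlsplit(request_target)
    if os.path.basename(parts.path) in SUSPECT_FILES:
        return True
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(name in SUSPECT_PARAMS for name in params)


# Constructed sample resembling the shape described in the thread: a helper
# definition followed by the injected call site. Not the real file contents.
TAMPERED_SNIPPET = (
    "<?php\n"
    "// placeholder for the rest of theme.php\n"
    "function get_theme_mcommand($mcds) { /* placeholder body */ }\n"
    'if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }\n'
)

# The same sample after the workaround in this thread: the call is commented
# out, the function definition remains.
PATCHED_SNIPPET = TAMPERED_SNIPPET.replace('if ($_GET', '//if ($_GET')


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root:
        for path, hits in scan_tree(root).items():
            for h in hits:
                state = "ACTIVE" if h["active"] else "commented"
                print(f"{path}:{h['line']}: {h['indicator']} ({state})")
    else:
        print("tampered:", scan_source(TAMPERED_SNIPPET))
        print("patched: ", scan_source(PATCHED_SNIPPET))
        for target in ("/wp-includes/theme.php?iz=ls", "/index.php?mix=1"):
            print(target, "->", "block" if should_block(target) else "allow")
```

Run as `python3 wpscan.py /var/www/blog` it prints each indicator hit with its file and line; with no argument it exercises the constructed samples. Blocking theme.php outright also denies legitimate requests to wp-includes/theme.php, which is why the advisory frames the rule as an emergency measure for hosts rather than a fix.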
- nik.com.au, on 10/12/2007, -3/+1
"pepper: you can't just "see people" modifying files on a server..."
Yes you can, with Tripwire (and any other file monitor). Also, the download server should have been a separate server.

- prockcore, on 10/12/2007, -5/+3
"pepper: you can't just "see people" modifying files on a server..."
That's why we use SVN... so you can.

- Pepper, on 10/12/2007, -4/+1
prockcore: Yeah, I meant how do you go in, edit the SVN, and not notice?
I'm not bashing the WP team, I love WP. I'm just saying :)

- blankoboy, on 10/12/2007, -4/+1
Who's to say that this one hasn't been compromised as well? Arg....

- crazlunatic, on 10/12/2007, -4/+1
At the bottom of my screen, it just says Wordpress 2.1.
So I'm safe, right? I got this February 12.

- WildTang3nt, on 10/12/2007, -5/+1
thirded

- cbgaloot, on 10/12/2007, -6/+2
I love hackers when they help make my software safer by finding security holes the original programmers should have prevented.
A family Energy Farm, biodiesel, ethanol and pork chops

- GaffleSnipe, on 10/12/2007, -9/+3
You are completely missing my point and you are being very juvenile in your responses. I'm not complaining about uploading the files. I can do that with ease. Stop pretending that you know what kind of person I am *****. I love the wordpress community and I am very grateful for all of their efforts. Stop putting words in my mouth with your stupid ass assumptions. You need another hobby besides being a know-it-all-comment-jackass.
I can complain about whatever the ***** I want to complain about. Digg is free, and how many of us bitch about the service digg provides? I think it's safe to say a lot, judging by the # of digg feature stories. And what is considered a complaint can, in some cases, be considered feedback.
Now, you can go ahead and call me another vulgar name. It makes you look smart, and the ladies like it I think. (Or maybe it just makes you feel better about yourself)

- blankoboy, on 10/12/2007, -9/+2
This is HUGE news. It's not as if the code in version 2.1.1 was flawed; their official download server had the actual file tampered with by someone and then released for all to download. Major loss of face and credibility for Wordpress folks here.

- jmontez, on 12/10/2007, -8/+1
It's not really that difficult to upgrade. Plus, as fatdog789 (I didn't want to type that--seriously) said, the updates are critical. I know that many people still use WordPress 1.5.

- GaffleSnipe, on 10/12/2007, -8/+1
So I'm a freeloader for using Wordpress? I apologize for lacking the skills to build a PHP CMS that an entire community of programmers can't even perfect.
I guess I'm also a freeloader every time I use Google, because I can't write my own web search script.

- GaffleSnipe, on 10/12/2007, -9/+1
Easy turbo! All I'm saying is they should take a little more pride in their releases. Like checking a billboard for spelling errors before it gets printed. Grow up, will ya.

- Urusai, on 10/12/2007, -13/+4
When will they fix the "WordPress error: site murdered by digg" bug?

- GaffleSnipe, on 10/12/2007, -11/+1
Right, this isn't a crucial update. Since I downloaded 2.1 yesterday. Did you even read the story?

- InsideLine, on 10/12/2007, -19/+3
man, sounds like they should step up their security.

- GaffleSnipe, on 10/12/2007, -24/+6
I'm getting extremely tired of updating wordpress every damn other week. They need to get their ***** together before they release their versions!!!!

- archabay, on 10/12/2007, -22/+2
What about IRC? You can see people on that.

- archabay, on 10/12/2007, -26/+2
The developers were too lazy to check up on the differences before they rolled out the release. Happens to Linux sometimes, but not often.

