Ultimate Tag Warrior and Atom 1.0

If you’re using the latest bleeding-edge SVN version of WordPress with Ultimate Tag Warrior, check your feed’s validity. WordPress is finally getting around to implementing Atom 1.0 instead of sticking with the comparatively ancient Atom 0.3 (even the validator’s support is deprecated).

Unfortunately, due to the way WordPress and UTW work, UTW doesn’t have a way to really know what kind of feed is requested — the hook it registers is called the_category_rss, and it’s called with a parameter that’s either ‘rdf’ or ‘rss’, and sometimes blank.

Even more unfortunate is that the_category_rss is called when an Atom feed is requested. UTW happily inserts the hardcoded <dc:subject> tags into the feed, and since that’s been superseded by <category> in Atom 1.0, and WordPress doesn’t declare the Dublin Core namespace anymore, your feed has just become invalid. Fix after the jump.
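To make the failure concrete, here is an added illustration (not UTW’s or WordPress’s code) of what the hook described above does to an Atom 1.0 entry, next to a type-aware variant. The feed skeletons, the tag names and the `'atom'` parameter value are constructed for the example; the post only documents ‘rdf’, ‘rss’ and blank. The point it shows: a `dc:` prefix in a document that never declares the Dublin Core namespace is not merely invalid Atom, it is not well-formed XML, so a parser rejects the whole entry.

```python
# Added illustration (not UTW's or WordPress's code): why a hook that always
# emits <dc:subject> breaks an Atom 1.0 feed, and the type-aware alternative.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ATOM_NS = "http://www.w3.org/2005/Atom"
DC_NS = "http://purl.org/dc/elements/1.1/"


def naive_hook(tags, feed_type):
    """Behaviour the post describes: <dc:subject> regardless of feed type."""
    return "".join("<dc:subject>%s</dc:subject>" % escape(t) for t in tags)


def type_aware_hook(tags, feed_type):
    """Assumed fix: choose markup per feed type, emit nothing when unknown.

    feed_type mirrors the the_category_rss parameter ('rdf', 'rss', blank);
    'atom' is an assumed extra value a fixed caller would pass.
    """
    if feed_type == "atom":
        return "".join('<category term="%s"/>' % escape(t, {'"': "&quot;"})
                       for t in tags)
    if feed_type in ("rss", "rdf"):
        return naive_hook(tags, feed_type)
    return ""  # blank/unknown: never guess, invalid XML is worse than no tags


def atom_entry(tags, hook):
    """Constructed minimal Atom 1.0 entry with no Dublin Core declaration."""
    return ('<entry xmlns="%s"><title>post</title>%s</entry>'
            % (ATOM_NS, hook(tags, "atom")))


def rss_item(tags, hook):
    """Constructed RSS 2.0 item that does declare the dc: prefix."""
    return ('<item xmlns:dc="%s"><title>post</title>%s</item>'
            % (DC_NS, hook(tags, "rss")))


def atom_terms(xml_text):
    """term attributes of Atom <category> children, or None if not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:  # e.g. 'unbound prefix' for an undeclared dc:
        return None
    return [c.get("term") for c in root.findall("{%s}category" % ATOM_NS)]


def dc_subjects(xml_text):
    """Text of dc:subject children, or None if not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [c.text for c in root.findall("{%s}subject" % DC_NS)]


if __name__ == "__main__":
    tags = ["php", "wordpress"]
    print("naive hook in Atom:     ", atom_terms(atom_entry(tags, naive_hook)))
    print("type-aware hook in Atom:", atom_terms(atom_entry(tags, type_aware_hook)))
    print("naive hook in RSS:      ", dc_subjects(rss_item(tags, naive_hook)))
```

Run it and the first line prints `None`: the parser stops at the unbound `dc:` prefix, which is exactly the symptom the validator reports. The same `<dc:subject>` inside an RSS item that declares the namespace parses fine, which is why the bug only surfaces once the Atom template drops the declaration.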

Upgrade to WordPress 2.1.2 now

Update: The announcement is out. The important part is:

[…] a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file […]

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.

This is the kind of thing you don’t want to happen to anyone.
Kudos to the WordPress guys for their quick reaction.

Original entry below.


The following mail was just posted to the WordPress mailing lists, as a reaction to this security advisory. There are multiple XSS vulnerabilities in WordPress <= 2.1.1 — inserted by a cracker — and an upgrade is urgently recommended.

Subject: Upgrade to 2.1.2
From: Matt Mullenweg m at mullenweg.com
Date: Fri Mar 2 19:41:35 GMT 2007

Hello everyone.

If anyone is running 2.1.1, or knows someone who is, I would recommend
upgrading to 2.1.2 as soon as possible. It is now available at
http://wordpress.org/download/

The md5 of the tar.gz is b1ae0c152e60300cba8c40c030baafd4.

No announcement quite yet, but coming soon. Thanks for your help.

Read the full announcement on wordpress.org.
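Since the compromise was a swapped download file rather than a change in Subversion, the practical check is the one the mail already hints at: compare the archive’s digest with the value published through a separate channel before extracting it. The following is an added example, not WordPress’s own tooling; the expected digest is the one quoted in the mail above, and the sample bytes in the test are constructed. MD5 is not collision-resistant, so this detects a substituted file only when the digest itself came from a source the attacker could not edit, which is why the mailing-list post rather than the download page is the reference here.

```python
# Added example (not WordPress's own tooling): verify a downloaded archive
# against a digest published out-of-band, such as the md5 in the mail above.
import hashlib
import hmac
import io

# Digest for the 2.1.2 tar.gz, as quoted in the mailing-list post above.
WP_2_1_2_TARGZ_MD5 = "b1ae0c152e60300cba8c40c030baafd4"


def md5_hex(stream, chunk_size=1 << 16):
    """Hex MD5 of a binary stream, read in chunks so large archives fit in memory."""
    h = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, expected_hex):
    """True only if data's MD5 equals expected_hex (case-insensitive, constant-time)."""
    actual = md5_hex(io.BytesIO(data))
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_file(path, expected_hex):
    """Same check for a file on disk; refuse to extract anything that fails it."""
    with open(path, "rb") as f:
        return hmac.compare_digest(md5_hex(f), expected_hex.strip().lower())


if __name__ == "__main__":
    import sys
    # usage: python verify.py wordpress-2.1.2.tar.gz
    ok = verify_file(sys.argv[1], WP_2_1_2_TARGZ_MD5)
    print("OK" if ok else "MISMATCH: do not extract")
    sys.exit(0 if ok else 1)
```

A non-zero exit on mismatch lets the check sit in front of `tar` in a script, so a bad archive never gets unpacked over a live install.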