Upgrade to WordPress 2.1.2 now

Update: The announcement is out. The important part is:

[…] a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file […]

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.

This is the kind of thing you don’t want to happen to anyone.
Kudos to the WordPress guys for their quick reaction.

Original entry below.


The following mail was just posted to the WordPress mailing lists, as a reaction to this security advisory. There are multiple XSS vulnerabilities in WordPress <= 2.1.1 — inserted by a cracker — and an upgrade is urgently recommended.

Subject: Upgrade to 2.1.2
From: Matt Mullenweg m at mullenweg.com
Date: Fri Mar 2 19:41:35 GMT 2007

Hello everyone.

If anyone is running 2.1.1, or knows someone who is, I would recommend
upgrading to 2.1.2 as soon as possible. It is now available at
http://wordpress.org/download/

The md5 of the tar.gz is b1ae0c152e60300cba8c40c030baafd4.

No announcement quite yet, but coming soon. Thanks for your help.

Read the full announcement on wordpress.org.
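
Since the incident was a modified download file, checking the archive against the digest from the mail above is worth doing before unpacking it. The following is an added example, not code from the original post or from the WordPress project; the archive file name is an assumption, and accepting SHA-1 and SHA-256 digests goes beyond the MD5 the mail gives. The check only helps when the digest arrives through a channel other than the download server itself, as the mailing-list post did.

```python
import hashlib
import hmac
import string
import sys

# Digest published in the mailing-list post quoted on this page.
WORDPRESS_2_1_2_MD5 = "b1ae0c152e60300cba8c40c030baafd4"

# Hex digest length -> hashlib algorithm name (generalisation beyond MD5).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so large archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return True only if the file matches the published digest."""
    expected = published_hex.strip().lower()
    if any(c not in string.hexdigits for c in expected):
        raise ValueError("published digest is not hexadecimal")
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        raise ValueError("unrecognised digest length: %d" % len(expected))
    return hmac.compare_digest(file_digest(path, algo), expected)


if __name__ == "__main__":
    # Usage: python verify_download.py wordpress-2.1.2.tar.gz [digest]
    # The file name is an assumption; pass whatever you downloaded.
    archive = sys.argv[1]
    digest = sys.argv[2] if len(sys.argv) > 2 else WORDPRESS_2_1_2_MD5
    ok = verify_download(archive, digest)
    print("OK" if ok else "MISMATCH: do not install this archive")
    sys.exit(0 if ok else 1)
```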