Martin @ Blog

software development and life.

WordPress source compromised

It seems that the source code package of WordPress 2.1.1 was compromised by a hacker. Some files, mainly related to RSS feed generation, were injected with code that opens a backdoor. Obviously, this left a large number of weblogs vulnerable. The cracker got user-level access to the WordPress download server and changed the download of version 2.1.1. The Subversion repository wasn’t compromised, and neither were older versions. So if you’re using version 2.1.1, you should upgrade to version 2.1.2. Not all downloads of 2.1.1 are vulnerable, but the developers are not sure when the crack happened.

This made me wonder why they don’t provide MD5 sums for the download package. That way, it could be detected much earlier that the download was compromised. In the discussion on the mailing list, nobody came up with this idea.
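As an added example (not code from this post or from the WordPress project), here is one way to run such a check: hash every file in the downloaded archive and compare it against a reference copy obtained from somewhere other than the download server, such as an export of the repository. It uses SHA-256 in place of MD5 and compares per file, so the report names the files that differ; the archive contents and file names below are constructed for the demonstration.

```python
import hashlib
import io
import tarfile


def manifest(archive_bytes):
    """Map each regular file in a .tar.gz archive to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare(trusted, candidate):
    """Return paths that were modified, added or removed relative to `trusted`."""
    modified = sorted(p for p in trusted if p in candidate and trusted[p] != candidate[p])
    added = sorted(p for p in candidate if p not in trusted)
    removed = sorted(p for p in trusted if p not in candidate)
    return {"modified": modified, "added": added, "removed": removed}


def build_archive(files):
    """Build an in-memory .tar.gz from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a reference tree (e.g. exported from the repository)
# and the archive as fetched from the download server. Names are hypothetical.
REFERENCE = build_archive({
    "pkg/index.php": b"<?php echo 'home';",
    "pkg/feed.php": b"<?php echo 'rss';",
})
DOWNLOADED = build_archive({
    "pkg/index.php": b"<?php echo 'home';",
    "pkg/feed.php": b"<?php echo 'rss'; /* altered line (placeholder) */",
})

if __name__ == "__main__":
    print(compare(manifest(REFERENCE), manifest(DOWNLOADED)))
```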

Power supply
As I may have mentioned earlier on my weblog, the power supply of my server died a few weeks ago. The part was only four months old, so it was covered under warranty. I sent it to the shop where I bought the thing (Alternate) and got a replacement power supply in about two weeks. Unfortunately, they required me to include all the accessories with the power supply. Because I bought the PSU along with a casing for my server, I wasn’t sure which accessories belonged to the PSU and which were part of the casing. So, I included a 24-pin-to-20-pin converter for connecting the PSU to older mainboards. That turned out to be a mistake, because that part didn’t belong to the PSU and the new PSU I received didn’t include such a converter. That was a bit of a problem, because I needed such a thing. Shops generally charge 5 to 10 euro for such a small thing (it is only a few wires with two connectors…). I decided to send an e-mail explaining the situation, and two days later I got a new converter in the mail, for free. That’s good service if you ask me.
