WordPress 2.3.3 was released with the following announcement:

"WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog."

http://wordpress.org/development/2008/02/wordpress-233/

Upstream bug report: http://trac.wordpress.org/ticket/5313

Some PoCs are already available publicly: http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
This is being actively exploited. My F8 server running 2.3.2 was hit by a spammer using this hole today.
Building new packages for F-7, F-8, -devel. Will push as security updates as soon as they complete.
Thanks. I was about to do that myself when I found you'd already started.
Packages rebuilt, awaiting security team approval for final push to stable repos.
John: You submitted the update for testing. I will assume that you meant it for stable and push it there.
Oh, pardon me, I lied above :} Approved though.
wordpress-2.3.3-0.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.3.3-0.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.