
Wordpress Cross-Site Scripting Vulnerabilities

Posted October 4th, 2004. Filed under Uncategorized

Read here. I must admit it’s a real shame these hackers don’t contact the developers a few days before making the announcement.
Thankfully we’ve never had that problem with Serendipity.

Secunia Advisory

Update: It appears the WordPress developers WERE contacted before the announcement; check out http://www.securityfocus.com/archive/1/376766
“There is not any solution yet. I contacted Matthew Mullenweg, one of the lead developers of wordpress, on Wednesday but I did not receive any answer until yet.”


2 Responses so far

  1. Ben Ramsey says:

    Thanks, Tom, for the advisory. I just upgraded my blog to Wordpress 1.3-alpha4 (from CVS). I hope that it contains the update included in the Wordpress 1.2.1 release that the developers at WP seem to have quickly put out to repair the vulnerabilities.

  2. Matt says:

    As I said in the dev blog post about it, I never received an email regarding any security issues when he claimed. I did get an email for a separate issue a little later but from a different person. Too bad, but it happens.
