Domain: wordpress.org
Stories and comments across the archive that link to wordpress.org.
Comments · 193
-
Re:Swiss Army knife
I assume you've never used WordPress based on the ignorance of your comment:
It relies on a series of modules, (plug-ins), published all over the internet-- no central repository, no security review, no consistency, *truly* spaghetti code in the sense hated above.
Drupal does absolutely nothing out of the box without using a module. Absolutely nothing. As for a central repository, maybe you'd care to check: http://wordpress.org/extend/plugins/about/svn/ Which is... a central repository for plugin code.
It has no user permissions system, whereas Drupal follows the *nix perms model-- a model, even a small three-person auto parts shop, may very quickly find they need.
WordPress has, built in, a role based permission system. Which, last time I checked, is EXACTLY what drupal uses. Next complaint?
Oh, by the way: SEO sucks in WordPress. The whizbang effects are a lot of flashy, and not much usability. Social network integration? You're kidding, right?
Again, you are severely misinformed. WordPress comes with permalink functionality out of the box. It doesn't require a module like drupal does. Additionally, there are a number of truly excellent SEO plugins for WordPress, used by literally millions of people: http://wordpress.org/extend/plugins/all-in-one-seo-pack/ If you don't like the WordPress whizbang effects, please don't feel obligated to use them. At least wordpress has SOMETHING built in without having to install an admin module. My clients tend to appreciate the intuitiveness and simplicity of the built in wordpress admin. If they want something more complex I use custom content types. If they want something more complex still, I use a custom admin. How would you handle that in drupal, exactly?
-
Re:Gotta say, they picked a good one
Question from non-blogger:
Why do you need special software like WordPress? Why can't you just use standard MS Word or WordPerfect, convert it to HTML, and publish it online?
Maintaining a Wordpress-style blog in Word or Wordperfect would be a nightmare. Sure, you could do a single page, but updating it would quickly become a nightmare. A purpose-built tool like Wordpress also allows access from mobile phones. Also, do you want to allow people to post comments on your blog? Have fun getting that to work with Word. Take a peek, you'll realize that, like most things, there is more to it than there seems.
http://codex.wordpress.org/WordPress
Disclaimer: I am not a Wordpress user, but I am related to one. -
Re:And this folks...
You think the FSF actually "determined" something?
Well, yes. A lot of lawyers contribute to the FSF's position on these things, and they have professional opinions on what they believe the correct reading of the law is. So does the SFLC, which agrees with the FSF here. This position might differ from a court's opinion: that remains to be seen.
It is much more likely that they are grasping at straws trying to come up with anything that supports their position, because their idea of a derivative work has no trace in statutory or case law, at least in the United States.
Are you a lawyer, or can you cite any statements by lawyers to this effect? If not, why should anyone take your word over that of the lawyers employed by the FSF and SFLC?
In fact the case law runs in the _opposite_ direction, holding (for example) that technical interfaces are not protectable by copyright (cf. Baystate v. Bentley Systems (1997)).
Which is a district court case, thus not binding precedent anywhere. The arguments presented to it were likely different from the ones that would be presented in a GPL case, too.
But most important, it doesn't really cover the same issue. At stake there was the similarity of two programs that were meant to read the same data format. The court concluded that there was no copyright infringement, because any similarity (including the use of identical data structures) was a necessary result of the fact that they had to accomplish the same function, so it was permitted under the merger doctrine.
A plugin is something totally different. A plugin's sole purpose is to incorporate into the larger work; it has no function without it. Yes, given that it's a plugin, it has no choice but to use the larger program's APIs. But (the argument goes) the mere fact that it's a plugin, that it's designed to do nothing but be combined with the larger work, makes it derivative. The fact that the programs call functions from one another is not the violation in itself, it's just the evidence that they're tightly coupled and so form a single work when combined.
And if they are not grasping at straws, how is it that the FSF website has no trace of a legal argument on the subject?
I don't know. Why don't you ask them? I've sent an e-mail to licensing@fsf.org, and I'll let you know what the response is. I'm speculating here, but maybe they don't want to present their arguments publicly lest their enemies have time to pick them apart and prepare good counter-arguments. When it comes to court, the FSF et al. will certainly volunteer to help the GPL side, and at that point they can present novel arguments that the other side won't be prepared for. Lawyers tend to be secretive about everything, as far as I've seen.
Whatever the case may be, and however biased or optimistic or secretive the FSF is, I'll still take the opinions of lawyers over those of non-lawyers any day. And it's not just the FSF's lawyers, by the way – as this very article's summary says, the lawyers that Matt Mullenweg contacted agreed. He spoke with the SFLC, and he published their response. Excerpt:
The PHP elements, taken together, are clearly derivative of WordPress code. The template is loaded via the include() function. Its contents are combined with the WordPress code in memory to be processed by PHP along with (and completely indistinguishable from) the rest of WordPress. The PHP code consists largely of calls to WordPress functions and sparse, minimal logic to control which WordPress functions are accessed and how many times they will be called. They are derivative of WordPress because every part of them is determined by the content of the WordPress functions they call. As works of authorship, they are designed only to be combined with WordPress into a larger work.
-
Software Freedom Law Centre analysis
-
Re:So ... WordPress should use the PHP License?
Wordpress is licensed under GPL version 2. What version of the GPL faq are you quoting? It doesn't seem to match the version I found. Take a look at my quote of it below, especially the first paragraph and the last sentence in the second paragraph (the emphasis in bold is mine).
The GPL permits anyone to make a modified version and use it without ever distributing it to others. What this company is doing is a special case of that. Therefore, the company does not have to release the modified sources.
It is essential for people to have the freedom to make modifications and use them privately, without ever publishing those modifications. However, putting the program on a server machine for the public to talk to is hardly "private" use, so it would be legitimate to require release of the source code in that special case. We are thinking about doing something like this in GPL version 3, but we don't have precise wording in mind yet.
-
Re:I like their commercials
No, it's a weakness of Wordpress AND weak passwords. Honestly, why is everyone all up in arms when a bunch of n00bs that don't know anything about site administration and security click on the one-click install of wordpress and think it's an appliance because they are too damn cheap to buy wordpress hosting that has a team behind it making sure the stuff is updated and secure?
This is as much GoDaddy's fault as a drunk driver's crash is Ford's fault.
If you want a blog and not to be a site admin, then get it from http://wordpress.org/hosting/ and not worry about it. Otherwise don't come whining because you went for the lowest-dollar hosting and are surprised that the cheap guy is not going to update your software for you.
That's funny you post that link. Maybe you should visit it yourself, as it has a link to GoDaddy as approved wordpress hosting.
-
Re:Biggest iPad Limitation: No HTML Editing
-
Leading by example
One word: http://autonomo.us/
Ok, well, two: http://www.opendefinition.org/ossd/
http://wordpress.org/ http://status.net/ and http://drupalgardens.com/ are already leading by example.
-
Re:Sure, the web browsing may be snappy...
http://wordpress.org/extend/plugins/wptouch/ might be what you're looking for. It's a plugin which automatically handles most mobile devices for Wordpress.
-
slow news day
A quick search of the wordpress plugins directory shows over 500 twitter related plugins so this is news because?
-
Try Wordpress
Why not just use wordpress & download some of their comment plugins like the Spell Checker plugin? We are looking to make the switch to this CMS for a number of sites (Cup of Comfort is one, which offers story review services, a cool ongoing story contest, and writing webinars).
-
That isn't Open Source under the OSI definition
either. No free redistribution, derived works, or anything. Just because the source code is available doesn't make something open source.
And only OSI can define what open source is?
- S: (adj) open-source (of or relating to or being computer software for which the source code is freely available)
- "Open source is simply programming code that can be read, viewed, modified, and distributed, by anyone who desires. WordPress is distributed under an open source GNU General Public License (GPL)."
- Open Source: "Software whose source code is published and made available to the public, enabling anyone to copy, modify and redistribute the source code without paying royalties or fees. Open source code evolves through community cooperation. These communities are composed of individual programmers as well as very large companies. Some examples of open source initiatives are Linux, Eclipse, Apache, Tomcat web server, Mozilla, and various projects hosted on SourceForge and elsewhere."
- "What is open source, and what is the Open Source Initiative?"
While the term "open source" was coined by the Open Source Initiative, source code was open, visible to see, study, and modify as early as the 1960s. The hackers of the Tech Model Railroad Club at MIT in the '60s were posting their source code on boards for anyone to improve and optimize.
But then again that was before "hackers" was used as a negative word.
Falcon
-
Re:Thats why I use www.SimpleScripts.com
Or rather, they won't.
-
Re:maybe if they used their release notification l
Their software may be shit, but they do have basic features like tag-specific feeds.
-
maybe if they used their release notification list
http://wordpress.org/download/
When you download Wordpress, you're asked for your email address for release notifications. Shame they don't actually use it:
http://wordpress.org/support/topic/230558
What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.
-
the problem with one-click upgrades
...newer versions offer fast and simple one-click upgrades
If wordpress.org is hacked, again, their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.
-
Stupidity
I wonder why somebody would code that part the way they did it. As far as I understand it, they are trying to validate code by blacklisting instead of whitelisting:
(from http://core.trac.wordpress.org/changeset/11798)
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
    die();
If you expect a hash you generated yourself, why don't you test if it preg_matches the spec you used to generate it in the first place? (/^[a-zA-Z0-9]{20}$/ in this case)
Well, that and being naive enough to expect $_GET["key"] to always return a string....
-
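As an added example (not code from the page, the quoted changeset, or WordPress itself), the two validation styles discussed in the comment above side by side: the blacklist sanitiser, which strips disallowed characters and only rejects an empty result, and a whitelist check against the format the key was generated with (/^[a-zA-Z0-9]{20}$/). The function names and the sample inputs are constructed for the demonstration; the array input stands in for a request such as ?key[]=x, which PHP parses into an array rather than a string.

```php
<?php
// Added example, not WordPress code: blacklist sanitising versus whitelist
// validation of a 20-character alphanumeric key.

// Blacklist version, mirroring the quoted changeset: strips characters it does
// not like and only rejects when nothing is left. Returns null in place of die().
function blacklist_key($key) {
    // preg_replace happily accepts an array subject and returns an array,
    // so a non-string $key survives this line unchanged in shape.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return null;
    }
    return $key;
}

// Whitelist version: the input must be a string and must match the exact
// format the key was generated with; arrays, wrong lengths and stray
// characters are all rejected rather than silently repaired.
function whitelist_key($key) {
    if (!is_string($key)) {
        return null;
    }
    if (preg_match('/^[a-zA-Z0-9]{20}$/', $key) !== 1) {
        return null;
    }
    return $key;
}

// Constructed inputs (hypothetical, not taken from any real request).
$inputs = [
    'valid'    => 'A1b2C3d4E5f6G7h8I9j0',          // well-formed 20-char key
    'tampered' => 'A1b2C3d4E5f6G7h8I9j0<script>',  // junk appended to a key
    'short'    => 'abc',                           // wrong length
    'array'    => ['x'],                           // what ?key[]=x becomes in $_GET
];

foreach ($inputs as $label => $value) {
    printf(
        "%-9s blacklist=%s whitelist=%s\n",
        $label,
        json_encode(blacklist_key($value)),
        json_encode(whitelist_key($value))
    );
}
```

Run it with the php command-line binary. The blacklist path returns a non-empty value for all four inputs: the tampered key is quietly rewritten to a 26-character string, "abc" passes, and the array passes because preg_replace returns an array and empty() is false for a non-empty array. The whitelist path returns null for everything except the well-formed key, which is the behaviour the comment argues for.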
Re:Microsoft being less evil
The iPhone doesn't readily allow for home grown apps
Define "home grown" here. You can download the SDK for free (it requires a Mac). You then have to pay $99 to join the developer program in order to be able to offer your software on the App Store or "to share your application with up to 100 other iPhone or iPod touch users with Ad Hoc distribution".
and must be broken to allow any free apps to be used.
Define "free". There are free-as-in-beer apps available for download from the App Store. The WordPress people even claim to offer a free-as-in-speech (and as-in-beer) app for the iPhone.
-
Use Wordpress instead
So I was building a website for a local organization and I decided to use Wordpress, which is generally known as a blogging tool. Installation took a few minutes, browsing through the themes to find something really cool took about an hour. Then I found that when I created a page, it would automatically get added to the top menu. When I added a subpage, it would automatically create a dropdown menu, with the subpage. So not only do you get the best blogging platform out there with Wordpress, you're also getting an easy to use CMS.
-
Re:Open source has been "looked at"
-
Mail2Web and Wordpress
Check out how to post to your wordpress blog using email, or possibly Internet Access Via Email (Get Web Pages) to deliver web pages via HTML-formatted email.
That is all. -
Re:YAWASP for wordpress + other
I forgot to mention these 2 plugins:
SABRE: against spam registrations on your blog ( http://wordpress.org/extend/plugins/sabre)
and
Simple Trackback Validation: a trackback validation tool for wordpress ( http://wordpress.org/extend/plugins/simple-trackback-validation/ ). -
YAWASP for wordpress
There is a well working semi-dynamic plugin for wordpress. It has served me well. It is called YAWASP and you can find it here: http://wordpress.org/extend/plugins/yawasp/. The author also describes the common problems & shortfalls with traditional captcha-like methods.
-
Re:a few ways
I have tried this several times with very discouraging results. I need a particular bit of code -- shouldn't be too difficult, it's a common language and implementation w/ a more or less well known API -- Specifically I am looking for a plugin for mu-wordpress that does authentication via LDAP/Active Directory and is aware of LDAP/AD Groups. There's a plugin that exists but it doesn't care about groups, rather OUs; there's a plugin for the non-multiuser version of WordPress that does exactly this but it fails miserably in the MU version (the author of this version is not contactable and his personal site is broken good and hard). But I'm not a programmer, I do networking and servers and end-user support and mostly security/infrastructure. So I hit up the related sites (the product, mu-wordpress, has forums and a dev community as well as a couple of companies and prominent developers that advertise that they do work for hire etc etc). None of them want anything to do with it. One refers me to another, who says 'we are too busy, but try XXXX' who answers back that they put all their effort into the community project and so cannot. The only thing left to me is to wait and hope that someone does it or learn PHP and how to query AD's LDAP implementation to auth against it.
-
Re:Paper and gasoline-based dinosaurs
You're right. The value proposition that newspapers bring is the investigative reporting. That is why the online presence of a newspaper shouldn't be powered by wordpress.
Any newspaper that wants to get their online presence right just needs to study the NY Times. It's really all about the economics of distribution. Column inches in a paper is expensive. Disk space on a web server is cheap. Use the web site as a searchable archive for all content but run ads on the site to encourage users to subscribe to the print edition. Also give away banner ads as an incentive to companies to advertise in the print edition.
The same holds true for broadcast media and some companies such as NPR and CBS are finally boarding that clue train.
-
Re:THe video sucks
It's also impossible to open source an application you write for the iPhone.
AFAIK at least one application on iPhone has its source code under GPL: http://iphone.trac.wordpress.org/browser You can open source the app you write for the iPhone.
-
Re:Screw Stallman, the AGPL , and Clipperz
Uh, wordpress seems to be doing pretty good, and it's GPL-licensed.
-
Re:MySQL database supremacy
Sadly, there's still the whole WordPress thing -- the darn program was never intended to work with anything other than MySQL at the back end. At one point there was an effort to "port" WordPress to PostgreSQL, but that fork has long since stagnated. And adding support for other databases is not on the WordPress team's short list.
I wouldn't know the actual numbers any better than the next guy, but it's clear that WordPress is one of the top reasons MySQL retains such a dominant market share in the Web segment. Until WordPress adds support for multiple back-ends, MySQL will always be, at minimum, just as entrenched a product as WordPress is.
I hope that Movable Type's recent open-sourcing will eventually help effect more widespread adoption of PostgreSQL. Unlike WordPress, MT was designed from the ground up with forward-thinking features like database abstraction; it currently supports the Berkeley Database format, SQLite, PostgreSQL, and MySQL, and adding support for additional back-ends is relatively easy. Perhaps if Movable Type can chip away at WordPress's market share a bit, it will in turn help relax MySQL's stranglehold on the Web market.
-
Re:FastCGI != Apache Module
Furthermore, FastCGI under IIS (haven't tried with anything newer than 2003r2/IIS6) isn't fully compatible with at least one popular application that I can think of.
http://wordpress.org/support/topic/150672
-theGreater's $0.02. -
Re:Glad to see the update BUT...
Ahhh, here's the associated ticket with the update.php code. It's a long thread, showing a good deal of discussion going on on the subject of the updates. Hardly "slipping in" or "secret".
-
Re:Glad to see the update BUT...
Secrecy? It's an Open Source project. Plugin update checking went into the core in rev 5913 (change committed by Matt, reviewed by at least two other devs with non-commit access to the repo). I'm having a bit of difficulty tracking down the changeset that accounts for the core update code, but I'm assuming it's well in advance of 5913.
-
Re:Surprised/
Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?
This is likely to occur in version 2.3.1. In fact, I'm advocating for just such a change, in true Open Source fashion.
The problem here is less one of malice and more one of poor timing. The WordPress project has been trying to stick to a rigorous, rigid schedule for releases (see: Fedora Project, Ubuntu, etc.) and this issue cropped up about 1.5 days before release. You can argue that the release should have been held up (some on the mail thread did so) to put in this change, but Matt & Co. at Automattic, the ones with the keys to the candy store, decided to hew to the previously agreed-upon timeline.
It's not the decision I would have made, were I the "decider", but it is what it is.
As for me, I'll keep agitating to make it opt-in. -
Re:well
...up front and said themselves right off the bat...
You mean like in the announcement of the 2.3 release where Matt said
Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you what the latest and greatest is you can use.
? (emphasis mine) -
Re:Surprised/
Not true. There are two plugins that explicitly disable this functionality:
disable WordPress version check and disable plugin version check, both of which were mentioned by Matt in the thread above. -
This is SENSATIONALISM (not Sparta)
When I first read the summary, I was a little worried. Then I went and read the actual reply in the WordPress Hackers mailing list Matt posted, and I was relieved. He points out that the blog name and URI has been sent to services like Ping-o-Matic (wordpress-run service) for 4 years now. For those wanting to disable it, he even posts links for plugins that will disable the feature of the 'update checker'. Seems to me this slashdot article was posted by someone who wants to take WordPress down. Here's a part of his post:
Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.
The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:
http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.
I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.
As to what the summary refers to, where Matt suggests a person fork Wordpress:
Moritz 'Morty' Strübe wrote:
> It can.
Your blog URL is completely harmless.
> We only have your word for that. And sorry, that is not enough
> for me. Especially if it does not have to be.
If you don't trust wordpress.org, I suggest you do one of the following:
1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.
Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.
This is making something out of nothing. Definitely nothing to see here, please move along. -
Re:Which is why...
Are you thinking of WordPad (text editor), not Word Press (blog software) ?
-
What Matt wrote
Message-ID:
Date: Sun, 23 Sep 2007 12:35:26 -0700
From: Matt Mullenweg
To: wp-hack...@lists.automattic.com
Subject: Re: [wp-hackers] Plugin update & security / privacy
References:
In-Reply-To:
Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?
Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.
The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:
http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.
I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.
> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
vulnerability.
Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look at plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!
I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to. -
Re:How do you fix it?
Instructions on upgrading WordPress.
This assumes you control where your site is hosted. If it's a WP install provided by your hosting provider, ask them if they're up to date, and if not nag them until they are.
(Now to see if posting AC cancels the mod points I'd already used here.. Ooh, a CAPTCHA!)
HTH, NickFitz.
-
Time to upgrade again
At least the WordPress site offers easy to follow directions.
http://codex.wordpress.org/Upgrading_WordPress
-
Re:Useful? This is damned awesome!
This ticket contains a patch that more or less allows you to use Wordpress blogs with UTF-8 encodings.
-
Is this needed?
This isn't intended to be rude or necessarily dissuade people from buying this book, but doesn't this quote say it all: What is exciting about this tool or blog engine is that even a lay person can easily master its use and get his or her blog up and running in no time. So why exactly would I need to buy a book again? Not to mention this amazing little URL: http://wordpress.org/support/
And oh yes.. I am a Wordpress user. :)
-
What about Wordpress mu?
How does this affect Wordpress mu (multiuser)? http://mu.wordpress.org/
-
Key Details
From the article, and from some comparisons I did on the downloads:
- The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
- Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
- If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
- 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it's worth updating anyway. (diff)
I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.
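The check the comment above did by hand, scripted as an added example (not code from the thread or from WordPress): extract two copies of a release archive and list every path whose contents differ, so a tampered download can be told apart from the copy saved on release day. The archive names and file contents below are constructed stand-ins.

```shell
#!/bin/sh
# Added example: report files that differ between two release tarballs.
# Prints one relative path per line for files that changed, were added,
# or were removed between the first and the second archive.
changed_files() {
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    tar -xzf "$1" -C "$work/a"
    tar -xzf "$2" -C "$work/b"
    # diff -rq emits "Files a/x and b/x differ" and "Only in a/dir: x";
    # the sed expressions reduce both forms to a bare relative path.
    (cd "$work" && diff -rq a b || true) | sed -n \
        -e 's|^Files a/\(.*\) and b/.* differ$|\1|p' \
        -e 's|^Only in [ab]/\{0,1\}\(.*\): \(.*\)$|\1/\2|p' \
        | sed 's|^/||' | sort
    rm -rf "$work"
}

# Build two constructed archives: a clean copy and one with an extra line
# in theme.php standing in for injected code. Prints the directory used.
make_sample_releases() {
    dir=$(mktemp -d)
    mkdir -p "$dir/clean/wp-includes" "$dir/tampered/wp-includes"
    printf '<?php /* feed code (constructed) */\n' > "$dir/clean/wp-includes/feed.php"
    printf '<?php /* theme code (constructed) */\n' > "$dir/clean/wp-includes/theme.php"
    cp "$dir/clean/wp-includes/feed.php" "$dir/tampered/wp-includes/feed.php"
    printf '<?php /* theme code (constructed) */\n/* CONSTRUCTED EXTRA LINE */\n' \
        > "$dir/tampered/wp-includes/theme.php"
    tar -czf "$dir/release-day-one.tar.gz" -C "$dir/clean" .
    tar -czf "$dir/release-later.tar.gz" -C "$dir/tampered" .
    printf '%s\n' "$dir"
}

# Stand-alone demo: expected output is the single line wp-includes/theme.php
sample=$(make_sample_releases)
changed_files "$sample/release-day-one.tar.gz" "$sample/release-later.tar.gz"
rm -rf "$sample"
```

Run it against the archive you saved at release time and a fresh download of the same version; an empty result means the served files are byte-for-byte what you had.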