The current defense the developers are presenting is that the package was revised before any announcement of its availability was made. That’s a straight lie. I have nothing against WP and I’ve been part of this wonderful community for a long time now, but let’s keep the facts straight. I saw the announcement on the WP dev blog very late at night here in Manila, and I downloaded my copy the following morning, around 10AM. The gzipped file that I have does not contain the current fixes to wp-settings.php, and I compared it with another copy I just downloaded. I patched all my sites with the first, incorrect package.
I appreciate the efforts of the developers to keep WP secure, but we need not hide minor issues like this. Issue — I meant the mistake in the package initially provided, not the severity of the vulnerability. The current release should’ve been 18.104.22.168. I was given a false impression that my weblogs are secure, for a few days until I read about this. Next time, let’s be responsible about package and release management, and versioning. And move on. Now back to blogging. ;)