According to the WordPress blog:
It was determined that a cracker had gained user-level access to one of the servers that powers WordPress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP (theme.php and feed.php) to include code that would allow for remote PHP execution.
If you have any questions on this security hole, you can email [email protected].
To patch the security hole, download and install the latest version of WordPress (version 2.1.2) from the WordPress download page, or use the direct download link for the ZIP file.
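After upgrading, it is worth confirming that the two files named in the announcement were actually replaced. The script below is an added example, not code from WordPress or from the original post: it hashes every theme.php and feed.php under the live install and compares each with the file at the same relative path in a freshly extracted clean 2.1.2 copy. Both directory arguments are assumptions you supply, and the clean copy is assumed to come from a source you trust.

```python
import hashlib
import sys
from pathlib import Path

# File names the WordPress announcement says were altered in the 2.1.1 download.
SUSPECT_NAMES = ("theme.php", "feed.php")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_suspect_files(installed_root, reference_root, names=SUSPECT_NAMES):
    """Compare each suspect-named file under installed_root with the file at
    the same relative path under reference_root.

    Returns {relative_path: status}; status is "match", "modified" or
    "not_in_reference" (for example a third-party file with the same name).
    """
    installed_root, reference_root = Path(installed_root), Path(reference_root)
    results = {}
    for path in sorted(installed_root.rglob("*")):
        if not path.is_file() or path.name not in names:
            continue
        relative = path.relative_to(installed_root)
        reference = reference_root / relative
        if not reference.is_file():
            results[relative.as_posix()] = "not_in_reference"
        elif sha256_of(path) == sha256_of(reference):
            results[relative.as_posix()] = "match"
        else:
            results[relative.as_posix()] = "modified"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_wp_files.py <installed dir> <clean reference dir>")
    report = compare_suspect_files(sys.argv[1], sys.argv[2])
    for rel, status in report.items():
        print(f"{status:17} {rel}")
    # Non-zero exit when any suspect file differs from the clean copy.
    sys.exit(1 if "modified" in report.values() else 0)
```

A "modified" result after the upgrade means that file was not overwritten by the clean release and should be replaced and inspected; "not_in_reference" entries need a manual look because the clean copy has nothing to compare them with.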
Update: WordPress 2.2 has been released for download.