A new problem appeared with the 1.2.1 upgrade. I run behind a reverse proxy server, with siteurl set to the public address of the site. With the new 1.2.1 upgrade, code has been added to wp-login with the comment "If someone has moved WordPress let's try to detect it." This code finds that
HTTP_HOST . REQUEST_URI (which are set to the internal names) doesn't match siteurl, and it promptly edits the options database, changing siteurl to the internal name.
This creates the very puzzling behavior that everything looks fine until some user tries to log in, and then not only does the login fail but the site breaks for everyone else until you go into the mysql database and fix things by hand.
Simple solution was to comment this line out of wp-login.php. Getting reverse proxies running properly is hard enough without a too-smart program changing things behind your back! Am I correct this change is meant to be a convenience, and not some obscure security fix?