Your message dated Fri, 24 Feb 2012 11:17:58 +0000
with message-id <e1s0t9y-0000zk...@franck.debian.org>
and subject line Bug#661064: fixed in movabletype-opensource 5.1.3+dfsg-1
has caused the Debian Bug report #661064,
regarding movabletype-opensource: Multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
661064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661064
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: movabletype-opensource
Version: 5.1.2+dfsg-3
Severity: grave
Justification: security
http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html
"5.13, 5.07, and 4.38 address multiple vulnerabilities including:
- OS command injection exists in the file management system, the most
serious of which may lead to arbitrary OS command execution by a user
who has permission to sign in to the admin script and also has
permission to upload files.
- Session hijacking and CSRF exist in the commenting and the community
script. A remote attacker could hijack the user session or could
execute arbitrary script code in the victim's browser under certain
circumstances.
- XSS exists in templates where variables are not escaped properly.
A remote attacker could inject client-side script into web pages
viewed by other users.
- XSS exists in mt-wizard.cgi. This vulnerability was reported by
Trustwave (TWSL2012-003)."
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
--- End Message ---
--- Begin Message ---
Source: movabletype-opensource
Source-Version: 5.1.3+dfsg-1
We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive:
movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
to
main/m/movabletype-opensource/movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
movabletype-opensource_5.1.3+dfsg-1.dsc
to main/m/movabletype-opensource/movabletype-opensource_5.1.3+dfsg-1.dsc
movabletype-opensource_5.1.3+dfsg-1_all.deb
to main/m/movabletype-opensource/movabletype-opensource_5.1.3+dfsg-1_all.deb
movabletype-opensource_5.1.3+dfsg.orig.tar.gz
to main/m/movabletype-opensource/movabletype-opensource_5.1.3+dfsg.orig.tar.gz
movabletype-plugin-core_5.1.3+dfsg-1_all.deb
to main/m/movabletype-opensource/movabletype-plugin-core_5.1.3+dfsg-1_all.deb
movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
to main/m/movabletype-opensource/movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 661...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated movabletype-opensource
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 24 Feb 2012 11:07:02 +0000
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core
movabletype-plugin-zemanta
Architecture: source all
Version: 5.1.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Dominic Hargreaves <d...@earth.li>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description:
movabletype-opensource - Well-known blogging engine
movabletype-plugin-core - Core Movable Type plugins
movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 661064
Changes:
movabletype-opensource (5.1.3+dfsg-1) unstable; urgency=high
.
* New upstream release
- fixes multiple security vulnerabilities (closes: #661064)
Checksums-Sha1:
5c6585d8f17bcbced5c3595a31ebf3b7f34871ce 1575 movabletype-opensource_5.1.3+dfsg-1.dsc
f9d0751da9cd4b089994a55f1f7c22cbf595680e 6153596 movabletype-opensource_5.1.3+dfsg.orig.tar.gz
fa1a8debbf1042414948afd401b4141b4dd0f3f2 30184 movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
d308d27fbe544834c79ea8fc347307b29a6cc550 4031490 movabletype-opensource_5.1.3+dfsg-1_all.deb
42cd24c0a40bca5d6943be97c267431f53636556 170366 movabletype-plugin-core_5.1.3+dfsg-1_all.deb
9df456968c7d98bf952cc8a9855f37041c1398df 16318 movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
Checksums-Sha256:
16094ab4abc21737851f3b914f21152b3f5ea2d8e29a0bb13e81156e0cb6bee8 1575 movabletype-opensource_5.1.3+dfsg-1.dsc
73e8a03eb19d3e0bc9fbe8776501b93e7c1f943d39e346611dddc9f5eeec7a99 6153596 movabletype-opensource_5.1.3+dfsg.orig.tar.gz
804f3cbd11ef34ccac82a32f0e335609de8c2500fe0fdd2ec5088093a63e6ca4 30184 movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
c7a318a8b104dbacfb565575214e888c7f934f8c7f75659b3b54ec6f104c23ce 4031490 movabletype-opensource_5.1.3+dfsg-1_all.deb
b40f68dcf34404d6f005eb7cfd356e85d6ea28b605dbd078c9a74211fdfa5427 170366 movabletype-plugin-core_5.1.3+dfsg-1_all.deb
043a473b42b19e81f5d1dba09194d384722061148ee822b5f855f515bf1db3c6 16318 movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
Files:
ee5941eed06af1d16e42702d4090a994 1575 web optional movabletype-opensource_5.1.3+dfsg-1.dsc
9f80ab7405683105693bdd328c96d599 6153596 web optional movabletype-opensource_5.1.3+dfsg.orig.tar.gz
57b69e2c86fafd4943aa8539f48927c3 30184 web optional movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
ebe9854e35729ba116a7a0117faea7c7 4031490 web optional movabletype-opensource_5.1.3+dfsg-1_all.deb
af9f6c72c363171b364b73f0ea5979b4 170366 web optional movabletype-plugin-core_5.1.3+dfsg-1_all.deb
2014eef927ddd340cfb86c3a7de5af65 16318 web optional movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPR2+iYzuFKFF44qURAvvIAKC9/5VJ6oVuj12RSUbyb5lpdV+/xwCdFOnv
NIsCSpN/SnpuUY620u3pPUM=
=33ka
-----END PGP SIGNATURE-----
--- End Message ---
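The .changes file in the second message publishes SHA-1, SHA-256 and MD5 sums for every uploaded artifact, which is what lets a downstream consumer confirm that the .deb they fetched is the one the maintainer signed. The following is an added example for this thread, not code from the Debian BTS, dpkg-dev or devscripts: it parses a Checksums-Sha256 stanza and verifies a set of files against it. PAGE_STANZA is an excerpt copied from the signed .changes text above; SAMPLE_FILES, build_changes and check_tampering are constructed here so the checker can be exercised offline without the real packages.

```python
"""Verify package artifacts against a Debian .changes Checksums-Sha256 stanza.

Added example; not code from the Debian BTS, dpkg-dev or devscripts.
PAGE_STANZA is an excerpt of the .changes file in the message above.
SAMPLE_FILES and the .changes text built from them are constructed here.
"""
import hashlib
import re

# Excerpt copied from the signed .changes above (Checksums-Sha1 omitted,
# only the first Files: entry kept) to show the real field layout.
PAGE_STANZA = """Format: 1.8
Source: movabletype-opensource
Checksums-Sha256:
 16094ab4abc21737851f3b914f21152b3f5ea2d8e29a0bb13e81156e0cb6bee8 1575 movabletype-opensource_5.1.3+dfsg-1.dsc
 73e8a03eb19d3e0bc9fbe8776501b93e7c1f943d39e346611dddc9f5eeec7a99 6153596 movabletype-opensource_5.1.3+dfsg.orig.tar.gz
 804f3cbd11ef34ccac82a32f0e335609de8c2500fe0fdd2ec5088093a63e6ca4 30184 movabletype-opensource_5.1.3+dfsg-1.debian.tar.gz
 c7a318a8b104dbacfb565575214e888c7f934f8c7f75659b3b54ec6f104c23ce 4031490 movabletype-opensource_5.1.3+dfsg-1_all.deb
 b40f68dcf34404d6f005eb7cfd356e85d6ea28b605dbd078c9a74211fdfa5427 170366 movabletype-plugin-core_5.1.3+dfsg-1_all.deb
 043a473b42b19e81f5d1dba09194d384722061148ee822b5f855f515bf1db3c6 16318 movabletype-plugin-zemanta_5.1.3+dfsg-1_all.deb
Files:
 ee5941eed06af1d16e42702d4090a994 1575 web optional movabletype-opensource_5.1.3+dfsg-1.dsc
"""

# One continuation line of a Checksums-* field: "<hex> <size> <filename>".
CHECKSUM_LINE = re.compile(r"\s*([0-9a-f]+)\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for the named Checksums-* field.

    The field value is a run of indented continuation lines; the next
    unindented line (e.g. "Files:") starts another field and ends the run.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.startswith(field + ":")
            continue
        if not line[:1].isspace():
            break
        m = CHECKSUM_LINE.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        hexdigest, size, name = m.groups()
        if name in entries:
            raise ValueError("duplicate entry for %s" % name)
        entries[name] = (hexdigest.lower(), int(size))
    if not entries:
        raise ValueError("no %s field found" % field)
    return entries


def verify_files(entries, files, algorithm="sha256"):
    """Check size and digest of each file in `files` (filename -> bytes).

    Every name from the stanza and every name in `files` appears in the
    result. A listed file that is missing or mismatched is False; a file
    that is present but not listed is False too, because an extra artifact
    in an upload is as suspicious as a corrupted one.
    """
    results = {}
    for name, (expected_hex, expected_size) in entries.items():
        data = files.get(name)
        if data is None:
            results[name] = False
            continue
        actual_hex = hashlib.new(algorithm, data).hexdigest()
        results[name] = len(data) == expected_size and actual_hex == expected_hex
    for name in files:
        results.setdefault(name, False)
    return results


# Constructed stand-ins for uploaded artifacts; not the real packages.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 1.0\nSource: example\nVersion: 1.0-1\n",
    "example_1.0-1_all.deb": b"!<arch>\ndebian-binary   2.0\n",
}


def build_changes(files):
    """Construct a minimal .changes text whose Checksums-Sha256 matches `files`."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Files:")
    return "\n".join(lines) + "\n"


def check_tampering():
    """Verify the sample set, then a copy with one byte appended to the .deb.

    Returns (all_ok_before, results_after): the appended byte changes both
    the size and the digest, so only the .deb entry flips to False.
    """
    entries = parse_checksums(build_changes(SAMPLE_FILES))
    before = verify_files(entries, SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["example_1.0-1_all.deb"] += b"\x00"
    after = verify_files(entries, tampered)
    return all(before.values()), after
```

The checksums bind the artifacts to the .changes text, but only the OpenPGP signature at the bottom of the message binds that text to the uploader, so a stanza check like this one is meaningful only after the signature has been verified against the Debian keyring. In practice `dscverify` from devscripts does both steps; this script covers only the second.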