On Tue, Jan 08, 2013 at 07:52:25AM +0000, Dominic Hargreaves wrote:
> Package: movabletype-opensource
> Version: 4.3.8+dfsg-0+squeeze2
> Severity: grave
> Justification: remote command execution
> Tags: security patch
>
> ----- Forwarded message from Takeshi Nick Osanai <tosa...@sixapart.com> -----
>
> Date: Tue, 8 Jan 2013 11:26:38 +0900
> From: Takeshi Nick Osanai <tosa...@sixapart.com>
> To: mtos-dev <mtos-...@ml.sixapart.com>
> Subject: [Mtos-dev] Movable Type 4.38 patch to fix a known upgrading security issue
>
> Dear MT community members,
>
> Six Apart has found a security issue and fixed it in Movable Type 4.2 and MT 4.3.
> For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly
> recommends that you upgrade to the latest released version of Movable
> Type or execute the steps written in the entry below.
> This vulnerability does not exist in Movable Type versions 5.0 or
> later, including the latest Movable Type, version 5.2.2.
>
> For more detailed information, please see the entry.
>
> http://www.movabletype.org/2013/01/movable_type_438_patch.html
Hi,

I've pushed a fix for this to git:

http://anonscm.debian.org/gitweb/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=6641bd2f42f5e48ac0a6cd2c0b0ccebea22967cb

Note that much of the patch is whitespace changes, but I thought it would be better to stick with the upstream file rather than trim it back to the meaningful changes, in case of subsequent updates from upstream.

I've tested this code path by installing the lenny version of MT and upgrading it to this package.

Security team, shall I upload to security-master?

It might be useful in a DSA to recommend restricting the mt-upgrade.cgi script to trusted IP addresses, but I don't think it's something we can do by default, as browser access to mt-upgrade.cgi is needed to complete upgrades.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
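The access restriction suggested above (limiting mt-upgrade.cgi to trusted IP addresses) can be expressed as an Apache per-file rule. The following is an added example, not part of the bug report, the Debian package or the upstream patch; the trusted network 192.0.2.0/24, the loopback address and the fact that the script is served by Apache are assumptions, and the two branches cover the squeeze-era Apache 2.2 syntax and the later 2.4 syntax.

```apache
# Added example (not from the bug report or the movabletype-opensource package):
# allow browser access to mt-upgrade.cgi only from trusted source addresses,
# so the upgrade code path is reachable for administrators but not the wider internet.
# 192.0.2.0/24 is a placeholder "trusted admin network"; adjust to your environment.
<Files "mt-upgrade.cgi">
    # Apache 2.4 and later: mod_authz_core is present, use Require directives.
    <IfModule mod_authz_core.c>
        Require ip 127.0.0.1
        Require ip 192.0.2.0/24
    </IfModule>
    # Apache 2.2 (Debian squeeze): fall back to the classic Order/Deny/Allow form.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.0.2.0/24
    </IfModule>
</Files>
```

Drop the block into the virtual host or directory configuration that serves the Movable Type CGI scripts, then reload Apache and confirm from an untrusted address that mt-upgrade.cgi returns 403 while the rest of the application is unaffected. Because the upgrade still has to be completed through the browser, the rule narrows who can reach that step rather than disabling it, which is why it suits a site-specific recommendation rather than a packaged default.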