Debian Bug report logs - #631437
movabletype-opensource: information disclosure vulnerability fixed in 4.37

Package: movabletype-opensource; Maintainer for movabletype-opensource is Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>; Source for movabletype-opensource is src:movabletype-opensource.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Thu, 23 Jun 2011 21:27:06 UTC

Severity: grave

Tags: security

Found in versions movabletype-opensource/4.2.3-1+lenny2, movabletype-opensource/4.3.6.1+dfsg-1, movabletype-opensource/4.3.5+dfsg-2+squeeze2

Fixed in version movabletype-opensource/4.3.7+dfsg-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#631437; Package movabletype-opensource. (Thu, 23 Jun 2011 21:27:09 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. (Thu, 23 Jun 2011 21:27:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: movabletype-opensource: information disclosure vulnerability fixed in 4.37
Date: Thu, 23 Jun 2011 22:25:42 +0100
Package: movabletype-opensource
Version: 4.3.6.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

As reported in:
<http://www.movabletype.org/documentation/appendices/release-notes/512.html>

"Movable Type 5.12, 5.06, 4.37 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. All users must upgrade to the latest release immediately."

"Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system."

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 23 Jun 2011 22:36:10 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Thu, 23 Jun 2011 22:36:10 GMT)

Message #10 received at 631437-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 631437-close@bugs.debian.org
Subject: Bug#631437: fixed in movabletype-opensource 4.3.7+dfsg-1
Date: Thu, 23 Jun 2011 22:33:12 +0000
Source: movabletype-opensource
Source-Version: 4.3.7+dfsg-1

We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive:

movabletype-opensource_4.3.7+dfsg-1.debian.tar.gz
  to main/m/movabletype-opensource/movabletype-opensource_4.3.7+dfsg-1.debian.tar.gz
movabletype-opensource_4.3.7+dfsg-1.dsc
  to main/m/movabletype-opensource/movabletype-opensource_4.3.7+dfsg-1.dsc
movabletype-opensource_4.3.7+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-opensource_4.3.7+dfsg-1_all.deb
movabletype-opensource_4.3.7+dfsg.orig.tar.gz
  to main/m/movabletype-opensource/movabletype-opensource_4.3.7+dfsg.orig.tar.gz
movabletype-plugin-core_4.3.7+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-plugin-core_4.3.7+dfsg-1_all.deb
movabletype-plugin-zemanta_4.3.7+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-plugin-zemanta_4.3.7+dfsg-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 23 Jun 2011 22:53:29 +0100
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core movabletype-plugin-zemanta
Architecture: source all
Version: 4.3.7+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 movabletype-opensource - A well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
 movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 631437
Changes: 
 movabletype-opensource (4.3.7+dfsg-1) unstable; urgency=high
 .
   * New upstream release
     - fixes information disclosure vulnerability (closes: #631437)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

Bug Marked as found in versions movabletype-opensource/4.3.5+dfsg-2+squeeze2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 24 Jun 2011 17:57:20 GMT)

Bug Marked as found in versions movabletype-opensource/4.2.3-1+lenny2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 24 Jun 2011 17:57:23 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:51:20 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:16:05 2014; Machine Name: beach.debian.org
