Your message dated Mon, 05 Oct 2009 19:58:20 +0000
with message-id <[email protected]>
and subject line Bug#537935: fixed in movabletype-opensource 4.2.3-1+lenny1
has caused the Debian Bug report #537935,
regarding CVE-2009-2492: Cross-site scripting (XSS) vulnerability in
mt-wizard.cgi
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
537935: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537935
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: movabletype-opensource
Version: 4.2.3-1
Severity: serious lenny
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for movabletype-opensource.
CVE-2009-2492[0]:
| Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart
| Movable Type before 4.261 allows remote attackers to inject arbitrary
| web script or HTML via unspecified vectors, a different vulnerability
| than CVE-2009-2480.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
This bug is already fixed in testing and unstable.
Please coordinate with the security team ([email protected]) to
prepare packages for the stable releases.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2492
http://security-tracker.debian.net/tracker/CVE-2009-2492
Cheers,
Giuseppe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpmHwwACgkQNxpp46476arVvwCbB0AzXDaq1y+XpL0dTZ8lrqZd
Vv0AoJJwt7NHLYdW7XmtMxoU2LkaTO7s
=HxiA
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: movabletype-opensource
Source-Version: 4.2.3-1+lenny1
We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive:
movabletype-opensource_4.2.3-1+lenny1.diff.gz
  to pool/main/m/movabletype-opensource/movabletype-opensource_4.2.3-1+lenny1.diff.gz
movabletype-opensource_4.2.3-1+lenny1.dsc
  to pool/main/m/movabletype-opensource/movabletype-opensource_4.2.3-1+lenny1.dsc
movabletype-opensource_4.2.3-1+lenny1_all.deb
  to pool/main/m/movabletype-opensource/movabletype-opensource_4.2.3-1+lenny1_all.deb
movabletype-plugin-core_4.2.3-1+lenny1_all.deb
  to pool/main/m/movabletype-opensource/movabletype-plugin-core_4.2.3-1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated movabletype-opensource
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 03 Oct 2009 14:22:47 +0100
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core
Architecture: source all
Version: 4.2.3-1+lenny1
Distribution: stable
Urgency: low
Maintainer: Dominic Hargreaves <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
movabletype-opensource - A well-known blogging engine
movabletype-plugin-core - Core Movable Type plugins
Closes: 537935
Changes:
movabletype-opensource (4.2.3-1+lenny1) stable; urgency=low
.
* Don't allow any access to mt-wizard.cgi by default as it shouldn't
normally be needed and presents an unnecessary security exposure
(closes: #537935)
Checksums-Sha1:
 448e78ae21696d1f90ab1d1ebb2f1b971b70dd30 1217 movabletype-opensource_4.2.3-1+lenny1.dsc
 e3e00b2a2003900a0798befb55b18d166f71397d 20406 movabletype-opensource_4.2.3-1+lenny1.diff.gz
 923dab2013ce3bf7ccbc3557902d079a258b0329 2945186 movabletype-opensource_4.2.3-1+lenny1_all.deb
 459ddb58f40016a579715e8c265cbadf79d62f9e 165848 movabletype-plugin-core_4.2.3-1+lenny1_all.deb
Checksums-Sha256:
 5613b2528256835a1b8c7a8f62e7690a9fbcbfdf168d87f1c8509787b9e97e55 1217 movabletype-opensource_4.2.3-1+lenny1.dsc
 338b7e5f48137178062828460a06f1c4fa7cc7d5e3518cbf7fe9055dfed12624 20406 movabletype-opensource_4.2.3-1+lenny1.diff.gz
 535a34bbf4188845b47c873279ad622dfbffd3b543347f64418d4abcd38c2333 2945186 movabletype-opensource_4.2.3-1+lenny1_all.deb
 1861bd10c10f43f8e7a64e2eb6041054935db0a587d3b0869c862db04081a8d4 165848 movabletype-plugin-core_4.2.3-1+lenny1_all.deb
Files:
 c008838afb7d87f9a097a93ddeefa46c 1217 web optional movabletype-opensource_4.2.3-1+lenny1.dsc
 6a3be000d942d4006e013e5ed30ad9b1 20406 web optional movabletype-opensource_4.2.3-1+lenny1.diff.gz
 409c50114638b4bbe0cb8d159455ace2 2945186 web optional movabletype-opensource_4.2.3-1+lenny1_all.deb
 282da3d01cd9f543ff7d60d59447adb2 165848 web optional movabletype-plugin-core_4.2.3-1+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKx1CWYzuFKFF44qURApfRAKC8LJnf2mQUs95e2PtnAR2ONtIIZACeKgTX
64Y2Ix2CS9a492S6+2zCu1M=
=nLpq
-----END PGP SIGNATURE-----
--- End Message ---
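The lenny1 changelog above says the fix was to stop allowing any access to mt-wizard.cgi by default, since the setup wizard is not normally needed after installation and the vulnerable script is simply not reachable when it is denied. The thread does not show how the Debian package implements that, so the fragment below is an added example written here, not the package's own change: it assumes Apache httpd 2.4 `Require` syntax (the 2.2 equivalent is noted in a comment) and uses `/PATH/TO/mt` as a placeholder for the directory from which the Movable Type CGI scripts are served.

```apache
# Added example, not the movabletype-opensource package's own configuration.
# Deny every request to mt-wizard.cgi, matching the mitigation described in
# the 4.2.3-1+lenny1 changelog: the wizard is only needed during initial
# setup, so leaving it reachable is an unnecessary exposure.
# "/PATH/TO/mt" is a placeholder for the directory that serves the MT CGIs.
<Directory "/PATH/TO/mt">
    <Files "mt-wizard.cgi">
        # Apache 2.4 syntax. On Apache 2.2 use instead:
        #   Order deny,allow
        #   Deny from all
        Require all denied
    </Files>
</Directory>
```

After adding the fragment, run `apachectl configtest` and reload the server; a request for `mt-wizard.cgi` against your own host should now return `403 Forbidden` rather than running the script. If the wizard is ever genuinely needed again (for example to re-run setup), lift the block only for the duration of that task and restore it afterwards, since the deny rule is what keeps the script out of reach regardless of whether a given release has patched its output encoding.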