Re: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update
- From: Kacper Nowak <KacperN@xxxxxxxxx>
- Date: Tue, 22 Jan 2013 13:33:25 +0000
Hello,
This is a duplicate of CVE-2012-6315 submitted by us in December 2012.
Kind regards,
--
Kacper Nowak
Penetration Tester
Sec-1 Ltd
-----Original Message-----
From: Yves-Alexis Perez [mailto:corsac@xxxxxxxxxx]
Sent: 22 January 2013 06:35
To: debian-security-announce@xxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2611-1 security@xxxxxxxxxx
http://www.debian.org/security/ Yves-Alexis Perez
January 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : movabletype-opensource
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-0209
Debian Bug : 697666
An input sanitation problem has been found in upgrade functions of
movabletype-opensource, a web-based publishing platform. Using carefully
crafted requests to the mt-upgrade.cgi file, it would be possible to inject OS
commands and SQL queries.
For the stable distribution (squeeze), this problem has been fixed in version
4.3.8+dfsg-0+squeeze3.
For the testing distribution (wheezy), this problem has been fixed in version
5.1.2+dfsg-1.
For the unstable distribution (sid), this problem has been fixed in version
5.1.2+dfsg-1.
We recommend that you upgrade your movabletype-opensource packages.
Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
http://www.debian.org/security/
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/