
Re: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update
Hello,

This is a duplicate of CVE-2012-6315 submitted by us in December 2012.

Kind regards,

--
Kacper Nowak
Penetration Tester

Sec-1 Ltd


-----Original Message-----
From: Yves-Alexis Perez [mailto:corsac@xxxxxxxxxx] 
Sent: 22 January 2013 06:35
To: debian-security-announce@xxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2611-1                   security@xxxxxxxxxx
http://www.debian.org/security/                         Yves-Alexis Perez
January 22, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : movabletype-opensource
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0209
Debian Bug     : 697666

An input sanitation problem has been found in upgrade functions of 
movabletype-opensource, a web-based publishing platform. Using carefully 
crafted requests to the mt-upgrade.cgi file, it would be possible to inject OS 
commands and SQL queries.

For the stable distribution (squeeze), this problem has been fixed in version 
4.3.8+dfsg-0+squeeze3.

For the testing distribution (wheezy), this problem has been fixed in version 
5.1.2+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in version 
5.1.2+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply these 
updates to your system and frequently asked questions can be found at: 
http://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQ/jMZAAoJEG3bU/KmdcClxhQH/AjkGtmqNV08gRFPbnKvAV/p
ovjbaBwCuXCwnMaYL23GCjxwJ2Ic7/jba/6f/Dnm1g6nr0T+ybbMzCjy5fQtpoQz
Nu5FMN1mfAGDQbmaruDjWcqOOdUBBv0zWAkDMCiEHJvmVyoCQxBM1/Qtrvph6gmM
SJVjd8ZkOrYZVtxEQTwxUw/um/mqKStEhlPYzMBElqYm7zXD2r3L2IrqJZz//8cm
yvYOHHVC7dwvcTgUs7bxBjkYRGTbzbynLOc13s9snOKlF7qE8BkDRuCTSzNH5BBg
wksakOGqmbjS/stTn8SsZc8tI1NHwzumJUTgOKEC7y9GwQbWzmxhw0Q9ZeNPqRo=
=Cn8s
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
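The advisory above gives three fixed versions and asks administrators to upgrade; the check a practitioner actually wants is whether the package version on a given host is already at or past the fixed one. The following is an added example, not part of the advisory, the Debian project's tooling, or Sec-1's reply: a small Python reimplementation of the Debian version ordering (Debian Policy section 5.6.12, the same ordering `dpkg --compare-versions` applies) used to test an installed version string against the fixed versions DSA-2611-1 names. The fixed-version table is copied from the advisory; the function names, the `FIXED_VERSIONS` mapping and the sample installed versions in `main` are assumptions made for this example.

```python
"""Check an installed movabletype-opensource version against DSA-2611-1.

Added example (not Debian's or the advisory's code). Reimplements the Debian
version comparison rules so the check runs on hosts without dpkg as well.
"""
import re
import sys
from itertools import zip_longest

# Fixed versions listed in DSA-2611-1, keyed by suite (from the advisory text).
FIXED_VERSIONS = {
    "squeeze": "4.3.8+dfsg-0+squeeze3",
    "wheezy": "5.1.2+dfsg-1",
    "sid": "5.1.2+dfsg-1",
}

# A version fragment is an alternation of non-digit runs and digit runs.
_RUN = re.compile(r"(\D*)(\d*)")


def _order(c):
    """Sort weight of one character inside a non-digit run (Debian Policy):
    '~' sorts before everything, even the end of the string (""), and
    letters sort before all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _lexcmp(x, y):
    """Compare two non-digit runs character by character using _order."""
    for cx, cy in zip_longest(x, y, fillvalue=""):
        ox, oy = _order(cx), _order(cy)
        if ox != oy:
            return -1 if ox < oy else 1
    return 0


def _verrevcmp(a, b):
    """Compare an upstream_version or debian_revision fragment: non-digit
    runs lexically (modified order), digit runs numerically."""
    for (sa, da), (sb, db) in zip_longest(_RUN.findall(a), _RUN.findall(b),
                                          fillvalue=("", "")):
        r = _lexcmp(sa, sb)
        if r:
            return r
        na, nb = int(da or 0), int(db or 0)  # missing digit run counts as 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, suite):
    """True if the installed version is at or above the DSA-2611-1 fix for suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def main(argv):
    # Usage: check.py <suite> <installed-version>; sample values are constructed.
    suite, installed = (argv + ["squeeze", "4.3.8+dfsg-0+squeeze2"])[1:3]
    verdict = "fixed" if is_fixed(installed, suite) else "VULNERABLE, upgrade"
    print(f"{suite}: installed {installed}, fixed in {FIXED_VERSIONS[suite]}: {verdict}")
    return 0 if verdict == "fixed" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a Debian host the installed version comes from `dpkg-query -W -f='${Version}' movabletype-opensource`, and `dpkg --compare-versions "$installed" ge "$fixed"` gives the same verdict directly; the Python version is useful when the comparison has to run off-host, for example over an inventory export. Note that the tilde rule matters here: a pre-release such as `5.1.2~rc1+dfsg-1` sorts below `5.1.2+dfsg-1` and is correctly reported as not fixed.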
