-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0010
                  movabletype-opensource security update
                              3 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           movabletype-opensource
Publisher:         Debian
Operating System:  Debian GNU/Linux 5
                   Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.debian.org/security/2011/dsa-2263

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running movabletype-opensource check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2263-2                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
December 30, 2011                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : movabletype-opensource
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : not yet available
Debian Bug     : 627936

Advisory DSA 2363-1 did not include a package for the Debian 5.0 'Lenny'
suite at that time. This update adds that package. The original advisory
text follows.

It was discovered that Movable Type, a weblog publishing system,
contains several security vulnerabilities:

A remote attacker could execute arbitrary code in a logged-in user's
web browser.

A remote attacker could read or modify the contents in the system
under certain circumstances.

For the oldstable distribution (lenny), these problems have been fixed in
version 4.2.3-1+lenny3.

For the stable distribution (squeeze), these problems have been fixed in
version 4.3.5+dfsg-2+squeeze2.

For the testing distribution (wheezy) and for the unstable
distribution (sid), these problems have been fixed in version
4.3.6.1+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================