Date: Tue, 22 Jan 2013 13:33:25 +0000
From: Kacper Nowak <KacperN@...-1.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [SECURITY] [DSA 2611-1] movabletype-opensource security update

Hello,

This is a duplicate of CVE-2012-6315 submitted by us in December 2012.

Kind regards,

--
Kacper Nowak
Penetration Tester

Sec-1 Ltd


-----Original Message-----
From: Yves-Alexis Perez [mailto:corsac@...ian.org] 
Sent: 22 January 2013 06:35
To: debian-security-announce@...ts.debian.org
Subject: [Full-disclosure] [SECURITY] [DSA 2611-1] movabletype-opensource security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2611-1                   security@...ian.org
http://www.debian.org/security/                         Yves-Alexis Perez
January 22, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : movabletype-opensource
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0209
Debian Bug     : 697666

An input sanitization problem has been found in the upgrade functions of movabletype-opensource, a web-based publishing platform. Using carefully crafted requests to the mt-upgrade.cgi file, it would be possible to inject OS commands and SQL queries.

For the stable distribution (squeeze), this problem has been fixed in version 4.3.8+dfsg-0+squeeze3.

For the testing distribution (wheezy), this problem has been fixed in version 5.1.2+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in version 5.1.2+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQ/jMZAAoJEG3bU/KmdcClxhQH/AjkGtmqNV08gRFPbnKvAV/p
ovjbaBwCuXCwnMaYL23GCjxwJ2Ic7/jba/6f/Dnm1g6nr0T+ybbMzCjy5fQtpoQz
Nu5FMN1mfAGDQbmaruDjWcqOOdUBBv0zWAkDMCiEHJvmVyoCQxBM1/Qtrvph6gmM
SJVjd8ZkOrYZVtxEQTwxUw/um/mqKStEhlPYzMBElqYm7zXD2r3L2IrqJZz//8cm
yvYOHHVC7dwvcTgUs7bxBjkYRGTbzbynLOc13s9snOKlF7qE8BkDRuCTSzNH5BBg
wksakOGqmbjS/stTn8SsZc8tI1NHwzumJUTgOKEC7y9GwQbWzmxhw0Q9ZeNPqRo=
=Cn8s
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/