Debian Security Advisory
DSA-3183-1 movabletype-opensource -- security update
- Date Reported:
- 12 Mar 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 712602, Bug 774192.
In Mitre's CVE dictionary: CVE-2013-2184, CVE-2014-9057, CVE-2015-1592.
- More information:
Multiple vulnerabilities have been discovered in Movable Type, a blogging system. The Common Vulnerabilities and Exposures project identifies the following problems:
Unsafe use of Storable::thaw in the handling of comments to blog posts could allow remote attackers to include and execute arbitrary local Perl files or possibly remotely execute arbitrary code.
Netanel Rubin from Check Point Software Technologies discovered a SQL injection vulnerability in the XML-RPC interface allowing remote attackers to execute arbitrary SQL commands.
The Perl Storable::thaw function is not properly used, allowing remote attackers to include and execute arbitrary local Perl files and possibly remotely execute arbitrary code.
For the stable distribution (wheezy), these problems have been fixed in version 5.1.4+dfsg-4+deb7u2.
We recommend that you upgrade your movabletype-opensource packages.