-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3183-1                   security@xxxxxxxxxx
http://www.debian.org/security/                      Salvatore Bonaccorso
March 12, 2015                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : movabletype-opensource
CVE ID         : CVE-2013-2184 CVE-2014-9057 CVE-2015-1592
Debian Bug     : 712602 774192

Multiple vulnerabilities have been discovered in Movable Type, a blogging
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2013-2184

    Unsafe use of Storable::thaw in the handling of comments to blog
    posts could allow remote attackers to include and execute arbitrary
    local Perl files or possibly remotely execute arbitrary code.

CVE-2014-9057

    Netanel Rubin from Check Point Software Technologies discovered a
    SQL injection vulnerability in the XML-RPC interface allowing remote
    attackers to execute arbitrary SQL commands.

CVE-2015-1592

    The Perl Storable::thaw function is not properly used, allowing
    remote attackers to include and execute arbitrary local Perl files
    and possibly remotely execute arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 5.1.4+dfsg-4+deb7u2.

We recommend that you upgrade your movabletype-opensource packages.
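The two Storable::thaw entries (CVE-2013-2184 and CVE-2015-1592) describe the same defect: a frozen Perl structure is accepted from the client and rebuilt with thaw(). Storable's own documentation warns that when it rebuilds a blessed object it tries to load the module named by that object's class, so the class name in the blob selects a Perl file to execute from @INC. The following is an added example, not Movable Type code, showing that call site beside a data-only replacement (JSON with a key and type whitelist). The field name, the keys entry_id and parent_id, and the sample blob are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Movable Type code): why Storable::thaw on request data
# is local file inclusion, and what to decode instead.
use strict;
use warnings;
use Storable qw(freeze thaw);
use JSON::PP ();
use MIME::Base64 qw(encode_base64 decode_base64);

# --- vulnerable pattern ---------------------------------------------------
# A hidden form field (constructed sample) carries a base64-encoded frozen
# Perl structure.  thaw() rebuilds whatever the bytes describe, blessed
# objects included; Storable then attempts to load the class named in the
# data (Foo::Bar becomes Foo/Bar.pm searched in @INC), and any DESTROY of
# an already-loaded class runs when the object goes away.  The client chooses
# the class name, so this is the "include and execute arbitrary local Perl
# files" in the advisory.
sub handle_comment_vulnerable {
    my ($field) = @_;
    my $state = thaw(decode_base64($field));   # never do this with client data
    return $state;
}

# --- hardened pattern -----------------------------------------------------
# Round-trip only plain data in a format that cannot name classes or carry
# code, then validate the shape before anything consumes it.
sub encode_state {
    my ($state) = @_;
    return encode_base64(JSON::PP->new->canonical->encode($state), '');
}

sub handle_comment_safe {
    my ($field) = @_;
    my $state = eval { JSON::PP->new->decode(decode_base64($field)) };
    die "malformed comment state\n" unless ref $state eq 'HASH';
    # Whitelist: only the keys the form needs, only as non-negative integers
    # (assumed keys; a real handler lists its own).
    for my $k (keys %$state) {
        die "unexpected key $k\n" unless $k =~ /\A(?:entry_id|parent_id)\z/;
        die "bad value for $k\n"
            unless defined $state->{$k} && $state->{$k} =~ /\A\d{1,10}\z/;
    }
    return $state;
}

# Usage: the safe path accepts what the application itself emitted...
my $field = encode_state({ entry_id => 42, parent_id => 0 });
my $state = handle_comment_safe($field);
print "accepted entry_id=$state->{entry_id} parent_id=$state->{parent_id}\n";

# ...and rejects anything else, here a non-numeric value (constructed).
eval { handle_comment_safe(encode_base64('{"entry_id":"42; drop"}', '')) };
print "rejected: $@" if $@;

# For contrast, the vulnerable path accepts a frozen plain hash just as
# readily as it would accept a frozen blessed object of any class name.
my $legacy = handle_comment_vulnerable(encode_base64(freeze({ entry_id => 42 }), ''));
print "thawed entry_id=$legacy->{entry_id}\n";
```

The point of the hardened form is not that JSON is "safer Storable": it is that the decoder produces only hashes, arrays, strings and numbers, so there is no class name for the deserializer to act on, and the whitelist then rejects any structure the form never produces. Keeping thaw() but wrapping it in checks does not help, because the module load happens inside thaw() before any caller-side check can run.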
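For CVE-2014-9057, the advisory states the injection sits in the XML-RPC interface but gives no detail of the query. The following is an added example, not Movable Type code, showing the generic shape of such a handler: a client-supplied method parameter interpolated into SQL, beside the bound-parameter form. It assumes DBI with DBD::SQLite is installed; the table, columns, method and payload are illustrative and constructed here.

```perl
#!/usr/bin/perl
# Added example (not Movable Type code): an XML-RPC style handler that
# interpolates a client parameter into SQL, next to the placeholder version.
# Assumes DBI and DBD::SQLite; schema and data are constructed for the demo.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE mt_entry (entry_id INTEGER PRIMARY KEY,
                                 entry_blog_id INTEGER, entry_title TEXT)');
$dbh->do("INSERT INTO mt_entry VALUES (1, 1, 'public post')");
$dbh->do("INSERT INTO mt_entry VALUES (2, 2, 'other blog, private')");

# Vulnerable: the parameter from the XML-RPC call becomes query text.  The
# constructed payload "1 OR 1=1" turns a per-blog lookup into a dump of every
# row; other payloads read unrelated tables, and where the driver allows
# stacked statements they can write as well.
sub entries_for_blog_vulnerable {
    my ($blog_id) = @_;
    my $sql = "SELECT entry_id, entry_title FROM mt_entry "
            . "WHERE entry_blog_id = $blog_id";
    return $dbh->selectall_arrayref($sql);
}

# Hardened: the parameter is checked against the type the method accepts and
# then travels as a bound value, so it can never alter the statement.
sub entries_for_blog_safe {
    my ($blog_id) = @_;
    die "blog_id must be a positive integer\n"
        unless defined $blog_id && $blog_id =~ /\A[1-9]\d{0,9}\z/;
    return $dbh->selectall_arrayref(
        'SELECT entry_id, entry_title FROM mt_entry WHERE entry_blog_id = ?',
        undef, $blog_id);
}

my $payload = '1 OR 1=1';
printf "vulnerable handler returned %d rows for '%s'\n",
    scalar @{ entries_for_blog_vulnerable($payload) }, $payload;
printf "safe handler returned %d rows for blog 1\n",
    scalar @{ entries_for_blog_safe(1) };
eval { entries_for_blog_safe($payload) };
print "safe handler rejected payload: $@" if $@;
```

With the two sample rows, the vulnerable handler returns both of them for the payload while the safe one returns the single blog-1 row and dies on the payload. The input check is a second line of defence only; the placeholder is what removes the injection, and it is the change to look for when reviewing a fix of this kind.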
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVAa8VAAoJEAVMuPMTQ89E6aIP/ix6u/0PcbNUQ5hx6onnWhad
I8tZAxLHIfh01+JZbry9MnadnXC11RshnpaztBB82s+ZYVUPq0+wqBsRPm31iRa1
LdjOz/xttoqqqP+wwHbQ/MyGEaDV8KDP/4wWr5TITnQGJjvVW2ZN/ijEHi2G6omg
ow2s2flvvW5UWB/0Jwvr4aD1JU3DH4U29p9KwRRge8ytIJ1d7VMcHBWVaRjSiVfd
2yxwSdp30RMCOy8m7WsiEHssfHY6PNK0tXphE9UOV/bR+ESSmC3DR+n6XxLZHAvY
yGMCkAs/rnomo/skdn1KFEshj+9znT1AzhjyJzrfspujm9nL6WhXgYwEcBtySNnv
JDHd41WXbvRvkg9zXFOwJ/1WTnQsM4e7R0vH94WMNnJbgxJTgUaG7Ym6jv1aiAD5
qFVCBWixdyPWyrXUMRi9tZdYKUIpoyzCakbe6LoLtWlmdk2BzVFBKbp3uHerMbB2
rw1J7rTKq7iILU2b/qVOuDoZGkenndC/EAmyqOuTvjrvKy+wuiY7j0TEbLIvqnDT
mfUJpA7HQMCBcRd5cai06OEh2fM33uHICbyCkxBgUoEFZ/SGx7OXvpDRlLzaSM0Y
RK7zILxn4+igsSigE8g9K4ogn9M8l25wVcefPYSAon/voFdyKMe/NLqI81218nb6
qvErBYcK2WeTFrDeN7Qy
=eA9w
-----END PGP SIGNATURE-----