
Bug#547414: pu: package movabletype-opensource/4.2.3-1+lenny1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Severity: normal

#537935 describes an XSS bug which has been worked around in this new
package. Because I have found it difficult to ascertain the details of
the bug I have chosen to disable the relevant component in the default
configuration (something that should have been done anyway).

I've attached my proposed changes.

Please could you let me know whether this is okay to upload to stable.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Index: debian/postinst
===================================================================
--- debian/postinst	(revision 1477)
+++ debian/postinst	(working copy)
@@ -80,17 +80,19 @@
         fi
     fi
 
-    if [ -x /usr/sbin/apache2ctl -a -z "$2" ]; then
-        db_get movabletype-opensource/reload_apache || true
-        RELOAD="$RET"
-        if [ "$RELOAD" = "true" ]; then
-            if /usr/sbin/apache2ctl configtest 2>/dev/null; then
-                invoke-rc.d apache2 reload || true
+    if [ -x /usr/sbin/apache2ctl ]; then
+        if [ -z "$2" ] || dpkg --compare-versions "$2" lt 4.2.3-1+lenny1~test.2; then
+            db_get movabletype-opensource/reload_apache || true
+            RELOAD="$RET"
+            if [ "$RELOAD" = "true" ]; then
+                if apache2ctl configtest 2>/dev/null; then
+                    invoke-rc.d apache2 reload || true
+                else
+                    echo "apache2 configuration broken, not reloading!"
+                fi
             else
-                echo "apache2 configuration broken, not reloading!"
+                echo "Please manually reload Apache to apply the configuration update"
             fi
-        else
-            echo "Please manually reload Apache to apply the configuration update"
         fi
     fi
 
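Review bot: in the added inner branch the config test is invoked as bare `apache2ctl configtest`, while the guard two lines above checks `/usr/sbin/apache2ctl`; use the same absolute path in both places so the result does not depend on PATH in the maintainer-script environment. Separately, when the reload was declined or the configtest fails, the new mt-wizard.cgi restriction is not active until Apache is reloaded by hand. Both echo messages could say so explicitly, and dropping `2>/dev/null` would show the admin why the configuration is considered broken.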
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 1477)
+++ debian/changelog	(working copy)
@@ -1,3 +1,11 @@
+movabletype-opensource (4.2.3-1+lenny1) UNRELEASED; urgency=low
+
+  * Don't allow any access to mt-wizard.cgi by default as it shouldn't
+    normally be needed and presents an unnecessary security exposure
+    (closes: #537935)
+
+ -- Dominic Hargreaves <dom@earth.li>  Sat, 19 Sep 2009 15:34:58 +0100
+
 movabletype-opensource (4.2.3-1) unstable; urgency=medium
 
   * Urgency medium due to security fixes
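Review bot: the new entry still targets `UNRELEASED`, which must be set to the target distribution before upload, and it records only the mt-wizard.cgi access change. The postinst change (Apache is now also reloaded on upgrades from versions earlier than 4.2.3-1+lenny1~test.2) and the new README.Debian section each deserve a bullet, so that the changelog matches what the diff does.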
Index: debian/movabletype-opensource.apache2
===================================================================
--- debian/movabletype-opensource.apache2	(revision 1477)
+++ debian/movabletype-opensource.apache2	(working copy)
@@ -1 +1,6 @@
 Alias /mt-static /usr/share/movabletype/static
+<Directory /usr/lib/cgi-bin/movabletype>
+  <Files mt-wizard.cgi>
+    Deny from all
+  </Files>
+</Directory>
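Review bot: the added `<Files mt-wizard.cgi>` block has no comment saying why access is denied or where to read about re-enabling it; a one-line comment pointing to README.Debian and bug #537935 would keep an admin from removing it blindly. An explicit `Order deny,allow` ahead of `Deny from all` would also make the intended evaluation visible instead of relying on the default. Note that the rule only covers the script when it is served from /usr/lib/cgi-bin/movabletype.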
Index: debian/README.Debian
===================================================================
--- debian/README.Debian	(revision 1477)
+++ debian/README.Debian	(working copy)
@@ -39,3 +39,18 @@
 mkdir support
 and make sure that this directory is writable by the web server, or
 ln -s /my/writable/support-dir support
+
+MT Wizard
+---------
+
+Please note that mt-wizard.cgi has been disabled in the default
+Apache configuration as it is not normally needed -- configuration is handled
+automatically at package installation time.
+
+If you do need to use it you are strongly advised to restrict access to
+trusted hosts, since there is an unspecified security problem in the
+current version (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537935
+for further details).
+
+If you use Movable Type with other web servers you should take steps
+to protect this script in the same way.
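Review bot: the second added paragraph advises restricting access to trusted hosts but does not say how. Name the configuration file that holds the `<Files mt-wizard.cgi>` block and the directive to change, so the advice is actionable. "unspecified security problem" could also be narrowed to the XSS issue that the cover mail attributes to #537935, and the closing paragraph about other web servers would be more useful if it stated that the script to block is mt-wizard.cgi under the cgi-bin directory.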
