The impact of the vulnerabilities

Under certain circumstances, a user who has "Create Entries" or "Manage Blog" pemissions may be able to read known files on the local file system.

Versions Affected

• Movable Type Open Source 4.x
• Movable Type Open Source 5.x
• Movable Type 4.x ( with Professional Pack, Community Pack )
• Movable Type 5.x ( with Professional Pack, Community Pack )
• Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

• Movable Type Open Source 4.37
• Movable Type Open Source 5.06
• Movable Type Open Source 5.12
• Movable Type 4.37( with Professional Pack, Community Pack)
• Movable Type 5.06( with Professional Pack, Community Pack)
• Movable Type 5.12( with Professional Pack, Community Pack)
• Movable Type Enterprise 4.37
• Movable Type Advanced 5.12

Download

• Download Movable Type Open Source
• Download Movable Type Pro
• Download other packages (including MT5.06)

(What is the difference?)

Installation/upgrade instructions

• Installation guide
• Upgrade guide
• Movable Type 5.12 / 5.06 / 4.37 release notes

Fixed issues

The following issues were fixed in MT5.12.

• 106303 Published URL was changed after upgrading to 5.1x

The following issues were fixed in Movable Type 5.12, 5.06, and 4.37.

• 106307 Permission error when saving custom fields settings without a system administration privilege

The impact of the vulnerabilities

A remote attacker could create, read or modify the contents in the system under certain circumstances.

Versions Affected

• Movable Type Open Source 4.x
• Movable Type Open Source 5.x
• Movable Type 4.x ( with Professional Pack, Community Pack )
• Movable Type 5.x ( with Professional Pack, Community Pack )
• Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

• Movable Type Open Source 4.361
• Movable Type Open Source 5.051
• Movable Type Open Source 5.11
• Movable Type 4.361( with Professional Pack, Community Pack)
• Movable Type 5.051( with Professional Pack, Community Pack)
• Movable Type 5.11( with Professional Pack, Community Pack)
• Movable Type Enterprise 4.361
• Movable Type Advanced 5.11

Download

• Download Movable Type Open Source
• Download Movable Type Pro
• Download other packages (including MT5.051)

(What is the difference?)

Installation/upgrade instructions

• Installation guide
• Upgrade guide

New features and fixed issues

Please see the release notes for new features and fixed issues in Movable Type 5.11, 5.051, and 4.361.

• Movable Type 5.11 / 5.051 / 4.361 release notes
• A new configuration directive DeniedAssetFileExtensions was implemented in Movable Type 5.11, 5.051, and 4.361.
• A configuration directive AssetFileExtensions was implemented in Movable Type 4.361 ( Movable Type 5.01 and later versions already have this feature ).
• Other changes

About Movable Type 5.1

Please see the following links for details.

• What's new in Movable Type 5.1
• Movable Type 5.1 release notes

Movable Type 5.1 includes a lot of feedback, patches and contributions from our community. Thank you very much for all of your help !

Movable Type 4.36 and 5.05 Security Updates

The impact of the vulnerabilities

A remote attacker could execute arbitrary code in a logged-in users' web browser. A remote attacker could read or modify the contents in the system under certain circumstances.

Versions Affected

• Movable Type Open Source 4.x
• Movable Type Open Source 5.x
• Movable Type 4.x ( with Professional Pack, Community Pack )
• Movable Type 5.x ( with Professional Pack, Community Pack )
• Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

• Movable Type Open Source 4.36
• Movable Type Open Source 5.05
• Movable Type Open Source 5.1
• Movable Type 4.36( with Professional Pack, Community Pack)
• Movable Type 5.05( with Professional Pack, Community Pack)
• Movable Type 5.1( with Professional Pack, Community Pack)
• Movable Type Enterprise 4.36
• Movable Type Advanced 5.1

Special thanks to Alfasado, Eldar Marcussen and other reporters for reporting these security issues.

Download

• Download Movable Type Open Source
• Download Movable Type Pro
• Download other packages (including MT5.05)

(What is the difference?)

Installation/upgrade instructions

• Installation guide
• Upgrade guide

To try RC1:

• Downloading beta builds
• Downloading MTOS nightly builds
• Getting the source code from GitHub

Reporting Bugs

Your feedback is important to get Movable Type 5.1 ready for the final release. Without your feedback, it is almost impossible for developers to test the software in all of the various conditions that might occur. So please don't hesitate to create a new case.

• FogBugz: How to report your issue and feedback

We would like to express our deepest sympathy to those who have suffered loss on account of the terrible earthquake in Japan. It is our sincere hope that the afflicted areas may recover at the earliest time. Movable Type team in Japan have been collaborating with several local communities for the past years. Tohoku area is where MTDDC Meetup, this local support project first took place. We will continue our efforts toward the realization of recovery, constantly thinking of the people of Tohoku and neighboring areas.

Here is the release notes for Movable Type 5.1 Beta. The list now includes implemented, fixed and active cases. Please note that minor cases are not listed here, please see FogBugz for all cases.

• Movable Type 5.1 Release Notes ( Beta 3 )

To join the beta test:

• Downloading beta builds
• Downloading MTOS nightly builds
• Getting the source code from GitHub

For more details:

• Introducing Movable Type 5.1
• Movable Type 5.1 Beta manual
• Movable type 5.1 Schedule

Reporting Bugs

Your feedback is important to get Movable Type 5.1 ready for the final release. Please don't hesitate to create a new case.

• FogBugz: How to report your issue and feedback