Date: Thu, 13 Jun 2013 22:50:24 -0500
From: John Lightsey <>
Subject: CVE request: MovableType before 5.2.6

Hi everyone,

The 5.2.6 release of MovableType fixed a vulnerability in the handling
of comments to blog posts. The 'comment_state' parameter is processed by
MovableType's unserialize() function which can be used to send data into

As documented by the perl-security team recently, Storable::thaw is
unsafe to use on untrusted inputs.

The MovableType 5.2.6 release notes document the fix for this
vulnerability as:

"109458 Currently un-used parameters are unintentionally deleted when a
comment is posted"
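
Added example, not part of the original message and not MovableType's code: one way to keep a client-supplied parameter away from Storable::thaw is to carry the state as JSON, which decodes to plain data only, and to verify an HMAC before decoding. The key, the field names and the 4096-byte limit are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added illustration: client-held state as HMAC-authenticated JSON, not Storable.
use strict;
use warnings;
use JSON::PP ();
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Hypothetical server-side secret; load it from protected config in practice.
my $KEY  = 'constructed-demo-key-do-not-reuse';
my $JSON = JSON::PP->new->canonical->utf8;

# Serialize a plain hash to "payload.tag"; JSON carries data only, no objects.
sub pack_state {
    my ($state) = @_;
    my $payload = encode_base64url($JSON->encode($state));
    return $payload . '.' . encode_base64url(hmac_sha256($payload, $KEY));
}

# Constant-time comparison so the tag check does not leak a matching prefix.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the decoded hash, or undef if the token is malformed or tampered with.
sub unpack_state {
    my ($token) = @_;
    return undef unless defined $token && length($token) <= 4096;
    my ($payload, $tag) = $token =~ /\A([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\z/
        or return undef;
    my $expect = encode_base64url(hmac_sha256($payload, $KEY));
    return undef unless ct_equal($tag, $expect);    # verify BEFORE decoding
    my $state = eval { $JSON->decode(decode_base64url($payload)) };
    return ref $state eq 'HASH' ? $state : undef;
}

# Constructed sample: a round trip, then a token with one character altered.
my $token = pack_state({ entry_id => 42, parent_id => 7 });
my $ok    = unpack_state($token);
print "valid token:    entry_id=$ok->{entry_id}\n";
(my $bad = $token) =~ s/\A(.)/$1 eq 'A' ? 'B' : 'A'/e;
print "tampered token: ", (defined unpack_state($bad) ? "ACCEPTED" : "rejected"), "\n";
```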

