Recently in Security Update Category

It's a pleasure to share with you the fact that Six Apart just released Movable Type v7.3.0, a huge step forward both in terms of new, improved, updated functions and security fixes.

Among its many improvements, this release introduces support for PHP v7.4.

Go ahead and secure your Movable Type installation now!

New and Improved functions

  • Add Table in RichText Editor.
  • Enable selecting tasks via run-periodic-tasks
  • Improve not to insert unnecessary line-feed or space in "Convert to Linefeed".
  • Log to STDERR when MT::Util::Log is not set.
  • Add PurePerl Digest::SHA, Digest::MD5 modules for fallback.
  • Log removing a file at rebuilding.
  • Improve the UI of editing category fields in Content Data.
  • Support PHP 7.4
  • Enable DBHost with Oracle.
  • Enable "requiresslreuse=YES" in Content Sync.
  • Add ids of HTML elements in the admin menu.
  • Support Emoji, with utf8mb4 of MySQL / MariaDB.

Updated Functions

  • The default email encoding is changed to UTF-8.
  • Remove DjDT modules used in debug mode.
  • The file list of Content Sync is not included when exporting a site.
  • The first frame of Animation GIF is used as a thumbnail.
  • Remove ezsql.
  • Update ADOdb to 5.20.16
  • Update Smarty to 3.1.31.
  • Update Image::ExifTool to 11.85.
  • Remove some ping update services that were closed.
  • Remove unnecessary method definition in Group feature.
  • Remove unnecessary CSS and JavaScript files.
  • Remove unnecessary codes from a list of templates.

Resolved Issues

Security Fixes and Improvements

  • Fix XSS in __mode=rebuild. (CVE-2020-5575)
  • Fix CSRF in _mode=startrebuild. (CVE-2020-5576)
  • Fix XSS in template list. (CVE-2020-5575)
  • Fix CSRF via Sign-In page. (CVE-2020-5576)
  • Fix not to upload a double extension PHP file. (CVE-2020-5577)
  • Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
  • Fix XSS in _mode=startrebuild. (CVE-2020-5575)

Miscellaneous

  • Unlist some OpenID providers that were obsolete.
  • Fix a class name of validation in form parts.
  • Fix to rebuild category archives correctly when there are two or more category content fields.
  • Fix not to show an alert at creating a site.
  • Fix to remove unnecessary data in MT::ContentType and MT::ContentData even when a site is removed.
  • Fix dialog of rebuilding to be handled in rebuild-pages.
  • Fix an error of MTCanonicalURL with multiple archive mapping.
  • Fix to register object type with long_datasource.
  • Fix to store the status of the checkbox field in Content Data.
  • Fix to update the file information correctly in Content Sync.
  • Fix an error at sorting child sites in the site list of the System.
  • Fix to show "Back" button correctly on internal errors.
  • Fix to apply filters when a Content Type refers to another Content Type which includes multiple text.
  • Fix enabling to replace in text fields created with block editor.
  • Fix style in activity log.
  • Fix to allow single quotation in labels of Content Field.
  • Fix not to show jQuery alerts.
  • Fix the number of tags in Content Type.
  • Fix to add a category when editing Content Data.
  • Fix to store entry preferences when editing Entries.
  • Fix to trigger rebuild at publishing a comment.
  • Fix to insert an image in a template.
  • Adjust the style of error message of thumbnail width in the modal dialog of inserting images.
  • Fix some MT tags in preview mode.
  • Fix sort order of the list of users in system view.
  • Fix to store iframe in embed object of Custom Field.
  • Remove unnecessary spaces in the error message of Database Setting.
  • Fix a validation rule of filter name.
  • Fix to check uniqueness of Role name.
  • Fix to allow the role of "managing web pages" to create a new folder.

Features to be deprecated in the next or future release.

  • Remove OpenID Plugin
  • Remove Crypt code from MT Core.
  • Deprecate MT::Util::perlsha1digest(_hex)
  • Deprecate Update Ping


Please play with it at:
https://www.movabletypedemo.org/v7x/cgi-bin/mt/mt.cgi

Using:
- username: demo
- password: testthis


Enjoy!

Six Apart announced today Movable Type v6.6, a huge step forward both in terms of new and improved functions, updated functions and security fixes.

This release introduces support for PHP v7.4.

New and Improved functions

  • Add Table in RichText Editor.
  • Enable selecting tasks via run-periodic-tasks
  • Improve not to insert unnecessary line-feed or space in "Convert to Linefeed".
  • Log to STDERR when MT::Util::Log is not set.
  • Add PurePerl Digest::SHA, Digest::MD5 modules for fallback.
  • Log removing a file at rebuilding.
  • Support PHP 7.4
  • Enable DBHost with Oracle.
  • Enable "requiresslreuse=YES" in Content Sync.
  • Support Emoji, with utf8mb4 of MySQL / MariaDB.

Updated Functions

  • Remove composer.json and composer.lock from the MT package.
  • The default email encoding is changed to UTF-8.
  • Remove DjDT modules used in debug mode.
  • Update several Perl modules in extlib
  • The file list of Content Sync is not included when exporting a site.
  • The first frame of Animation GIF is used as a thumbnail.
  • Remove ezsql.
  • Update ADOdb to 5.20.16
  • Update Smarty to 3.1.31.
  • Update Image::ExifTool to 11.85.
  • Remove some ping update services that were closed.
  • Remove unnecessary method definition in Group feature.
  • Remove unnecessary codes from a list of templates.

Resolved Issues

Security Fixes and Improvements

  • Fix XSS in __mode=rebuild. (CVE-2020-5575)
  • Fix CSRF in _mode=startrebuild. (CVE-2020-5576)
  • Fix XSS in template list. (CVE-2020-5575)
  • Fix CSRF via Sign-In page. (CVE-2020-5576)
  • Fix not to upload a double extension PHP file. (CVE-2020-5577)
  • Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
  • Fix XSS in _mode=startrebuild. (CVE-2020-5575)

Miscellaneous

  • Unlist some OpenID providers that were obsolete.
  • Fix not to show an alert at creating a site.
  • Fix to update the file information correctly in Content Sync.
  • Fix an error at sorting child sites in the site list of the System.
  • Fix links of DBMS module in mt-wizard.cgi.
  • Fix not to show jQuery alerts.
  • Fix some MT tags in preview mode.
  • Fix sort order of the list of users in system view.
  • Fix to store iframe in embed object of Custom Field.
  • Remove unnecessary spaces in the error message of Database Setting.
  • Fix an item name of pull down menu of cell attribution of Table Feature For TinyMCE.
  • Fix to check uniqueness of Role name.
  • Fix to allow the role of "managing web pages" to create a new folder.

Features to be deprecated in the next or future release

  • Remove TypeKey related modules and functions.
  • Remove Motion Plugin
  • Remove OpenID Plugin
  • Remove Crypt code from MT Core.
  • Deprecate MT::Util::perlsha1digest(_hex)
  • Deprecate Update Ping


Please check it at:
https://www.movabletypedemo.org/v6.5x/cgi-bin/mt/mt.cgi

Using:
- username: demo
- password: testthis


Enjoy!

Six Apart announced today Movable Type v6.3.12, a mandatory security release.

Security Fixes and Improvements

  • Fix XSS in __mode=rebuild. (CVE-2020-5575)
  • Fix CSRF in _mode=startrebuild. (CVE-2020-5576)
  • Fix XSS in template list. (CVE-2020-5575)
  • Fix CSRF via Sign-In page. (CVE-2020-5576)
  • Fix not to upload a double extension PHP file. (CVE-2020-5577)
  • Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
  • Fix XSS in _mode=startrebuild. (CVE-2020-5575)


Go ahead and evaluate it from:

https://www.movabletypedemo.org/v6x/cgi-bin/mt/mt.cgi


Using:
- username: demo
- password: testthis


Enjoy!

On February the 6th, Six Apart launched Movable Type v7.2.0 known also as r.4605.

This release includes two security fixes, as well as many other new, improved and updated functions and resolved issues.

Upgrading to Movable Type v7.2 (r.4605)

NEW AND IMPROVED FUNCTIONS

  • Log the enabling / disabling of a plugin.
  • Add some L10N phrases for European languages.
  • Add heights to multiple-line text custom fields.
  • Log failure of sign-in.
  • Add SVG to ThemeStaticFileExtensions as a default value.
  • Improve performance of mt-feed.cgi
  • Enable inserting div elements into an A element in WYSIWYG.

UPDATED FUNCTIONS

  • Data API is disabled at new installation and creating a new website and blog. No change for the current settings.

MISCELLANEOUS

  • No size set for the Assets which is not supported by MT when importing from WordPress.
  • Remove the template of Technorati Search.
  • The initial value is set to 85 for JPEG image quality.
  • doctype of some themes is changed from XHTML4 to HTML5.
  • Change the titles of image blocks.
  • Change the label of the "text decoration" button in Japanese.

RESOLVED ISSUES

SECURITY FIX AND IMPROVEMENT

  • [XSS] Fix not to execute scripts in block editor.
  • [XSS] Fix not to execute scripts in WYSIWYG editor.

MISCELLANEOUS

  • Fix not to set the format of multiple-line text in ContentType to "None".
  • Fix integration with Category/Folder in CustomFields.
  • Fix to suppress warn 'redefined' in WXRImporter with XML::SAX modules other than XML::SAX::PurePerl.
  • Fix ParserDetails.ini.
  • Fix not to slow Data API with a huge version value.
  • Fix to show options at import WXR.
  • Fix not to remove some category archive files when there are some ContentTypes including a category field.
  • Fix CSS for category name of ContentField.
  • Fix not to show an error at sign-out in Rainier theme.
  • Fix title of SVG of category in an entry.
  • Fix L10N Error in the Mont-Blanc theme.
  • Fix our company name in some themes
  • Fix error in mt-check.cgi occurring without HTML::Entities.
  • Fix to parse Markdown correctly.
  • Fix the HTML of the Primary Menu in Mobile.
  • Fix not to react to pressing "Enter" in IE11.
  • Fix not to show warning in rebuild-pages
  • Fix to update entrymodifiedon at editing statuses in list view.
  • Fix to show the status correctly at Import Sites.
  • Fix the log text of updatecontentdata_status.
  • Fix to use SSL configuration parameters when "SSLVerifyNone 1".
  • Fix to use SSL configuration parameters in SMTP when "SSLVerifyNone 1" or "SMTPSSLVerifyNone 1".
  • Fix not to send an empty email when EmailAddressMain is not set
  • Fix "\U" and "\L" to work in regex_replace attribute.
  • Fix to control whether Page is published or not via page endpoint of Data API.
  • Fix to suppress warn 'used only once: possible typo.'
  • Fix the format of blockquote in editor.
  • Fix the message when XML::Parser is not installed.


Please play with it at:
https://www.movabletypedemo.org/v7x/cgi-bin/mt/mt.cgi

Using:
- username: demo
- password: testthis

Enjoy!

Six Apart did an excellent job with v6.5.x and just launched v6.5.3, a product that introduces many improvements as well as a security fix.

Upgrading to Movable Type v6.5.3

NEW AND IMPROVED FUNCTIONS

  • Log the enabling / disabling of a plugin.
  • Add some L10N phrases for European languages.
  • Add heights to multiple-line text custom fields.
  • Log failure of sign-in.
  • Add SVG to ThemeStaticFileExtensions as a default value.
  • Improve performance of mt-feed.cgi

UPDATED FUNCTIONS

  • Data API is disabled at new installation and creating a new website and blog. No change for the current settings.

MISCELLANEOUS

  • No size set for the Assets which is not supported by MT when importing from WordPress.
  • Remove the template of Technorati Search.
  • The initial value is set to 85 for JPEG image quality.
  • Fix links to search.cpan.org.

RESOLVED ISSUES

SECURITY FIX AND IMPROVEMENT

  • [XSS] Fix not to execute scripts in WYSIWYG editor.

MISCELLANEOUS

  • Fix not to set the format of multiple-line text in ContentType to "None".
  • Fix to suppress warn 'redefined' in WXRImporter with XML::SAX modules other than XML::SAX::PurePerl.
  • Fix not to slow Data API with a huge version value.
  • Fix not to show an error at sign-out in Rainier theme.
  • Fix our company name in some themes
  • Fix to parse Markdown correctly.
  • Fix not to react to pressing "Enter" in IE11.
  • Fix to update entrymodifiedon at editing statuses in list view.
  • Fix to use SSL configuration parameters when "SSLVerifyNone 1".
  • Fix to use SSL configuration parameters in SMTP when "SSLVerifyNone 1" or "SMTPSSLVerifyNone 1".
  • Fix not to send an empty email when EmailAddressMain is not set
  • Fix to control whether Page is published or not via page endpoint of Data API.
  • Fix to suppress warn 'used only once: possible typo.'
  • Fix the format of blockquote in editor.
  • Fix the message when XML::Parser is not installed.
  • Fix not to register comments with invalid external authenticators.
  • Fix error at loading non-existent modifiers.
  • Fix to suppress warn at DebugMode 1
  • Fix to update MTReleaseNumber correctly.


Please give it a try at:
https://www.movabletypedemo.org/v6.5x/cgi-bin/mt/mt.cgi

Using:
- username: demo
- password: testthis

Enjoy!

Six Apart launched Movable Type v7.1.4 as a security release that brings in a series of security fixes and improvements.

NEW AND IMPROVED FUNCTIONS

  • Buttons are available in multiple-line field type of Contents Fields, the same as Entries.
  • Center-Align and Right-Align buttons are available in Rich Text Editor of Content Fields.
  • ContentSync Log is available.
  • Improve the rebuild speed of ContentType and ContentData.
  • Improve to treat plugins which have no schema version setting (Cloud only).
  • Enable to clear history of ContentSync.
  • "Sync all files" option is available at scheduled ContentSync.
  • Send notification emails additionally to the user executing the sync process.
  • Add Destination setting label.
  • Enable to set SchwartzClientDeadline.
  • Microsoft Edge is now supported in mt.cgi

UPDATED FUNCTIONS

MISCELLANEOUS

  • TheSchwartz log mode is verbose in run-periodic-tasks by default.
  • Improve the notification email of ContentSync.

RESOLVED ISSUES

CONTENT SYNC

  • Fix to sync correctly at multiple destinations in a sync setting.

SECURITY FIX AND IMPROVEMENT

  • Check validation of the limit and offset value at the end point of list in Data API
  • Update jQuery and a-table.js to latest
  • Fix not to set any destination of redirection in password reset email

MISCELLANEOUS

  • Dashboard now works if Blogs exist where parent_id is NULL irregularly.
  • smart_quotes modifier now works in DynamicPublishing mode.
  • encode_json modifier now works correctly in DynamicPublishing mode.
  • Update Data::ObjectDriver to 0.18
  • Fix to rebuild Yearly ContentType archives correctly when un-publishing a published ContentData.
  • Fix not to remove Yearly ContentType archives when removing a ContentData.
  • Fix width and height filter of Asset in Batch Edit.
  • Fix member of Entries and Pages editable in Batch Edit.
  • Fix not to disable some plugins after upgrade.
  • Fix error at no query to mt-search.cgi
  • Fix not to ignore some irregular files in ContentSync.
  • Fix to sync files published after scheduled sync correctly.
  • Fix not to publish date-based archives without Entry.
  • Fix to import member and role of group correctly when importing a website.
  • Fix to remove ContentType and CategorySet in some cases.
  • Fix dashboard error when existing ContentData related ContentType is removed.
  • Fix MTContentField Tag correctly.
  • Update DataAPI SDK to v4.1


Give it a try from:
https://www.movabletypedemo.org/v7x/cgi-bin/mt/mt.cgi

Using:
- username: demo
- password: testthis

Enjoy!

Disclaimer

This is a personal website and doesn't have anything to do with Six Apart; nevertheless, Chris Alden, the former Six Apart CEO, appreciated my idea when he saw it available online.