About two weeks ago, Six Apart released Movable Type 4.33, a release that was coordinated with the worldwide release of Movable Type 5.01 and Movable Type 4.27-ja for Movable Type 4 users in Japan.
I urge any customers planning to stay on Movable Type 4 for the near future to take another look at the Movable Type 4.33 Release Notes and to pay close attention to the following improvements:
Security Fixes
There are two significant security fixes that were included in Movable Type 4.33. The first is the closing of a series of vulnerabilities in the Content Management System (the Movable Type administrative user interface) where user privileges weren’t properly checked. Until Movable Type 4.33, unprivileged users could access several functions of the CMS by typing their URLs directly.
We also enhanced the Asset Manager, XML-RPC Server, and Atom Server to make them check the content of image files that are being uploaded. If image files contain JavaScript or HTML unexpectedly, they can be used to attempt to exploit flaws in Microsoft Internet Explorer 6 and 7 that could lead to security issues on the visitor’s PC or on servers to which that visitor has access.
New Configuration Directive
Related to the Asset Manager changes discussed above, Six Apart implemented a new configuration directive, AssetFileExtensions, concurrently in Movable Type 4 and 5. This is a feature that has been requested by many Movable Type system administrators, and we want you to start getting the benefits of it immediately.
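The upload content check and extension allow-list described above, shown as an added example; it is not Movable Type's own code (Movable Type is written in Perl, this uses Python). The function name, the allowed extensions, the markup patterns and the sample bytes are assumptions constructed for illustration.

```python
import re

# Magic bytes per allowed extension. The extension set is an assumed
# allow-list, in the spirit of the AssetFileExtensions directive.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup that has no place in a genuine image (assumed pattern list).
MARKUP = re.compile(
    rb"<(?:!doctype|html|head|body|title|script|iframe)|javascript:",
    re.IGNORECASE,
)


def check_image_upload(filename, data, allowed=MAGIC):
    """Return (accepted, reason) for an upload's file name and raw bytes."""
    name, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not (name and dot) or ext not in allowed:
        return False, "extension not allowed"
    if not data.startswith(allowed[ext]):
        return False, "content does not match extension"
    hit = MARKUP.search(data)
    if hit:
        return False, "markup found at offset %d" % hit.start()
    return True, "ok"


# Constructed sample inputs (not complete, renderable images).
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
CLEAN_GIF = GIF_HEADER + b"\x00\x00\x00\xff\xff\xff;"
POLYGLOT_GIF = GIF_HEADER + b"<SCRIPT>/* constructed */</SCRIPT>;"
HTML_AS_PNG = b"<html><body>constructed</body></html>"

if __name__ == "__main__":
    for fname, blob in [("photo.gif", CLEAN_GIF), ("photo.gif", POLYGLOT_GIF),
                        ("chart.png", HTML_AS_PNG), ("page.html", HTML_AS_PNG)]:
        print(fname, check_image_upload(fname, blob))
```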
Oracle Database Fixes
There are fixes for three long-standing bugs affecting Movable Type Enterprise’s Oracle database implementation that users of that database should adopt as soon as possible. Some customers have been offered some or all of these fixes as patches to previous versions of Movable Type 4. But Oracle users should definitely consider adopting the entire set of improvements that’s contained in Movable Type 4.33. (See FogBugz Cases 103405, 103406, and 103418.)
Asset Manager Fixes
In addition to the Asset Manager security fix mentioned previously, Movable Type 4.33 fixes a logic error in the Asset Manager which occurs in some cases when an entry doesn’t have any assets associated with it.
Template Linked to File Fixes
For Movable Type users who have their templates linked to files in the file system, Movable Type 4.33 fixes a long-standing problem that caused the first change to a template to be lost. If you use templates that are saved as files, we strongly recommend that you upgrade your installation.
Movable Type 4.33 Release Notes Are Constantly Being Updated
Six Apart is making changes to the Movable Type 4.33 Release Notes that are intended to allow you to understand the significance of the fixes we’ve implemented in 4.33. This includes publication of a substantial portion of each FogBugz case that resulted in significant changes to Movable Type 4.
Known Issues in Movable Type 4.33
In addition, we are providing unprecedented access to known issues in Movable Type 4.33. These issues are provided by our Support team and broken down into three categories:
- Resolved: Issues where fixes exist that have not yet been bundled into a formal Movable Type release.
- Resolved but Needs Testing / QA: Issues where a fix has been submitted by a Movable Type user, but Six Apart Support and QA haven’t yet tested it.
- Unresolved: Known issues that we need help solving.
We hope that providing this information will allow us to iterate Movable Type Open Source faster, will allow you to participate in the problem solving process, and will make everybody more productive with Movable Type.