About two weeks ago, Six Apart released Movable Type 4.33, a release that was coordinated with the worldwide release of Movable Type 5.01 and Movable Type 4.27-ja for Movable Type 4 users in Japan.
I urge any customers planning to stay on Movable Type 4 for the near future to take another look at the Movable Type 4.33 Release Notes and to pay close attention to the following improvements:
Security Fixes
There are two significant security fixes that were included in Movable Type 4.33. The first is the closing of a series of vulnerabilities in the Content Management System (the Movable Type administrative user interface) where user privileges weren’t properly checked. Until Movable Type 4.33, unprivileged users could access several functions of the CMS by typing their URLs directly.
We also enhanced the Asset Manager, XML-RPC Server, and Atom Server to make them check the content of image files that are being uploaded. If an image file unexpectedly contains JavaScript or HTML, it can be used to attempt to exploit flaws in Microsoft Internet Explorer 6 and 7 that could lead to security issues on the visitor’s PC or on servers to which that visitor has access.
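The kind of upload check described above, sketched in Python as an added example. It is not Movable Type's own code, and the accepted types, the markup token list and the 1024-byte scan window are assumptions chosen for illustration.

```python
import re

# Magic-byte prefixes for the image types accepted here (assumed allowlist).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Tag openers that a content-sniffing browser may treat as HTML (assumed list).
MARKUP = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|title|plaintext|table|img|pre)\b",
    re.IGNORECASE,
)

SCAN_WINDOW = 1024  # bytes inspected from the start of the file (assumed)


def check_upload(filename, data, window=SCAN_WINDOW):
    """Return (accepted, reason) for an uploaded file claimed to be an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signatures = SIGNATURES.get(ext)
    if signatures is None:
        return False, "extension not allowed"
    # The bytes must start with a signature that belongs to the claimed type.
    if not data.startswith(signatures):
        return False, "content does not match extension"
    # A valid header is not enough: reject markup hidden behind it.
    if MARKUP.search(data[:window]):
        return False, "markup found in image data"
    return True, "ok"


# Constructed sample inputs, not real uploads.
CLEAN_GIF = b"GIF89a" + bytes([1, 0, 1, 0, 0x80, 0, 0]) + b"\x00" * 16
POLYGLOT_GIF = b"GIF89a" + bytes([1, 0, 1, 0, 0, 0, 0]) + b"<html><script></script></html>"
HTML_AS_PNG = b"<!DOCTYPE html><html><body>constructed</body></html>"

if __name__ == "__main__":
    for name, blob in [("photo.gif", CLEAN_GIF), ("photo.gif", POLYGLOT_GIF),
                       ("logo.png", HTML_AS_PNG), ("notes.txt", b"plain text")]:
        print(name, check_upload(name, blob))
```

The window only covers the head of the file; scanning the whole file catches markup placed later at the cost of more false positives on binary data.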
New Configuration Directive
Related to the Asset Manager changes discussed above, Six Apart implemented a new configuration directive, AssetFileExtensions, concurrently in Movable Type 4 and 5. This is a feature that has been requested by many Movable Type system administrators, and we want you to start getting the benefits of it immediately.
Oracle Database Fixes
There are fixes for three long-standing bugs affecting Movable Type Enterprise’s Oracle database implementation that users of that database should adopt as soon as possible. Some customers have been offered some or all of these fixes as patches to previous versions of Movable Type 4. But Oracle users should definitely consider adopting the entire set of improvements that’s contained in Movable Type 4.33. (See FogBugz Cases 103405, 103406, and 103418.)
Asset Manager Fixes
In addition to the Asset Manager security fix mentioned previously, Movable Type 4.33 fixes a logic error in the Asset Manager which occurs in some cases when an entry doesn’t have any assets associated with it.
Template Linked to File Fixes
For Movable Type users who have their templates linked to files in the file system, Movable Type 4.33 fixes a long-standing problem that caused the first change to a template to be lost. If you use templates that are saved as files, we strongly recommend that you upgrade your installation.
Movable Type 4.33 Release Notes Are Constantly Being Updated
Six Apart is making changes to the Movable Type 4.33 Release Notes that are intended to allow you to understand the significance of the fixes we’ve implemented in 4.33. This includes publication of a substantial portion of each FogBugz case that resulted in significant changes to Movable Type 4.
Known Issues in Movable Type 4.33
In addition, we are providing unprecedented access to known issues in Movable Type 4.33. These issues are provided by our Support team and broken down into three categories:
- Resolved: Issues where fixes exist that have not yet been bundled into a formal Movable Type release.
- Resolved but Needs Testing / QA: Issues where a fix has been submitted by a Movable Type user, but Six Apart Support and QA haven’t yet tested.
- Unresolved: Known issues that we need help solving.
We hope that providing this information will allow us to iterate Movable Type Open Source faster, will allow you to participate in the problem solving process, and will make everybody more productive with Movable Type.
jackie on January 20, 2010, 2:20 a.m. Reply
I encountered a problem when I upgraded to MT 4.33. Monthly archives show nothing; how do I fix this problem?
Matt Carey on January 20, 2010, 7:57 a.m. Reply
I wish SA would fix some of the many bugs still on FogBugz concerning core MT features. There are things on that list which show broken functionality. On a released product that has now been superseded by version 5. Come on SA.
Dave Aiello on January 20, 2010, 8:33 a.m. Reply
Thank you for your candid feedback, Matt. I have a hard time understanding how you can look at the Movable Type 4.33 Release Notes and not come to the conclusion that we are fixing long-standing bugs in Movable Type 4. Many of these fixes also made it into MT 5 for the 5.01 release.
I understand that you may not be happy with our triage decisions. But you should recognize that in this release we took several cases where fixes had been recommended to us, committed those changes, ran them through our QA process, and released them.
Recommending a fix in FogBugz or committing code to MTOS is an excellent way to focus attention on the cases that you consider important.
Dave Aiello on January 28, 2010, 11:58 a.m. Reply
Jackie:
Reviewing the comments on this post, I saw your question again and wanted to let you know the following: The problem you experienced with Movable Type 4.33 has been found and fixed. The fix is discussed in the FogBugz case titled “Searching for entries by date range broken”. Although the title refers to a different problem, the patch will also resolve your problem.
Dave Aiello on January 28, 2010, 12:05 p.m. Reply
Matt: Since your comment, we asked third party developers on the MTOS-dev Mailing List to submit their “favorite bugs” from our public FogBugz Defect Tracking System for Movable Type for inclusion in triage for the upcoming release of Movable Type 4.34.
I know that you already submitted a bug for consideration, but I wanted anyone reading this post to know that we are looking at the cases that users submit and actively considering them for inclusion in future releases of MT4 and MT5.
seaweed on November 28, 2010, 1:10 a.m. Reply
This Upgrade certainly shows that it will cater away the faults and bugs that occurred in the previous version, especially the issue dealing with Security. Nice Work Out!
Ava Perry on September 25, 2012, 3:13 a.m. Reply
The bug with the crafted images was really annoying. I don’t know why people still use older browsers but the sites look awful in such browsers. I was really happy when a friend of mine had checked and told me later that the site looks as it should.
Lin Roberts on September 26, 2012, 10:59 a.m. Reply
I upgrade every time I see you have released one. Mainly for security reasons. Also I like the new functions you add every time.
Beckah on October 18, 2012, 1:58 a.m. Reply
I see FogBugz has done what it was supposed to do. It is a great tool for finding bugs and I have used it in some of my other projects too. Great to have combined FogBugz and Movable Type.
George Wilkinson on October 27, 2012, 2:55 a.m. Reply
I have a rule in my life and it is when you do have a leader always follow him. This is why when I receive a message which says - you should upgrade, I always do it.
Katrin on November 15, 2012, 5:02 a.m. Reply
Why do the explanation pages lead to another site? I’ve tried to read more about the security issues, but I have always been redirected to another site.
Ben Morrison on December 12, 2012, 2:44 a.m. Reply
The problem with typing administrative URLs directly and accessing important data is a serious hole in almost every CMS. Glad to hear that you have fixed that problem. I am a bit curious how you did that. Is it possible to write more about the solution?