Movable Type 7 r.5301 (v7.9.5), v6.8.7 released.
This release includes a security fix. For those of you who use Movable Type 4.0 and later, Six Apart strongly recommends that you upgrade to the latest version or apply one of the workarounds immediately.
Through the XMLRPC API of MT (mt-xmlrpc.cgi), a limited Perl / OS command injection (RCE) could be performed. This issue may occur when mt-xmlrpc.cgi can be executed from the Internet.
One of the following steps can be taken to avoid or reduce the effect of the vulnerability.
Set ‘RestrictedPSGIApp xmlrpc’ in mt-config.cgi (6.2 and later) or ‘XMLRPCScript’ followed by a long random string that cannot be guessed (6.1 and earlier).
Since Six Apart has already terminated support for Movable Type 4.x, 5.x, and 6.0.x-6.3.x, we strongly recommend upgrading to the latest version, Movable Type 7 r.5301 or 6.8.7.
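To confirm that the mt-config.cgi workaround is actually in place on each installation, the shell functions below report its state for a given Movable Type directory. This is an added example, not Six Apart's code. It assumes that mt-config.cgi holds one "Directive value" pair per line with "#" comments and case-insensitive directive names; the status words, the function names and the 16-character length threshold are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example (not Six Apart's code): report whether the mt-config.cgi workaround is set.
# Assumptions: one "Directive value" pair per line, '#' starts a comment, directive
# names are case-insensitive; MIN_LEN=16 is an arbitrary threshold for "long".
MIN_LEN=${MIN_LEN:-16}

# Print every value of directive $2 found in config file $1, one per line.
mt_directive() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }
  ' "$1"
}

# Print one status word for the MT directory $1; return 0 only if a workaround is set.
mt_xmlrpc_status() {
  cfg="$1/mt-config.cgi"
  [ -r "$cfg" ] || { echo "no-config"; return 2; }
  # 6.2 and later: RestrictedPSGIApp xmlrpc (only takes effect when MT runs under PSGI).
  if mt_directive "$cfg" RestrictedPSGIApp | tr -s ' \t' '\n\n' | grep -qix 'xmlrpc'; then
    echo "restricted-psgi"; return 0
  fi
  # 6.1 and earlier: XMLRPCScript set to a long name that cannot be guessed.
  script=$(mt_directive "$cfg" XMLRPCScript | tail -n 1)
  if [ -z "$script" ] || [ "$script" = "mt-xmlrpc.cgi" ]; then
    echo "default-endpoint"; return 1
  fi
  [ "${#script}" -ge "$MIN_LEN" ] && { echo "renamed"; return 0; }
  echo "renamed-short"; return 1
}

# Constructed sample configs (not real installations), one per case.
mt_demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/a" "$tmp/b" "$tmp/c"
  printf 'CGIPath /mt/\n# RestrictedPSGIApp xmlrpc\n' > "$tmp/a/mt-config.cgi"
  printf 'CGIPath /mt/\nRestrictedPSGIApp xmlrpc\n' > "$tmp/b/mt-config.cgi"
  printf 'XMLRPCScript x.cgi\n' > "$tmp/c/mt-config.cgi"
  for d in a b c; do
    printf '%s: %s\n' "$d" "$(mt_xmlrpc_status "$tmp/$d")"
  done
  rm -rf "$tmp"
}

# Usage: sh check.sh /path/to/mt [/path/to/other-mt ...]
for d in "$@"; do printf '%s: %s\n' "$d" "$(mt_xmlrpc_status "$d")"; done
```

A "default-endpoint" or "renamed-short" result means neither workaround is effective in that directory, so the installation should be upgraded or reconfigured.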
Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.
If you have an existing Movable Type 7 or 6.8 license, you can download the latest Movable Type from our download portal using your Six Apart ID.
To purchase a new license or an upgrade, please visit MovableType.com for more information, or feel free to contact us if you have any questions.
Movable Type 6.8 is covered by LTS (long-term support) and will receive problem fixes and security fixes until 2022. However, in order to use Movable Type 6.5.x/6.6.x/6.7.x/6.8.x, the “Pro Unlimited annual license” needs to be renewed every year.