Version in base suite: 4.2.3-1
Version in overlay suite: (not present)
Base version: movabletype-opensource_4.2.3-1
Target version: movabletype-opensource_4.2.3-1+lenny1
Base file: /org/ftp.debian.org/ftp/pool/main/m/movabletype-opensource/movabletype-opensource_4.2.3-1.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/movabletype-opensource_4.2.3-1+lenny1.dsc
README.Debian | 15 +++++++++++++++
changelog | 8 ++++++++
movabletype-opensource.apache2 | 5 +++++
postinst | 20 +++++++++++---------
4 files changed, 39 insertions(+), 9 deletions(-)
diff -u movabletype-opensource-4.2.3/debian/postinst movabletype-opensource-4.2.3/debian/postinst
--- movabletype-opensource-4.2.3/debian/postinst
+++ movabletype-opensource-4.2.3/debian/postinst
@@ -80,17 +80,19 @@
fi
fi
- if [ -x /usr/sbin/apache2ctl -a -z "$2" ]; then
- db_get movabletype-opensource/reload_apache || true
- RELOAD="$RET"
- if [ "$RELOAD" = "true" ]; then
- if /usr/sbin/apache2ctl configtest 2>/dev/null; then
- invoke-rc.d apache2 reload || true
+ if [ -x /usr/sbin/apache2ctl ]; then
+ if [ -z "$2" ] || dpkg --compare-versions "$2" lt 4.2.3-1+lenny1~test.2; then
+ db_get movabletype-opensource/reload_apache || true
+ RELOAD="$RET"
+ if [ "$RELOAD" = "true" ]; then
+ if apache2ctl configtest 2>/dev/null; then
+ invoke-rc.d apache2 reload || true
+ else
+ echo "apache2 configuration broken, not reloading!"
+ fi
else
- echo "apache2 configuration broken, not reloading!"
+ echo "Please manually reload Apache to apply the configuration update"
fi
- else
- echo "Please manually reload Apache to apply the configuration update"
fi
fi
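Review bot: The outer guard on the new `if` still tests `-x /usr/sbin/apache2ctl`, but the configtest call below it was changed from `/usr/sbin/apache2ctl configtest` to a bare `apache2ctl configtest`, so the check and the invocation no longer refer to the same binary and the latter depends on the maintainer script's PATH; I would keep the absolute path, `if /usr/sbin/apache2ctl configtest 2>/dev/null; then`. Note also that the `Deny from all` this upload adds is only enforced once Apache is reloaded, so on the `Please manually reload Apache` branch (and whenever the debconf answer is not `true`) mt-wizard.cgi presumably stays reachable until the admin acts, which the message could say explicitly. Because `db_get ... || true` swallows a failed lookup, `$RET` may then be unset or left over from an earlier call and the `[ "$RELOAD" = "true" ]` test quietly falls through to the manual-reload message as well. The enclosing postinst structure begins and ends outside this hunk.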
diff -u movabletype-opensource-4.2.3/debian/movabletype-opensource.apache2 movabletype-opensource-4.2.3/debian/movabletype-opensource.apache2
--- movabletype-opensource-4.2.3/debian/movabletype-opensource.apache2
+++ movabletype-opensource-4.2.3/debian/movabletype-opensource.apache2
@@ -1,0 +2,5 @@
+
+
+ Deny from all
+
+
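Review bot: As rendered, the added `Deny from all` sits between blank lines with no visible `<Files>` or `<Location>` container; if those angle-bracket lines are genuinely absent rather than stripped by the page rendering, the directive would deny access to everything the surrounding configuration covers, not just mt-wizard.cgi as the changelog describes, so please confirm it is scoped, e.g. `<Files mt-wizard.cgi>` … `</Files>`. A one-line comment above the block, `# mt-wizard.cgi disabled by default (see README.Debian and #537935)`, would tell a local admin who needs the wizard what to relax and that access should then be limited to trusted hosts. `Deny from all` with no explicit `Order` relies on Apache's default ordering to take effect; spelling out `Order deny,allow` alongside it makes the intent unambiguous to anyone editing the file later.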
diff -u movabletype-opensource-4.2.3/debian/changelog movabletype-opensource-4.2.3/debian/changelog
--- movabletype-opensource-4.2.3/debian/changelog
+++ movabletype-opensource-4.2.3/debian/changelog
@@ -1,3 +1,11 @@
+movabletype-opensource (4.2.3-1+lenny1) stable; urgency=low
+
+ * Don't allow any access to mt-wizard.cgi by default as it shouldn't
+ normally be needed and presents an unnecessary security exposure
+ (closes: #537935)
+
+ -- Dominic Hargreaves Sat, 03 Oct 2009 14:22:47 +0100
+
movabletype-opensource (4.2.3-1) unstable; urgency=medium
* Urgency medium due to security fixes
diff -u movabletype-opensource-4.2.3/debian/README.Debian movabletype-opensource-4.2.3/debian/README.Debian
--- movabletype-opensource-4.2.3/debian/README.Debian
+++ movabletype-opensource-4.2.3/debian/README.Debian
@@ -41,0 +42,15 @@
+
+MT Wizard
+---------
+
+Please note that mt-wizard.cgi has been disabled in the default
+Apache configuration as it is not normally needed -- configuration is handled
+automatically at package installation time.
+
+If you do need to use it you are strongly advised to restrict access to
+trusted hosts, since there is an unspecified security problem in the
+current version (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537935
+for further details).
+
+If you use Movable Type with other web servers you should take steps
+to protect this script in the same way.