Six Apart says there are "a number of cross-site scripting vulnerabilities" in Movable Type, and users thereof should all upgrade immediately.
I hadn’t really wanted to deal with another Movable Type upgrade. But I figured I should, for security. (Wouldn’t want my 3,000+ entries of blather to get vandalized, would we?)
Alas, I am still running 3.2. The Movable Type documentation just gets worse with every release, and half an hour of searching the Six Apart web site & studying the Movable Type user’s manual turned up nothing on how to upgrade from 3.2 to 3.3.
Memo to Six Apart: if I have a working MT 3.2 setup, and you want me to upgrade to MT 3.3, it’s in your interest to make that process as simple, obvious & painless as possible. Since you didn’t, I won’t be upgrading. And now you have that much more upgrade resistance to overcome when you release 3.4, or 4.0.
(I know, I’m using the free version of Movable Type, so Six Apart doesn’t care what I think. I don’t care that they don’t care, I just felt like complaining.)
In the end, I downloaded the 3.21 patches and installed those. It was easy: extract everything from the tar file, copy it into the Movable Type directory and – presto – I’m running 3.21. So my blather is safe, for now.