[DRE-maint] Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Ryan Niebur ryan at debian.org
Mon Nov 9 06:19:13 UTC 2009


On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> package: libjson-ruby
> version: 1.1.2-1
> severity: serious
> tags: security
> 
> Hi,
> 
> Your package contains an embedded version of prototype.js that is
> vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> 
> Your package embeds the following prototype.js versions:
> 
>   sid: 1.6.0
>   lenny: 1.6.0
>   etch: N/A
> 
> This is a mass-filing, and the only checking done so far is a version
> comparison, so please determine whether or not your package is itself
> affected or not.  If it is not affected please close the bug with a
> message indicating this along with what you did to check.
> 
> The version of your package specified above is the earliest version
> with the affected embedded code.  If this version is in one or both of
> the stable releases and you are affected, please coordinate with the
> release team to prepare a proposed-update for your package to
> stable/oldstable.
> 
> There are patches available for CVE-2007-2383 [2] and a backport for
> prototypejs 1.5 for CVE-2008-7720 [3].
> 
> If you correct the problem in unstable, please make sure to include the
> CVE number in your changelog.
> 

this should have been fixed for unstable in 1.1.4-1, see #555224. what
should happen for stable tho?

-- 
_________________________
Ryan Niebur
ryanryan52 at gmail.com
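The mass-filing above says the only check done was a version comparison of the embedded prototype.js against the fixed releases (1.5.1 and 1.6.0.2). The script below, added here as an example and not code from the bug report or from the libjson-ruby package, performs that same check over a source tree: it finds every file named prototype.js, reads the version from the library's own header comment or its `Version:` property, and lists which of the two CVEs the report's thresholds would flag. The report writes the second identifier as both CVE-2008-7220 and CVE-2008-7720; the form given next to the 1.6.0.2 threshold is used here. The sample file contents are constructed for the example, and a copy whose header has been stripped is reported as needing manual inspection rather than silently passing.

```python
import os
import re
import tempfile

# Thresholds as stated in the mass-filing: an embedded copy is flagged when
# its version is strictly below the first fixed release. (The identifier
# CVE-2008-7220 is taken from the sentence giving the 1.6.0.2 threshold.)
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# prototype.js declares its version twice: in the leading comment block and
# in the Prototype object itself. Either is accepted.
_HEADER_RE = re.compile(r"Prototype JavaScript framework, version (\d+(?:\.\d+)+)")
_OBJECT_RE = re.compile(r"Version:\s*['\"](\d+(?:\.\d+)+)['\"]")


def version_tuple(s):
    """'1.6.0.2' -> (1, 6, 0, 2); tuples compare correctly across 3- and 4-part versions."""
    return tuple(int(p) for p in s.split("."))


def extract_prototype_version(text):
    """Return the version string declared in a prototype.js source, or None."""
    for pattern in (_HEADER_RE, _OBJECT_RE):
        m = pattern.search(text)
        if m:
            return m.group(1)
    return None


def affected_cves(version):
    """CVEs whose fixed release is newer than the given embedded version."""
    v = version_tuple(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def scan_tree(root):
    """Map each embedded prototype.js under root to (version, flagged CVEs)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "prototype.js":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = extract_prototype_version(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if version is None:
                # A version comparison cannot clear this copy; say so explicitly.
                results[rel] = (None, ["unknown version: inspect manually"])
            else:
                results[rel] = (version, affected_cves(version))
    return results


# Constructed sample sources for the example (not real package contents):
# the first lines of prototype.js as shipped in several releases, plus a
# copy whose header was stripped by a minifier.
SAMPLES = {
    "a/prototype.js": (
        "/*  Prototype JavaScript framework, version 1.5.0\n"
        " *  (c) 2005-2007 Sam Stephenson\n */\n"
        "var Prototype = {\n  Version: '1.5.0',\n"
    ),
    "b/js/prototype.js": (
        "/*  Prototype JavaScript framework, version 1.6.0\n */\n"
        "var Prototype = {\n  Version: '1.6.0',\n"
    ),
    "c/prototype.js": "var Prototype = {\n  Version: '1.6.0.3',\n",
    "d/prototype.js": "// header stripped by a minifier\nvar Prototype={};\n",
}


def build_sample_tree():
    """Write the constructed samples into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="proto-scan-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, (version, cves) in sorted(scan_tree(root).items()):
        print(f"{rel}: version={version} flagged={cves or 'none'}")
```

Run it against a real unpacked source package by replacing `build_sample_tree()` with the package directory. As the bug report itself notes, a clean version comparison is only the first step: a copy that is old but never loaded, or one patched in place without a version bump, needs a look at the code paths before the bug can be closed.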