[DRE-maint] Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Ryan Niebur ryan at debian.org
Tue Nov 10 04:18:47 UTC 2009


On Mon, Nov 09, 2009 at 10:58:52PM -0500, Michael Gilbert wrote:
> On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:
> 
> > On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> > > package: libjson-ruby
> > > version: 1.1.2-1
> > > severity: serious
> > > tags: security
> > > 
> > > Hi,
> > > 
> > > Your package contains an embedded version of prototype.js that is
> > > vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> > > [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> > > 
> > > Your package embeds the following prototype.js versions:
> > > 
> > >   sid: 1.6.0
> > >   lenny: 1.6.0
> > >   etch: N/A
> > > 
> > > This is a mass-filing, and the only checking done so far is a version
> > > comparison, so please determine whether or not your package is itself
> > > affected or not.  If it is not affected please close the bug with a
> > > message indicating this along with what you did to check.
> > > 
> > > The version of your package specified above is the earliest version
> > > with the affected embedded code.  If this version is in one or both of
> > > the stable releases and you are affected, please coordinate with the
> > > release team to prepare a proposed-update for your package to
> > > stable/oldstable.
> > > 
> > > There are patches available for CVE-2007-2383 [2] and a backport for
> > > prototypejs 1.5 for CVE-2008-7720 [3].
> > > 
> > > If you correct the problem in unstable, please make sure to include the
> > > CVE number in your changelog.
> > > 
> > 
> > this should have been fixed for unstable in 1.1.4-1, see #555224. what
> > should happen for stable tho?
> 
> you should prepare an update for proposed-updates.  see debian docs and talk
> to the release team for more info.
> 

I knew that, already did so, http://lists.debian.org/debian-release/2009/11/msg00058.html
sorry for uhhh, asking questions that I already knew the answer to :/...

-- 
_________________________
Ryan Niebur
ryanryan52 at gmail.com
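The mass-filing above says the only checking done was a version comparison of the embedded prototype.js. As an added example (not code from this thread or from the libjson-ruby package), here is a small Python scanner that pulls the version string out of a prototype.js file and reports which of the two CVEs the report names apply, using the fixed-in versions the report gives (1.5.1 and 1.6.0.2). The header and `Version:` patterns it searches for are assumptions about the file layout, and the sample input is constructed.

```python
import re

# Fixed-in versions as stated in the bug report:
# CVE-2007-2383 affects prototype.js before 1.5.1,
# CVE-2008-7220 affects prototype.js before 1.6.0.2.
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumed layouts: the object literal `var Prototype = { Version: '1.6.0', ...`
# and the file header comment "Prototype JavaScript framework, version 1.6.0".
VERSION_RE = re.compile(r"""Prototype\s*=\s*\{\s*Version:\s*['"]([\d.]+)['"]""")
HEADER_RE = re.compile(r"Prototype JavaScript framework, version ([\d.]+)")

# Constructed sample mimicking the top of an embedded prototype.js 1.6.0.
SAMPLE = """/*  Prototype JavaScript framework, version 1.6.0
 *------------------------------------------------------------*/
var Prototype = {
  Version: '1.6.0',
"""


def extract_version(source):
    """Return the version string found in a prototype.js source, or None."""
    for rx in (VERSION_RE, HEADER_RE):
        m = rx.search(source)
        if m:
            return m.group(1)
    return None


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def affected_cves(version_str):
    """List the CVEs whose fixed-in version is later than version_str."""
    v = parse_version(version_str)
    hits = []
    for cve, fixed in FIXED_IN.items():
        n = max(len(v), len(fixed))
        # Pad with zeros so 1.6.0 compares as 1.6.0.0 against 1.6.0.2.
        if v + (0,) * (n - len(v)) < fixed + (0,) * (n - len(fixed)):
            hits.append(cve)
    return hits


def scan(source):
    ver = extract_version(source)
    return {"version": ver, "affected": affected_cves(ver) if ver else []}


if __name__ == "__main__":
    print(scan(SAMPLE))  # 1.6.0 is before 1.6.0.2, so CVE-2008-7220 applies
```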