[DRE-maint] Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Michael Gilbert michael.s.gilbert at gmail.com
Tue Nov 10 03:58:52 UTC 2009


On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:

> On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> > package: libjson-ruby
> > version: 1.1.2-1
> > severity: serious
> > tags: security
> > 
> > Hi,
> > 
> > Your package contains an embedded version of prototype.js that is
> > vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> > [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> > 
> > Your package embeds the following prototype.js versions:
> > 
> >   sid: 1.6.0
> >   lenny: 1.6.0
> >   etch: N/A
> > 
> > This is a mass-filing, and the only checking done so far is a version
> > comparison, so please determine whether or not your package is itself
> > affected or not.  If it is not affected please close the bug with a
> > message indicating this along with what you did to check.
> > 
> > The version of your package specified above is the earliest version
> > with the affected embedded code.  If this version is in one or both of
> > the stable releases and you are affected, please coordinate with the
> > release team to prepare a proposed-update for your package to
> > stable/oldstable.
> > 
> > There are patches available for CVE-2007-2383 [2] and a backport for
> > prototypejs 1.5 for CVE-2008-7720 [3].
> > 
> > If you correct the problem in unstable, please make sure to include the
> > CVE number in your changelog.
> > 
> 
> This should have been fixed for unstable in 1.1.4-1, see #555224. What
> should happen for stable, though?

You should prepare an update for proposed-updates. See the Debian docs and talk
to the release team for more info.

mike