[DRE-maint] Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Michael Gilbert michael.s.gilbert at gmail.com
Tue Nov 10 04:59:02 UTC 2009


On Mon, 9 Nov 2009 20:18:47 -0800 Ryan Niebur wrote:

> On Mon, Nov 09, 2009 at 10:58:52PM -0500, Michael Gilbert wrote:
> > On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:
> > 
> > > On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> > > > package: libjson-ruby
> > > > version: 1.1.2-1
> > > > severity: serious
> > > > tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > Your package contains an embedded version of prototype.js that is
> > > > vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> > > > [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> > > > 
> > > > Your package embeds the following prototype.js versions:
> > > > 
> > > >   sid: 1.6.0
> > > >   lenny: 1.6.0
> > > >   etch: N/A
> > > > 
> > > > This is a mass-filing, and the only checking done so far is a version
> > > > comparison, so please determine whether or not your package is itself
> > > > affected or not.  If it is not affected please close the bug with a
> > > > message indicating this along with what you did to check.
> > > > 
> > > > The version of your package specified above is the earliest version
> > > > with the affected embedded code.  If this version is in one or both of
> > > > the stable releases and you are affected, please coordinate with the
> > > > release team to prepare a proposed-update for your package to
> > > > stable/oldstable.
> > > > 
> > > > There are patches available for CVE-2007-2383 [2] and a backport for
> > > > prototypejs 1.5 for CVE-2008-7720 [3].
> > > > 
> > > > If you correct the problem in unstable, please make sure to include the
> > > > CVE number in your changelog.
> > > > 
> > > 
> > > this should have been fixed for unstable in 1.1.4-1, see #555224. what
> > > should happen for stable tho?
> > 
> > you should prepare an update for proposed-updates.  see debian docs and talk
> > to the release team for more info.
> > 
> 
> I knew that, already did so, http://lists.debian.org/debian-release/2009/11/msg00058.html
> sorry for uhhh, asking questions that I already knew the answer to :/...

oh, fyi, you should submit a bug to release.debian.org, otherwise
mailing list messages tend to fall off their todo list.

mike
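The mass-filing above is explicitly a version comparison only. As an added example (not code from the bug report, the Debian security tracker, or libjson-ruby), the Ruby script below does the same triage a maintainer would run before replying: it finds embedded copies of prototype.js in a source tree, extracts the version string, and lists which of the two CVEs that version falls under, using the fixed-in versions the report states (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The regexes assume prototype.js declares its version in its leading comment banner and in a `Version:` property; the sample file content is constructed. It answers only the version question, not whether the vulnerable code is actually reachable from the package.

```ruby
# Added example, not part of the bug report or libjson-ruby: version triage of
# an embedded prototype.js against the thresholds named in the mass-filing.
# Assumptions: prototype.js declares its version in the banner comment
# ("Prototype JavaScript framework, version X.Y.Z") and/or a Version: property.
require 'rubygems'  # Gem::Version compares four-component versions such as 1.6.0.2
require 'tmpdir'

# CVE => first version that is NOT affected, as stated in the bug report.
PROTOTYPE_FIXED_IN = {
  'CVE-2007-2383' => Gem::Version.new('1.5.1'),
  'CVE-2008-7220' => Gem::Version.new('1.6.0.2'),
}.freeze

# Constructed sample mimicking the head of a prototype.js 1.6.0 file.
SAMPLE_PROTOTYPE_160 = <<~JS
  /*  Prototype JavaScript framework, version 1.6.0
   *  (c) 2005-2007 Sam Stephenson
   *--------------------------------------------------------------------------*/

  var Prototype = {
    Version: '1.6.0',
    Browser: {}
  };
JS

# Pull the version out of prototype.js source, or nil if the file does not
# look like prototype.js at all.
def prototype_version(source)
  m = source.match(/Prototype JavaScript framework, version\s+(\d+(?:\.\d+)+)/) ||
      source.match(/Version:\s*'(\d+(?:\.\d+)+)'/)
  m && Gem::Version.new(m[1])
end

# CVEs whose fixed-in version is newer than the embedded copy, sorted.
def affected_cves(version)
  PROTOTYPE_FIXED_IN.select { |_cve, fixed| version < fixed }.keys.sort
end

# Walk a source tree and report path => { version:, cves: } for every file
# that carries a prototype.js version marker. Empty hash when none is embedded.
def scan_tree(root)
  Dir.glob(File.join(root, '**', '*.js')).sort.each_with_object({}) do |path, report|
    version = prototype_version(File.read(path))
    next unless version
    report[path] = { version: version.to_s, cves: affected_cves(version) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Demonstrate on a constructed tree containing one prototype.js copy.
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'prototype.js'), SAMPLE_PROTOTYPE_160)
    File.write(File.join(dir, 'app.js'), "var app = {};\n")
    scan_tree(dir).each do |path, info|
      status = info[:cves].empty? ? 'not affected by version' : info[:cves].join(', ')
      puts "#{path}: prototype.js #{info[:version]} -> #{status}"
    end
  end
end
```

Point it at an unpacked source package (for example `ruby check.rb` with the tree path substituted for the temp directory) and read the output as the starting point, not the verdict: a version below a threshold means the vulnerable code is present, and the maintainer still has to confirm whether that code path is used before closing or fixing the bug.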
