Your message dated Thu, 19 Nov 2009 21:45:15 +0000
with message-id <e1nbeov-0005zz...@ries.debian.org>
and subject line Bug#555225: fixed in lucene2 2.9.1+ds1-2
has caused the Debian Bug report #555225,
regarding lucene2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555225: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555225
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: lucene2
version: 2.3.1+ds1-1
severity: serious
tags: security
Hi,
Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
Your package embeds the following prototype.js versions:
sid: 1.4.0_pre4
lenny: 1.4.0_pre4
etch: N/A
This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not. If it is not affected please close the bug with a
message indicating this along with what you did to check.
The version of your package specified above is the earliest version
with the affected embedded code. If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.
There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].
If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.
Thank you for your attention to this problem.
Mike
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3]
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
--- End Message ---
--- Begin Message ---
Source: lucene2
Source-Version: 2.9.1+ds1-2
We believe that the bug you reported is fixed in the latest version of
lucene2, which is due to be installed in the Debian FTP archive:
liblucene2-java-doc_2.9.1+ds1-2_all.deb
to main/l/lucene2/liblucene2-java-doc_2.9.1+ds1-2_all.deb
liblucene2-java_2.9.1+ds1-2_all.deb
to main/l/lucene2/liblucene2-java_2.9.1+ds1-2_all.deb
lucene2_2.9.1+ds1-2.diff.gz
to main/l/lucene2/lucene2_2.9.1+ds1-2.diff.gz
lucene2_2.9.1+ds1-2.dsc
to main/l/lucene2/lucene2_2.9.1+ds1-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan-Pascal van Best <janpas...@vanbest.org> (supplier of updated lucene2
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 19 Nov 2009 20:45:04 +0100
Source: lucene2
Binary: liblucene2-java liblucene2-java-doc
Architecture: source all
Version: 2.9.1+ds1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Jan-Pascal van Best <janpas...@vanbest.org>
Description:
liblucene2-java - Full-text search engine library for Java(TM)
liblucene2-java-doc - Documentation for Lucene
Closes: 555225 555226
Changes:
lucene2 (2.9.1+ds1-2) unstable; urgency=low
.
* Removed (unused) embedded Prototype javascript library
(Closes: #555225, #555226)
* Added README.source containing information about how to create the Debian
source from the upstream source tarball
Checksums-Sha1:
07befceec8e377f66ac7bffd402903a211d4031c 1852 lucene2_2.9.1+ds1-2.dsc
568c1528f0fe7ddbfb444c709df833f1c74e52bc 15374 lucene2_2.9.1+ds1-2.diff.gz
87cbf88371fbc9d90d5e23b58e1d2982e537d235 5847546
liblucene2-java_2.9.1+ds1-2_all.deb
d82452c045b043ac681efc10eae51b11f9d49647 7298974
liblucene2-java-doc_2.9.1+ds1-2_all.deb
Checksums-Sha256:
1e5af5679848d23c8e0166c5a77db79a936f3d5bf5a042f82f8e5badee0d226c 1852
lucene2_2.9.1+ds1-2.dsc
019379f250500a184e9dbc503f94b6207f9500d9ff5e3af704092192d5bd29a8 15374
lucene2_2.9.1+ds1-2.diff.gz
3e73f40ae0bbb159dfe20533c55dca91ef8c8b8f71349ae4354a502ea67775d5 5847546
liblucene2-java_2.9.1+ds1-2_all.deb
7caaeb7d9b911725a0ca32712b7c22e09218eb473223c2eceed0474b6cca7ac5 7298974
liblucene2-java-doc_2.9.1+ds1-2_all.deb
Files:
626fe49142b6cd8a9913004500c89d74 1852 java optional lucene2_2.9.1+ds1-2.dsc
0e84aef76d2a9ac1a7ef07d169f0eaa1 15374 java optional
lucene2_2.9.1+ds1-2.diff.gz
eac572790a38c45b69c80f8c811f3a96 5847546 java optional
liblucene2-java_2.9.1+ds1-2_all.deb
05c7135cebbfcfd2414153441bdaa638 7298974 doc optional
liblucene2-java-doc_2.9.1+ds1-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksFqNcACgkQOkyycBqJzCPowACgnxv9/Ni+NKCozE3inL0EjhM3
3fMAn3/E58g6tHaFtqFjvGEnTcpK0ZbL
=GIhb
-----END PGP SIGNATURE-----
--- End Message ---