Bug#555231: oldstable: mt-daapd update addressing #555231

2009-11-12 Thread Julien BLACHE
Adam D. Barratt a...@adam-barratt.org.uk wrote:

Hi,

> > > > CVEs are available, although I wasn't entirely clear as to whether they
> > > > apply to 1.4.0 or not.
> > >
> > > My bet is they don't; 1.4.0 is pretty ancient now.
> >
> > the prototype.js CVEs do apply to 1.4.0.
>
> For the avoidance of any doubt, I meant whether the /patches/ apply to
> 1.4.0.

That was clear in your mail, however my reply broke that sentence in two
pieces.

JB.

-- 
 Julien BLACHE - Debian  GNU/Linux Developer - jbla...@debian.org 
 
 Public key available on http://www.jblache.org - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#555231: oldstable: mt-daapd update addressing #555231

2009-11-11 Thread Michael Gilbert
On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:
> Adam D. Barratt wrote:
>
> Hi,
>
> > How big is the diff from prototype 1.4.0 (as used in the current
> > package) to 1.6.1?  The bug report mentions that patches fixing the two
>
> Don't know, I haven't even looked. There were other issues before those
> two I believe, and they never got fixed. I know that the web interface
> works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
>
> > CVEs are available, although I wasn't entirely clear as to whether they
> > apply to 1.4.0 or not.
>
> My bet is they don't; 1.4.0 is pretty ancient now.

the prototype.js CVEs do apply to 1.4.0.

> > The bug log also mentions that you were planning to upload a fixed
> > package to oldstable-security; is that no longer the case?
>
> Re-reading the report, it doesn't actually ask for a security upload. I
> have no preference for security vs. opu, although I don't think this
> issue is worth a security upload given mt-daapd is not a web app, which
> reduces the scope of the vulnerabilities considerably IMO.

from the security team's perspective, there are way too many
packages affected by the prototype.js flaw to issue DSAs for all of
them, so they all will/should be handled via stable-proposed-updates.

mike






Bug#555231: oldstable: mt-daapd update addressing #555231

2009-11-11 Thread Adam D. Barratt
[re-sending with corrected recipient list having realised that #555231
isn't a release.d.o bug]

On Wed, 2009-11-11 at 14:35 -0500, Michael Gilbert wrote:
> On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:
> > Adam D. Barratt wrote:
> >
> > Hi,
> >
> > > How big is the diff from prototype 1.4.0 (as used in the current
> > > package) to 1.6.1?  The bug report mentions that patches fixing the two
> >
> > Don't know, I haven't even looked. There were other issues before those
> > two I believe, and they never got fixed. I know that the web interface
> > works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
> >
> > > CVEs are available, although I wasn't entirely clear as to whether they
> > > apply to 1.4.0 or not.
> >
> > My bet is they don't; 1.4.0 is pretty ancient now.
>
> the prototype.js CVEs do apply to 1.4.0.

For the avoidance of any doubt, I meant whether the /patches/ apply to
1.4.0.

Regards,

Adam





