Your message dated Wed, 11 Nov 2009 12:27:14 +0000
with message-id <20091111122714.gf4...@urchin.earth.li>
and subject line Re: [request-tracker-maintainers] Bug#555258: 
rt-extension-emailcompletion: CVE-2007-2383 and CVE-2008-7720 prototypejs 
vulnerabilities
has caused the Debian Bug report #555258,
regarding rt-extension-emailcompletion: CVE-2007-2383 and CVE-2008-7720 
prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: rt-extension-emailcompletion
version: 0.06-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security



--- End Message ---
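The version comparison the report describes, as an added example that is not part of this thread (it is neither the reporter's mass-filing tooling nor anything from Debian or the RT project): a Python script that locates embedded prototype.js copies under a directory, reads the version out of the file, and reports which of the two CVEs the report lists apply to it. It assumes the version appears in the header comment ("Prototype JavaScript framework, version X.Y.Z") or as a `Version: 'X.Y.Z'` property of the Prototype object; the fixed-in thresholds (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220) are those stated in the report, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

# Affected ranges as stated in the bug report: a prototype.js copy is
# affected by a CVE when its version is older than the first fixed release.
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumption: the version is present either in the header comment of
# prototype.js or in the Version: 'X.Y.Z' property of the Prototype object.
VERSION_PATTERNS = [
    re.compile(r"Prototype JavaScript framework, version\s+([0-9][0-9.]*[0-9])"),
    re.compile(r"Version:\s*'([0-9][0-9.]*[0-9])'"),
]


def parse_version(text):
    """Turn '1.6.0' into (1, 6, 0) so tuple comparison orders releases."""
    return tuple(int(part) for part in text.split("."))


def extract_version(source):
    """Return the embedded version as a tuple, or None if no pattern matches."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return parse_version(match.group(1))
    return None


def affected_cves(version):
    """CVE ids whose fixed version is newer than the embedded one."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def audit_tree(root):
    """Walk a directory tree and report every prototype*.js copy found.

    Returns {path: (version string or 'unknown', [affected CVE ids])}.
    """
    findings = {}
    for path in Path(root).rglob("prototype*.js"):
        version = extract_version(path.read_text(errors="replace"))
        if version is None:
            findings[str(path)] = ("unknown", [])
        else:
            findings[str(path)] = (".".join(map(str, version)), affected_cves(version))
    return findings


# Constructed sample header mimicking the 1.6.0 copy the report flagged.
SAMPLE_HEADER = """/*  Prototype JavaScript framework, version 1.6.0
 *  (c) 2005-2007 Sam Stephenson
 *--------------------------------------------------------------------------*/
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (ver, cves) in sorted(audit_tree(root).items()):
        status = ", ".join(cves) if cves else "not affected by version check"
        print(f"{path}: version {ver}: {status}")
```

Like the mass-filing, this is only a version check, so a hit means "determine whether the package is affected", not "exploitable". Running it over an unpacked binary package (for example the extracted contents of the built .deb) rather than the source tarball answers the question the reply below settles: an embedded copy that is only in the upstream source and never installed by any binary package is a concern for upstream, not for the shipped package.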
--- Begin Message ---
On Sun, Nov 08, 2009 at 07:53:30PM -0500, Michael Gilbert wrote:

> Your package contains an embedded version of prototype.js that is
> vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> 
> Your package embeds the following prototype.js versions:
> 
>   sid: 1.6.0
>   lenny: N/A
>   etch: N/A
> 
> This is a mass-filing, and the only checking done so far is a version
> comparison, so please determine whether or not your package is itself
> affected or not.  If it is not affected please close the bug with a
> message indicating this along with what you did to check.

It's shipped in the upstream tarball but does not appear in any
binary package built by this, so I'm closing this bug in Debian.
I will let upstream know so they can update their bundled version.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


--- End Message ---