Your message dated Sat, 14 Nov 2009 11:03:17 +0100
with message-id <[email protected]>
and subject line Re: Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
has caused the Debian Bug report #555276,
regarding wesnoth: embeds prototype.js
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
555276: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555276
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: wesnoth
version: 1:1.6.5-1
severity: important
tags: security

Hi,

Your package embeds prototype.js, which makes security updates very
cumbersome, difficult, and potentially error-prone. Please update your
package to make use of the system prototype.js provided by the
libjs-prototype binary package.

This is a mass-filing, and the only checking done so far is a version
comparison.  If your package for some reason is not affected or already
uses the system prototype.js, please close this bug with a message
indicating that that is the case.

Thank you very much for your attention on this matter.

Mike



--- End Message ---
--- Begin Message ---
        Hi!

* Michael Gilbert <[email protected]> [2009-11-09 21:59:42 CET]:
> >  Actually, the package doesn't really use it. It's used in the stats
> > server which isn't shipped or enabled or used in the Debian packages. If
> > you feel like removing it from the source tarball might gain us anything
> > I can offer to do that, too.
> 
> this isn't necessary.  as long as the problematic file is not included
> in any binary package, then wesnoth can be considered not-affected, and
> this bug can be safely closed.  since there were so many of these
> embeds, i did not have time to individually check to see what each
> package was doing.

 Sure, closing now. It won't even be in the tarball in the future by the
way, upstream stopped packaging it thanks to your notice.

> > [a] well, symlinking. I ship jquery and tablesorter. The former is
> >     available as package but the latter not. Given that the two have to go
> >     together I chose explicitly not to symlink jquery either.
> 
> this is definitely a problem.  since a common version of jquery is
> available, it should be used.

 I am aware of that and that's why I added it myself to the
data/embedded-code-copies file in the security tracker svn.

>  as for tablesorter you have the option of either packaging it
> separately or sticking with the embed (if other packages use
> tablesorter, then a separate package should be preferred).

 Sticking with the embedded might bring up compatibility issues with
jquery, that's why I did go that path. And I haven't found other
packages to use tablesorter, at least not with that filename. Didn't have
the time to dig into packaging of javascript libraries yet either.

 So long. :)
Rhonda


--- End Message ---
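The check behind this thread, as an added example that is not part of the bug log, the Debian security tracker or the wesnoth package: walk an unpacked package tree, pick out the library files a libjs-* package provides (prototype.js, jquery.js), and report for each whether it is a symlink into /usr/share/javascript (the layout Mike's mass-filing asks for and Rhonda describes for jquery) or an embedded copy, with the version taken from the file header and compared against a threshold the way the "version comparison" in the filing does. The version thresholds, the sample tree and its file contents are constructed for illustration and are not values from the bug.

```python
"""Find embedded JavaScript library copies in an unpacked package tree.

Added illustration for the embedded-code-copy check discussed in the bug;
it is not part of the Debian BTS, the security tracker or the wesnoth package.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Debian's libjs-* packages install their copies below this directory.
SYSTEM_JS_DIR = "/usr/share/javascript"

# File name -> (providing binary package, first version assumed to carry the fixes).
# The thresholds are illustrative assumptions, not values stated in the bug log.
KNOWN_LIBS = {
    "prototype.js": ("libjs-prototype", (1, 6, 0, 2)),
    "jquery.js": ("libjs-jquery", (1, 3, 2)),
}

# Matches the header comment of either library, e.g.
#   "Prototype JavaScript framework, version 1.6.0.2"
#   "jQuery JavaScript Library v1.3.2"   or   "/*! jQuery v1.4.2"
VERSION_RE = re.compile(r"(?:version|library|jquery)\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    package: str
    status: str                          # see classify() below
    version: Optional[Tuple[int, ...]]


def parse_version(head: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from a library's header comment, if present."""
    m = VERSION_RE.search(head)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def classify(path: str) -> Finding:
    """Decide whether a library file is a system symlink or an embedded copy."""
    package, fixed_in = KNOWN_LIBS[os.path.basename(path)]
    # A symlink into /usr/share/javascript is the layout the bug asks for:
    # the library is then updated by its own package, not by this one.
    if os.path.islink(path) and os.readlink(path).startswith(SYSTEM_JS_DIR + "/"):
        return Finding(path, package, "system-symlink", None)
    if not os.path.exists(path):                 # dangling symlink somewhere else
        return Finding(path, package, "broken-symlink", None)
    # Embedded copy: read the header and compare its version to the threshold.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        version = parse_version(fh.read(512))
    if version is None:
        status = "embedded-unknown-version"
    elif version < fixed_in:
        status = "embedded-outdated"
    else:
        status = "embedded-current"
    return Finding(path, package, status, version)


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked package tree and classify every known library file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname in KNOWN_LIBS:
                findings.append(classify(os.path.join(dirpath, fname)))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed stand-in for an unpacked package; not wesnoth's real layout."""
    root = tempfile.mkdtemp(prefix="jsscan-")
    stats = os.path.join(root, "usr", "share", "example", "stats")
    os.makedirs(stats)
    with open(os.path.join(stats, "prototype.js"), "w", encoding="utf-8") as fh:
        fh.write("/*  Prototype JavaScript framework, version 1.5.1\n *  (c) Sam Stephenson\n */\n")
    with open(os.path.join(stats, "tablesorter.js"), "w", encoding="utf-8") as fh:
        fh.write("/* no libjs-* package provides this, so the scan ignores it */\n")
    # jquery.js done the way the bug asks: a symlink to the libjs-jquery copy.
    os.symlink(SYSTEM_JS_DIR + "/jquery/jquery.js", os.path.join(stats, "jquery.js"))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        ver = ".".join(map(str, f.version)) if f.version else "-"
        print(f"{f.status:24} {f.package:16} {ver:8} {f.path}")
```

Run against a real tree (for example the contents of a .deb unpacked with `dpkg-deb -x`), a "system-symlink" result is the case Mike says can be closed, an "embedded-*" result is the case that needs either a symlink to the libjs-* copy or a listing in the security tracker's embedded-code-copies file, and tablesorter.js is deliberately not in KNOWN_LIBS because, as Rhonda notes, no package provides it.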