Your message dated Sat, 07 Jan 2012 23:03:21 +0000
with message-id <e1rjfih-0000kn...@franck.debian.org>
and subject line Bug#653962: fixed in libv8 3.6.6.14-2
has caused the Debian Bug report #653962,
regarding libv8 predictable hash collisions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
653962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653962
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libv8
Severity: serious
Tags: security

Hi,

It was reported that V8 is affected by the predictable hash collisions attack 
that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5037

Can you ensure that fixed packages are uploaded to sid as soon as possible, 
and assert whether a fix for squeeze would be necessary?

Also please note that the security tracker has a number of other open issues 
for libv8. Do you have any more information on the status of those?
http://security-tracker.debian.org/tracker/source-package/libv8


Cheers,
Thijs



--- End Message ---
--- Begin Message ---
Source: libv8
Source-Version: 3.6.6.14-2

We believe that the bug you reported is fixed in the latest version of
libv8, which is due to be installed in the Debian FTP archive:

libv8-3.6.6.14_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-3.6.6.14_3.6.6.14-2_amd64.deb
libv8-dbg_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-dbg_3.6.6.14-2_amd64.deb
libv8-dev_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-dev_3.6.6.14-2_amd64.deb
libv8_3.6.6.14-2.debian.tar.gz
  to main/libv/libv8/libv8_3.6.6.14-2.debian.tar.gz
libv8_3.6.6.14-2.dsc
  to main/libv/libv8/libv8_3.6.6.14-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 653...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated libv8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 07 Jan 2012 22:29:06 +0100
Source: libv8
Binary: libv8-dev libv8-3.6.6.14 libv8-dbg
Architecture: source amd64
Version: 3.6.6.14-2
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapo...@melix.org>
Description: 
 libv8-3.6.6.14 - v8 JavaScript engine - runtime library
 libv8-dbg  - v8 JavaScript engine - debugging symbols
 libv8-dev  - v8 JavaScript engine - development files
Closes: 653962
Changes: 
 libv8 (3.6.6.14-2) unstable; urgency=low
 .
   * Land hash collision fix for V8 3.6. Closes: bug#653962.
     This fixes CVE-2011-5037.
   * snapshot=off, because hash is randomized by a secret key that is
     otherwise readable in the snapshot.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8IxcgACgkQDMRIEQdBQdzASQCfX21Y+UvUuIZQ8f50AnOQ8vZK
OFUAoL9UdPZs8Em5M/ay7eTLGes4jDaZ
=r9RP
-----END PGP SIGNATURE-----



--- End Message ---
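
Added illustration (not part of the original thread, and not V8 or Debian code): the changelog's second entry says the hash is randomized by a secret key that would otherwise be readable in the snapshot. The sketch below models why that matters on a toy 64-bucket table: a key set prepared against a known seed all lands in one bucket, while the same keys spread out under a seed that was never readable. The Jenkins one-at-a-time hash, the table size, the seed values and all function names are assumptions chosen for the demonstration.

```javascript
// Toy model of a seeded string hash table; not V8's implementation.
const nodeCrypto = require('node:crypto');

const BUCKETS = 64; // toy table size (assumption)

// Jenkins one-at-a-time hash started from `seed` (stand-in hash).
function seededHash(str, seed) {
  let h = seed >>> 0;
  for (let i = 0; i < str.length; i++) {
    h = (h + str.charCodeAt(i)) >>> 0;
    h = (h + (h << 10)) >>> 0;
    h = (h ^ (h >>> 6)) >>> 0;
  }
  h = (h + (h << 3)) >>> 0;
  h = (h ^ (h >>> 11)) >>> 0;
  h = (h + (h << 15)) >>> 0;
  return h;
}

// Largest number of keys that share a single bucket under `seed`.
function maxBucketLoad(keys, seed) {
  const load = new Array(BUCKETS).fill(0);
  for (const k of keys) load[seededHash(k, seed) % BUCKETS]++;
  return Math.max(...load);
}

// Models what anyone able to read the seed can prepare offline:
// keys that all map to bucket 0 for that particular seed.
function keysTunedFor(seed, count) {
  const keys = [];
  for (let i = 0; keys.length < count; i++) {
    const k = 'key-' + i;
    if (seededHash(k, seed) % BUCKETS === 0) keys.push(k);
  }
  return keys;
}

// Per-process secret drawn at startup and never stored on disk.
function freshSeed() {
  return nodeCrypto.randomBytes(4).readUInt32LE(0);
}

const SNAPSHOT_SEED = 0x12345678; // constructed: a seed fixed at build time
const tuned = keysTunedFor(SNAPSHOT_SEED, 128);

function report() {
  return {
    seedReadable: maxBucketLoad(tuned, SNAPSHOT_SEED), // every key in one bucket
    seedPrivate: maxBucketLoad(tuned, freshSeed()),    // keys spread across buckets
  };
}
console.log(report());
```

A seed stored in a world-readable snapshot behaves like `SNAPSHOT_SEED` here, which is the reasoning behind building with snapshot=off.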