Your message dated Thu, 04 Feb 2010 15:33:42 +0000
with message-id <e1nd3ia-0000in...@ries.debian.org>
and subject line Bug#555232: fixed in mediatomb 0.12.0~svn2018-5
has caused the Debian Bug report #555232,
regarding mediatomb: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: mediatomb
version: 0.11.0-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security



--- End Message ---
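The version comparison that the report above describes, as an added example that is not part of the original report or of any Debian tooling. The function names and the sample file content are constructed for illustration; the two thresholds are the ones the report states. It also handles release-candidate version strings such as `1.5.1_rc2`, which goes beyond the single case in the report.

```python
import re

# Thresholds as stated in the bug report: a copy older than the listed
# version is flagged for that CVE.
FIXED_IN = {"CVE-2007-2383": "1.5.1", "CVE-2008-7220": "1.6.0.2"}

# prototype.js declares its version inside the Prototype object literal.
VERSION_RE = re.compile(r"""Version:\s*['"]([0-9][0-9A-Za-z._]*)['"]""")

# Constructed sample: the start of an embedded copy at the version the report lists.
SAMPLE = """/*  Prototype JavaScript framework, version 1.5.1.1 */
var Prototype = {
  Version: '1.5.1.1',
  BrowserFeatures: { XPath: !!document.evaluate }
};
"""


def parse_version(text):
    """Turn '1.5.1_rc2' into a sortable key; release candidates sort first."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_rc(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised prototype.js version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # treat 1.5.0 and 1.5 as equal
        nums.pop()
    # (1, 0) marks a final release, (0, N) marks release candidate N
    stage = (1, 0) if m.group(2) is None else (0, int(m.group(2)))
    return nums, stage


def embedded_version(js_source):
    """Return the version string declared in the file, or None if absent."""
    m = VERSION_RE.search(js_source)
    return m.group(1) if m else None


def flagged_cves(js_source):
    """Return the CVEs whose fixed version is newer than the embedded copy."""
    found = embedded_version(js_source)
    if found is None:
        return None          # not recognisably prototype.js: review by hand
    key = parse_version(found)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if key < parse_version(fixed))


if __name__ == "__main__":
    print(embedded_version(SAMPLE), flagged_cves(SAMPLE))
```

A flag from this check only says the declared version is older than the fixed one; as the report notes, the maintainer still has to confirm whether the package is actually affected.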
--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.0~svn2018-5

We believe that the bug you reported is fixed in the latest version of
mediatomb, which is due to be installed in the Debian FTP archive:

mediatomb-common_0.12.0~svn2018-5_amd64.deb
  to main/m/mediatomb/mediatomb-common_0.12.0~svn2018-5_amd64.deb
mediatomb-daemon_0.12.0~svn2018-5_all.deb
  to main/m/mediatomb/mediatomb-daemon_0.12.0~svn2018-5_all.deb
mediatomb_0.12.0~svn2018-5.diff.gz
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-5.diff.gz
mediatomb_0.12.0~svn2018-5.dsc
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-5.dsc
mediatomb_0.12.0~svn2018-5_all.deb
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Mejia <mcita...@gmail.com> (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 04 Feb 2010 08:57:05 -0500
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb
Architecture: source amd64 all
Version: 0.12.0~svn2018-5
Distribution: unstable
Urgency: medium
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Andres Mejia <mcita...@gmail.com>
Description: 
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
Closes: 475279 555232 555233 560468 562372
Changes: 
 mediatomb (0.12.0~svn2018-5) unstable; urgency=medium
 .
   [ Mehdi Dogguy ]
   * Non-maintainer upload.
   * Fix FTBFS due to invalid string constant to char* conversion in
     src/tools.cc (added const_char_conversion.patch) (Closes: #560468)
   * Fix non-uninstallability of mediatomb-daemon, thanks to Raul Sanchez
     Siles for the hint (Closes: #562372)
   * Fix security issue in prototype.js (CVE-2008-7720 and CVE-2007-2383)
     by using the one from the Debian package libjs-prototype
     (Closes: #555232, #555233, #475279)
     + set urgency to medium
     + Make mediatomb-common depend on libjs-prototype
     + Set a symbolic link to prototype.js using mediatomb-common.links

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktq2BcACgkQgsFbAuXxMZZ53ACeNhS+PCBozsvpB/p2E5yjcz0k
5TcAoI50nSZ/nS/zy9iGs8pnUYAgLeZe
=kVkw
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers
