Hi Michael,

Michael S Gilbert wrote:
[...]
> I am about to do a mass bug filing on the prototypejs embeds, and want
> to make sure that it is ok to do so ahead of time since it involves 32
> separate packages that are affected, which is a lot of bugs.
>

This kind of email should be sent to -devel, following the usual conventions.

[...]
> severity: serious

I don't think they all deserve such severity (read below).

[...]
> your package contains an embedded version of prototypejs that is
> vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> earlier) [1], or both.
>

Would be great if you could tell which one it is; otherwise how do you intend to track it?

> the version of your package specified above is the earliest version
> with the affected embed. if this version is in one or both of the
> stable releases, please coordinate with the release team to accept new
> packages for the next point release.

Hope you are taking into consideration that there might be an oldstable upload, in which case the BTS would not think that the other branches (i.e. stable, testing, unstable) are affected.

>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

Please note that not all of the web apps using prototype might be affected, as not all of them use the vulnerable features.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
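The reply asks the bug filer to say, per package, which of the two CVEs applies rather than "either or both". That is a mechanical question once the embedded copy's version is known: the thread gives the two inclusive upper bounds (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The script below is an added example written for this page, not code from the thread or from the Debian security team. It assumes that a prototype.js copy announces its version in its header comment ("Prototype JavaScript framework, version X") or in the `Version:` property of the Prototype object, and that pre-release tags such as `_rc1` sort below the release they precede; the sample headers are constructed inline so it runs offline. It only classifies by version range; whether a given web app actually calls the vulnerable features, as the reply points out, still needs a manual look.

```python
"""Classify embedded prototype.js copies against the two CVE version ranges
named in the thread. Added example; not part of the original mail."""
import os
import re
import sys

# Inclusive upper bounds of the affected ranges, as stated in the thread.
AFFECTED_CEILINGS = {
    "CVE-2007-2383": "1.5.1",
    "CVE-2008-7220": "1.6.0.2",
}

# Assumed locations of the version string in prototype.js: the header comment
# and the Prototype.Version property. Repacked or minified copies may differ.
VERSION_PATTERNS = (
    re.compile(r"Prototype JavaScript framework,\s*version\s+([0-9][0-9A-Za-z._-]*)"),
    re.compile(r"\bVersion\s*:\s*['\"]([0-9][0-9A-Za-z._-]*)['\"]"),
)

# "1.6.0.2", "1.5.0_rc1", "1.6.0-rc0": dotted numbers plus an optional pre-release tag.
VERSION_SYNTAX = re.compile(
    r"^(?P<base>[0-9]+(?:\.[0-9]+)*)(?:[._-]?(?P<tag>rc|beta|alpha|pre)[0-9]*)?$", re.I)


def parse_version(js_text):
    """Return the version string found in a prototype.js body, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(js_text)
        if match:
            return match.group(1)
    return None


def version_key(version):
    """'1.6.0.2' -> (1, 6, 0, 2). Trailing zeros are dropped (1.5.1.0 == 1.5.1)
    and a pre-release tag appends -1 so that it sorts below the final release."""
    match = VERSION_SYNTAX.match(version)
    if not match:
        raise ValueError("unrecognised version syntax: %r" % version)
    parts = [int(p) for p in match.group("base").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    if match.group("tag"):
        parts.append(-1)
    return tuple(parts)


def version_le(a, b):
    """a <= b for version keys, padding with zeros so (1, 6) compares as 1.6.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def affected_cves(js_text):
    """CVEs whose affected range covers the version embedded in js_text.
    None means no version string was found and the file needs manual review."""
    version = parse_version(js_text)
    if version is None:
        return None
    key = version_key(version)
    return [cve for cve, ceiling in AFFECTED_CEILINGS.items()
            if version_le(key, version_key(ceiling))]


def scan_tree(root):
    """Walk an unpacked package and classify every .js file that carries a Prototype version."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)  # the version sits in the first lines
            except OSError:
                continue
            version = parse_version(head)
            if version is not None:
                findings[path] = (version, affected_cves(head))
    return findings


# Constructed sample headers mimicking the first lines of prototype.js releases.
SAMPLE_1_5_1 = ("/*  Prototype JavaScript framework, version 1.5.1\n"
                " *  (c) 2005-2007 Sam Stephenson\n */\nvar Prototype = {\n  Version: '1.5.1',\n")
SAMPLE_1_6_0_2 = ("/*  Prototype JavaScript framework, version 1.6.0.2\n */\n"
                  "var Prototype = {\n  Version: '1.6.0.2',\n")
SAMPLE_1_6_1 = "var Prototype = {\n  Version: '1.6.1',\n"
SAMPLE_1_5_0_RC1 = "/*  Prototype JavaScript framework, version 1.5.0_rc1\n */\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: classify_prototype.py <unpacked-package-dir>
        for path, (version, cves) in sorted(scan_tree(sys.argv[1]).items()):
            print("%s: prototype %s -> %s" % (path, version, ", ".join(cves) or "outside both ranges"))
    else:
        for sample in (SAMPLE_1_5_1, SAMPLE_1_6_0_2, SAMPLE_1_6_1, SAMPLE_1_5_0_RC1):
            print(parse_version(sample), affected_cves(sample))
```

Run against an unpacked source package it prints one line per embedded copy with the CVEs whose range covers it, which is the per-package information the reply asks the bug reports to carry; an empty list means the copy is newer than both ranges, and a file with no recognisable version string is reported as needing manual review rather than silently skipped.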

