[Secure-testing-team] mass prototypejs bug filing

Michael S Gilbert michael.s.gilbert at gmail.com
Sat Oct 10 02:29:55 UTC 2009


hi,

I am about to do a mass bug filing on the prototypejs embeds, and want
to make sure that it is ok to do so ahead of time since it involves 32
separate packages that are affected, which is a lot of bugs.

Following is the mail that I intend to send.  I suggest that
maintainers push fixes in the next point release, rather than a DSA,
with the logic being that it would be a major hassle to issue so many
DSAs.  I will mark all of them no-dsa in the tracker.  Does that sound
alright?

mike

-------------------------------------------------------------------------
package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

hi,

Your package contains an embedded version of prototypejs that is
vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
earlier) [1], or both.

The version of your package specified above is the earliest version
with the affected embed.  If this version is in one or both of the
stable releases, please coordinate with the release team to accept new
packages for the next point release.

Thank you for your attention to this problem.

mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
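The mail above gives only the two version cut-offs.  The following is an added example (not part of the original mail, and not the script the author used for the mass filing) of how a maintainer can check a source tree for embedded copies of prototype.js and see which of the two CVEs applies.  It assumes the copy is named prototype.js or prototype.min.js and carries its version either in the header comment ("Prototype JavaScript framework, version X") or in the Prototype.Version field; the sample files it creates under a temporary directory are constructed for the demo and do not come from any real package.

```python
"""Added example (not from the original mail): walk a directory tree, find
embedded copies of prototype.js, read the version string, and report which
of CVE-2007-2383 (<= 1.5.1) and CVE-2008-7220 (<= 1.6.0.2) applies."""
import os
import re
import tempfile

# Cut-offs from the bug template; a copy is affected if version <= cut-off.
AFFECTED = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumed locations of the version string in prototype.js:
#   /*  Prototype JavaScript framework, version 1.6.0.2      (header comment)
#   var Prototype = { Version: '1.6.0.2', ...                (survives minification)
HEADER_RE = re.compile(
    r"Prototype JavaScript framework,\s*version\s*([0-9][0-9A-Za-z._-]*)")
FIELD_RE = re.compile(r"Version\s*:\s*['\"]([0-9][0-9A-Za-z._-]*)['\"]")

# File names treated as prototypejs embeds (assumption for this example).
EMBED_NAMES = ("prototype.js", "prototype.min.js")


def parse_version(text):
    """Numeric part of a version string as a tuple: '1.5.1_rc4' -> (1, 5, 1).
    Pre-release suffixes are dropped, which errs toward flagging the file."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def extract_version(source):
    """Return the raw version string found in prototype.js source, or None."""
    for rx in (HEADER_RE, FIELD_RE):
        m = rx.search(source)
        if m:
            return m.group(1)
    return None


def affected_cves(version):
    """CVE ids whose cut-off the version tuple falls at or below."""
    return sorted(cve for cve, cutoff in AFFECTED.items() if version <= cutoff)


def scan_tree(root):
    """Map each prototype.js copy under root to its list of applicable CVEs.
    An empty list means the copy was found but is past both cut-offs; None
    means no version could be read, so a human must look at the file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in EMBED_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            raw = extract_version(source)
            ver = parse_version(raw) if raw else None
            findings[path] = affected_cves(ver) if ver else None
    return findings


def demo():
    """Constructed sample tree (not real packages) exercising each outcome."""
    samples = {
        "old/js/prototype.js": "/*  Prototype JavaScript framework, version 1.5.0\n"
                               " *  (c) 2005-2007 Sam Stephenson\n */\n"
                               "var Prototype = { Version: '1.5.0' };\n",
        "mid/prototype.min.js": "var Prototype={Version:'1.6.0.2',Browser:{}};\n",
        "fixed/prototype.js": "/*  Prototype JavaScript framework, version 1.6.0.3\n */\n"
                              "var Prototype = { Version: '1.6.0.3' };\n",
        "stripped/prototype.js": "function $(id){return document.getElementById(id);}\n",
    }
    root = tempfile.mkdtemp()
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.relpath(p, root): cves for p, cves in scan_tree(root).items()}


if __name__ == "__main__":
    for path, cves in sorted(demo().items()):
        print(path, "->", "UNKNOWN VERSION, check by hand" if cves is None else (cves or "not affected"))
```

Run it against an unpacked source package (replace the demo tree with the package directory) and treat a None result as a finding too: a minified or renamed copy that hides its version is exactly the kind of embed that a version-string check would otherwise silently pass.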
