[Secure-testing-team] mass prototypejs bug filing

Raphael Geissert geissert at debian.org
Sat Oct 10 19:50:39 UTC 2009


Hi Michael,

Michael S Gilbert wrote:
[...]
> I am about to do a mass bug filing on the prototypejs embeds, and want
> to make sure that it is ok to do so ahead of time since it involves 32
> separate packages that are affected, which is a lot of bugs.
> 

This kind of email should be sent to -devel, following the usual
conventions.

[...]
> severity: serious

I don't think they all deserve such severity (read below).

[...]
> your package contains an embedded version of prototypejs that is
> vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> earlier) [1], or both.
> 

It would be great if you could tell which one it is; otherwise, how do you
intend to track it?

> the version of your package specified above is the earliest version
> with the affected embed.  If this version is in one or both of the
> stable releases, please coordinate with the release team to accept new
> packages for the next point release. 

Hope you are taking into consideration that there might be an oldstable
upload, in which case the BTS would not think that the other branches (i.e.
stable, testing, unstable) are affected.

> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

Please note that not all of the web apps using prototype might be affected,
as not all of them use the vulnerable features.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
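Raphael's point that the bug report should say which of the two CVEs applies can be answered mechanically: read the version string out of the embedded prototype.js and compare it against the affected ceilings quoted in the thread (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The script below is an added illustration, not part of this thread or of any Debian tooling; it assumes prototype.js carries a `Version: '1.6.0.2'` literal near the top of the file, and the three sample headers are constructed.

```python
import re

# Inclusive upper bounds of the affected ranges, as stated in the thread.
AFFECTED_CVES = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# prototype.js declares its version near the top of the file, roughly
#   var Prototype = { Version: '1.6.0.2', ...
# (an assumption about the upstream file layout, not taken from the thread).
VERSION_RE = re.compile(r"""Version\s*:\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text):
    """Return the embedded Prototype version as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def applicable_cves(version):
    """CVEs whose affected range (version <= ceiling) contains this version."""
    hits = []
    for cve, ceiling in AFFECTED_CVES.items():
        # Right-pad with zeros so 1.5.1 compares sanely against 1.6.0.2.
        n = max(len(version), len(ceiling))
        v = version + (0,) * (n - len(version))
        c = ceiling + (0,) * (n - len(ceiling))
        if v <= c:
            hits.append(cve)
    return sorted(hits)


def triage(text):
    """(version, [CVEs]) for one embedded prototype.js source text."""
    version = parse_version(text)
    return (version, applicable_cves(version)) if version else (None, [])

# Constructed file headers standing in for three embedded copies.
SAMPLES = {
    "pkg-a": "var Prototype = {\n  Version: '1.5.0',\n",
    "pkg-b": "var Prototype = {\n  Version: '1.6.0.2',\n",
    "pkg-c": "var Prototype = {\n  Version: '1.6.0.3',\n",
}

if __name__ == "__main__":
    for pkg, src in SAMPLES.items():
        version, cves = triage(src)
        ver = ".".join(map(str, version)) if version else "unknown"
        print(f"{pkg}: prototype {ver} -> {', '.join(cves) or 'not affected'}")
```

A copy whose version string is missing or renamed comes back as unknown rather than silently "not affected", which is the case that still needs a human to look at the file.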