[Secure-testing-team] mass prototypejs bug filing
Michael S Gilbert
michael.s.gilbert at gmail.com
Mon Oct 19 00:12:43 UTC 2009

On Sat, 10 Oct 2009 14:50:39 -0500 Raphael Geissert wrote:
> Hi Michael,
>
> Michael S Gilbert wrote:
> [...]
> > i am about to do a mass bug filing on the prototypejs embeds, and want
> > to make sure that it is ok to do so ahead of time since it involves 32
> > separate packages that are affected, which is a lot of bugs.
> >
>
> This kind of email should be sent to -devel, following the usual
> conventions.

ok, will do.

> > your package contains an embedded version of prototypejs that is
> > vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> > earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> > earlier) [1], or both.
> >
>
> Would be great if you could tell which one it is; otherwise how do you
> intend to track it?

i'm making a list and will include appropriate info in each bug.

> > the version of your package specified above is the earliest version
> > with the affected embed. if this version is in one or both of the
> > stable releases, please coordinate with the release team to accept new
> > packages for the next point release.
>
> Please note that not all of the web apps using prototype might be affected,
> as not all of them use the vulnerable features.

i will add some wording that asks the maintainer to determine whether
they are affected or not.

thanks for the follow-up! this was very useful.

mike
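
An added example, not part of the original message: one way to record which of the two CVEs applies to each embedded copy, using only the "and earlier" version bounds quoted in the thread. It assumes the embed still carries one of prototype.js's usual version markers; the function names and sample strings are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the thread ("X and earlier").
CVE_UPPER_BOUNDS = {
    "CVE-2007-2383": "1.5.1",
    "CVE-2008-7220": "1.6.0.2",
}

# Assumption: the embedded copy keeps the header comment or the
# Prototype.Version property; stripped or minified copies need manual review.
VERSION_MARKERS = (
    re.compile(r"Prototype JavaScript framework, version\s+([0-9][\w.]*)"),
    re.compile(r"Prototype\s*=\s*\{\s*Version\s*:\s*['\"]([0-9][\w.]*)['\"]"),
)

def version_key(version):
    """Numeric tuple for comparison; a pre-release such as '1.6.0_rc1'
    is keyed by its numeric part, so it sorts no later than its release."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # so that 1.6.0 and 1.6 compare equal
    return tuple(parts)

def embedded_version(js_source):
    """Return the version string found in the source, or None."""
    for marker in VERSION_MARKERS:
        match = marker.search(js_source)
        if match:
            return match.group(1)
    return None

def candidate_cves(js_source):
    """Return (version, [CVE ids whose range covers it]).
    These are candidates only: the maintainer still has to determine
    whether the package uses the affected features."""
    version = embedded_version(js_source)
    if version is None:
        return None, []
    key = version_key(version)
    return version, sorted(cve for cve, bound in CVE_UPPER_BOUNDS.items()
                           if key <= version_key(bound))

# Constructed sample inputs, not taken from any real package.
SAMPLES = {
    "pkg-a": "/*  Prototype JavaScript framework, version 1.5.0\n */",
    "pkg-b": "var Prototype = {\n  Version: '1.6.0.2',\n  Browser: {}\n};",
    "pkg-c": "var Prototype = { Version: '1.6.0.3' };",
}

if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, *candidate_cves(source))
```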