[Secure-testing-team] mass prototypejs bug filing

Michael S Gilbert michael.s.gilbert at gmail.com
Mon Oct 19 00:12:43 UTC 2009


On Sat, 10 Oct 2009 14:50:39 -0500 Raphael Geissert wrote:
> Hi Michael,
> 
> Michael S Gilbert wrote:
> [...]
> > I am about to do a mass bug filing on the prototypejs embeds, and want
> > to make sure that it is ok to do so ahead of time since it involves 32
> > separate packages that are affected, which is a lot of bugs.
> > 
> 
> This kind of email should be sent to -devel, following the usual
> conventions.

OK, will do.

> > your package contains an embedded version of prototypejs that is
> > vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> > earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> > earlier) [1], or both.
> > 
> 
> Would be great if you could tell which one it is; otherwise how do you
> intend to track it?

I'm making a list and will include appropriate info in each bug.

> > the version of your package specified above is the earliest version
> > with the affected embed.  if this version is in one or both of the
> > stable releases, please coordinate with the release team to accept new
> > packages for the next point release. 
>
> Please note that not all of the web apps using prototype might be affected,
> as not all of them use the vulnerable features.

I will add some wording that asks the maintainer to determine whether
they are affected or not.

Thanks for the follow-up! This was very useful.

mike
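
The triage the thread describes (find each package's embedded prototype.js, read its version, and map it onto the two inclusive cutoffs quoted above: 1.5.1 and earlier for CVE-2007-2383, 1.6.0.2 and earlier for CVE-2008-7220) can be scripted. The following is an added example, not code from the thread or from the Debian security team; it assumes only that prototype.js announces itself with a header of the form `var Prototype = { Version: '1.6.0.3', ...`. The sample headers in SAMPLE_HEADERS are constructed for illustration. A version match only tells the maintainer the embed is in range; as Raphael points out, whether the web app actually uses the affected features still has to be checked by hand.

```python
"""Triage embedded copies of prototype.js against the two CVE ranges named
in the thread.  Added example (not part of the original mail); assumes the
version header format `var Prototype = { Version: 'X.Y.Z', ...` and the
inclusive upper bounds quoted in the thread.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive upper bounds as stated in the thread.
AFFECTED: Dict[str, Version] = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# prototype.js opens with `var Prototype = { Version: '1.6.0.3', ...`.
VERSION_RE = re.compile(r"Prototype\s*=\s*\{\s*Version\s*:\s*'(\d+(?:\.\d+)*)'")

# Constructed sample headers standing in for embedded copies (not real files).
SAMPLE_HEADERS: Dict[str, str] = {
    "pkg-a/js/prototype.js": "var Prototype = {\n  Version: '1.5.0',\n",
    "pkg-b/js/prototype.js": "var Prototype = {\n  Version: '1.6.0',\n",
    "pkg-c/js/prototype.js": "var Prototype = {\n  Version: '1.6.0.3',\n",
    "pkg-d/js/prototype.js": "/* header stripped by minifier */\n",
}


def parse_version(source: str) -> Optional[Version]:
    """Return the embedded copy's version as an int tuple, or None if absent."""
    m = VERSION_RE.search(source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def cves_for(version: Version) -> List[str]:
    """CVEs whose affected range (per the thread) includes `version`.

    Tuple comparison treats a missing trailing component as lower, so
    (1, 6, 0) <= (1, 6, 0, 2) flags 1.6.0 for CVE-2008-7220 while
    (1, 6, 0, 3) is not flagged.  1.5.1 and earlier land in both ranges.
    """
    return [cve for cve, bound in AFFECTED.items() if version <= bound]


def triage(source: str) -> Dict[str, object]:
    """Classify the text of one prototype.js copy."""
    version = parse_version(source)
    if version is None:
        return {"version": None, "cves": [],
                "note": "version header not found; inspect manually"}
    cves = cves_for(version)
    note = ("in affected range; confirm the app uses the affected features "
            "before filing" if cves else "not in either affected range")
    return {"version": ".".join(map(str, version)), "cves": cves, "note": note}


def triage_samples() -> Dict[str, Dict[str, object]]:
    """Run triage over the constructed samples (used when no path is given)."""
    return {name: triage(text) for name, text in SAMPLE_HEADERS.items()}


def scan_tree(root: Path) -> Iterator[Tuple[Path, Dict[str, object]]]:
    """Yield (path, triage result) for every prototype*.js under root."""
    for path in sorted(root.rglob("prototype*.js")):
        yield path, triage(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))
    else:
        results = triage_samples().items()
    for path, r in results:
        print(f"{path}: version={r['version']} cves={r['cves']} ({r['note']})")
```

Run it with an unpacked source tree as the argument to list every embedded copy and its range; with no argument it classifies the constructed samples. Versions that carry a non-numeric suffix (release candidates) do not match the header pattern and are reported for manual inspection rather than silently classified.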


