On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> package: libjson-ruby
> version: 1.1.2-1
> severity: serious
> tags: security
>
> Hi,
>
> Your package contains an embedded version of prototype.js that is
> vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
>
> Your package embeds the following prototype.js versions:
>
> sid: 1.6.0
> lenny: 1.6.0
> etch: N/A
>
> This is a mass-filing, and the only checking done so far is a version
> comparison, so please determine whether or not your package is itself
> affected or not. If it is not affected please close the bug with a
> message indicating this along with what you did to check.
>
> The version of your package specified above is the earliest version
> with the affected embedded code. If this version is in one or both of
> the stable releases and you are affected, please coordinate with the
> release team to prepare a proposed-update for your package to
> stable/oldstable.
>
> There are patches available for CVE-2007-2383 [2] and a backport for
> prototypejs 1.5 for CVE-2008-7720 [3].
>
> If you correct the problem in unstable, please make sure to include the
> CVE number in your changelog.
>
This should have been fixed for unstable in 1.1.4-1, see #555224. What should happen for stable, though?

-- 
Ryan Niebur
ryanrya...@gmail.com