On Fri, 20 Nov 2009 22:19:31 +0200, Niko Tyni wrote:
> On Thu, Jan 01, 1970 at 12:00:00AM +0000, Niko Tyni wrote:
> > On Wed, Nov 04, 2009 at 10:08:37PM -0500, Michael Gilbert wrote:
> > > see [0] for a link to a patch for the 2007 issue. see [1] for info and a
> > > link to a 1.5 version with the backported fix for the 2008 issue.
> > >
> > > [0] http://dev.rubyonrails.org/ticket/7910
> > > [1] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
>
> Thanks Michael.
>
> Given that the smokeping versions in Debian don't use JSON at all and
> definitely don't have a server side component that sends it, I don't
> see any attack vector for these vulnerabilities. Am I missing something?
i've never used smokeping before, so i'm not very familiar with it. i mainly work security issues, and for this one i've only spent enough time to determine whether the vulnerable code is present and nothing more. since you are the maintainer, you are in a much better position to correctly assess the impact and severity of the problem, so i will defer to your judgment.

> (Smokeping is only using prototype.js through the scriptaculous library,
> which gets used through cropper, which is a client-side image cropper UI.)

is this functionality at all exposed through the web interface or could it be exposed via other unanticipated ways or via files (cgi or other) served through the web interface? if after checking and thoroughly reviewing all of the references (specifically the "javascript hijacking" reference in CVE-2007-2383) you feel that the package is not affected due to the library being used only in a safe manner, then please feel free to close the bug.

thanks!
mike
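The exchange above turns on whether a server-side component sends JSON that a page on another origin could pull in through a script tag, which is what the "javascript hijacking" reference in CVE-2007-2383 describes. The following is an added example, not code from the bug report, from SmokePing, or from Prototype itself: it shows the mitigation the fixed Prototype versions support, a server wrapping its JSON body in a comment delimiter so the response yields nothing when loaded as a script, and a same-origin client stripping that delimiter before parsing. The `/*-secure-` delimiter and the filter regex are assumed to mirror the behaviour of Prototype's `String#unfilterJSON`; the function names, the `SECURE_JSON_FILTER` constant and the sample record are constructed for this example.

```javascript
// Added example: server-side JSON wrapping and client-side unwrapping in
// the style of Prototype 1.5.1+ (assumption: the "/*-secure-" delimiter and
// the filter below match what String#unfilterJSON strips by default).

// Server side: emit the JSON body inside a block comment. Loaded via a
// cross-origin <script src=...>, the whole body is a comment and yields no
// value, so the data cannot be captured that way.
function wrapSecureJSON(value) {
  return "/*-secure-\n" + JSON.stringify(value) + "\n*/";
}

// Client side (same-origin XMLHttpRequest, as an Ajax library would do):
// strip the delimiters and parse what is left. A body without the
// delimiters is rejected rather than silently parsed.
const SECURE_JSON_FILTER = /^\/\*-secure-\s*([\s\S]*?)\s*\*\/\s*$/;

function unwrapSecureJSON(body) {
  const m = SECURE_JSON_FILTER.exec(body);
  if (!m) {
    throw new Error("response is not a secure-wrapped JSON body");
  }
  return JSON.parse(m[1]);
}

// Models what a browser gets when it loads a response body as a script:
// the completion value of evaluating the body. A bare JSON array is a
// valid JavaScript expression and evaluates to the data; the wrapped form
// evaluates to undefined. Indirect eval stands in for script loading here.
function completionValueAsScript(body) {
  return (0, eval)(body);
}

// Constructed sample: a latency record of the kind a monitoring tool might
// hand to a client-side widget (not real SmokePing output).
const SAMPLE = [{ target: "host.example", rtt_ms: 12.5 }];

function demo() {
  const wrapped = wrapSecureJSON(SAMPLE);
  return {
    // what the same-origin client recovers from the wrapped body
    clientView: unwrapSecureJSON(wrapped),
    // what a script-tag load of the wrapped body yields (undefined)
    scriptViewWrapped: completionValueAsScript(wrapped),
    // what a script-tag load of a bare JSON array yields (the data)
    scriptViewBare: completionValueAsScript(JSON.stringify(SAMPLE)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The check a maintainer can take from this: the risk condition is a server endpoint that returns a bare JSON array (or object) to a GET request and that an authenticated browser could reach; a client-only library use, with no such endpoint, does not meet it.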