On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:
> On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
> > package: libjson-ruby
> > version: 1.1.2-1
> > severity: serious
> > tags: security
> >
> > Hi,
> >
> > Your package contains an embedded version of prototype.js that is
> > vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> > [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
> >
> > Your package embeds the following prototype.js versions:
> >
> > sid: 1.6.0
> > lenny: 1.6.0
> > etch: N/A
> >
> > This is a mass-filing, and the only checking done so far is a version
> > comparison, so please determine whether or not your package is itself
> > affected. If it is not affected, please close the bug with a
> > message indicating this along with what you did to check.
> >
> > The version of your package specified above is the earliest version
> > with the affected embedded code. If this version is in one or both of
> > the stable releases and you are affected, please coordinate with the
> > release team to prepare a proposed-update for your package to
> > stable/oldstable.
> >
> > There are patches available for CVE-2007-2383 [2] and a backport for
> > prototypejs 1.5 for CVE-2008-7720 [3].
> >
> > If you correct the problem in unstable, please make sure to include the
> > CVE number in your changelog.
>
> this should have been fixed for unstable in 1.1.4-1, see #555224. what
> should happen for stable though?
you should prepare an update for proposed-updates. see debian docs and talk to the release team for more info.

mike
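The check behind this mass-filing is a plain version comparison of the embedded prototype.js against the fix versions named in the report. The script below is an added example, not part of the bug report or of libjson-ruby; it assumes the header format that released prototype.js files carry (a "Prototype JavaScript framework, version X.Y.Z" comment and a `Version: '...'` field), and the sample file content is constructed.

```python
import re

# Fix versions from the bug report: CVE-2007-2383 is fixed in 1.5.1,
# CVE-2008-7220 in 1.6.0.2. Anything older is flagged.
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumed header and field layout of an embedded prototype.js copy.
_HEADER_RE = re.compile(r"Prototype JavaScript framework, version\s+([\d.]+)")
_FIELD_RE = re.compile(r"Version\s*:\s*'([\d.]+)'")


def parse_version(text):
    """Extract the embedded prototype.js version as an int tuple, or None."""
    m = _HEADER_RE.search(text) or _FIELD_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version, length):
    # 1.6.0 and 1.6.0.2 differ in length; compare them at equal width.
    return version + (0,) * (length - len(version))


def affected_cves(version):
    """Return the CVEs whose fix version is newer than the embedded copy."""
    hits = []
    for cve, fixed in FIXED_IN.items():
        width = max(len(version), len(fixed))
        if _pad(version, width) < _pad(fixed, width):
            hits.append(cve)
    return hits


def check_file(text):
    """None if no prototype.js version was found, else the list of open CVEs."""
    version = parse_version(text)
    if version is None:
        return None
    return affected_cves(version)


# Constructed sample mirroring the header of a 1.6.0 copy (the version
# the report lists for sid and lenny).
SAMPLE_160 = (
    "/*  Prototype JavaScript framework, version 1.6.0\n"
    " *  (c) 2005-2007 Sam Stephenson\n */\n"
    "var Prototype = {\n  Version: '1.6.0',\n"
)

if __name__ == "__main__":
    print(check_file(SAMPLE_160))
```

A 1.6.0 copy is reported as still open for CVE-2008-7220 only, which matches the report's reasoning; the result says nothing about whether the package actually exercises the affected code, which is the check the maintainer is asked to do by hand.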