Your message dated Mon, 23 Nov 2009 13:49:13 +0000
with message-id <e1nczi1-0005ea...@ries.debian.org>
and subject line Bug#555244: fixed in exaile 0.2.14+debian-2.1
has caused the Debian Bug report #555244,
regarding exaile: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555244: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: exaile
version: 0.2.11.1+debian-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security



--- End Message ---
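An added check, not part of the bug report above or of the exaile package, that automates the version comparison the mass-filing describes: it walks a package source tree, finds embedded prototype.js copies, reads the version from the file's header comment, and flags copies older than the fixed versions named in the report (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The header layout, the `demo()` sample tree and all path names are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Thresholds from the bug report: a copy is affected by CVE-2007-2383 if
# older than 1.5.1 and by CVE-2008-7220 if older than 1.6.0.2.
ADVISORIES = (
    ("CVE-2007-2383", (1, 5, 1)),
    ("CVE-2008-7220", (1, 6, 0, 2)),
)
# Assumed header shape of prototype.js: "Prototype JavaScript framework, version X.Y.Z"
VERSION_RE = re.compile(r"Prototype JavaScript framework,\s*version\s*([0-9][0-9.]*)")


def parse_version(text):
    """Return the embedded version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(text[:2000])
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None


def affected_by(version):
    """List the CVE ids whose fixed version is newer than the embedded version."""
    hits = []
    for cve, fixed in ADVISORIES:
        n = max(len(version), len(fixed))  # pad the shorter tuple with zeros
        if version + (0,) * (n - len(version)) < fixed + (0,) * (n - len(fixed)):
            hits.append(cve)
    return hits


def scan_tree(root):
    """Map each embedded prototype*.js (relative path) to (version, [cve, ...]).

    A copy whose header cannot be parsed is reported with version None so it
    gets checked by hand, as the mass-filing asks maintainers to do anyway."""
    findings = {}
    for path in Path(root).rglob("prototype*.js"):
        version = parse_version(path.read_text(errors="replace"))
        findings[str(path.relative_to(root))] = (version, affected_by(version) if version else [])
    return findings


def demo():
    """Constructed sample tree (not the exaile source) with two embedded copies."""
    root = Path(tempfile.mkdtemp())
    (root / "data" / "js").mkdir(parents=True)
    (root / "data" / "js" / "prototype.js").write_text(
        "/*  Prototype JavaScript framework, version 1.5.1.1\n */\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "prototype.js").write_text(
        "/*  Prototype JavaScript framework, version 1.6.0.2\n */\n")
    return scan_tree(root)
```

For the 1.5.1.1 copy this reports only CVE-2008-7220, matching the report's finding for the sid and lenny versions.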
--- Begin Message ---
Source: exaile
Source-Version: 0.2.14+debian-2.1

We believe that the bug you reported is fixed in the latest version of
exaile, which is due to be installed in the Debian FTP archive:

exaile_0.2.14+debian-2.1.diff.gz
  to main/e/exaile/exaile_0.2.14+debian-2.1.diff.gz
exaile_0.2.14+debian-2.1.dsc
  to main/e/exaile/exaile_0.2.14+debian-2.1.dsc
exaile_0.2.14+debian-2.1_all.deb
  to main/e/exaile/exaile_0.2.14+debian-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Hauke Rahm <j...@debian.org> (supplier of updated exaile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Wed, 18 Nov 2009 12:42:46 +0100
Source: exaile
Binary: exaile
Architecture: source all
Version: 0.2.14+debian-2.1
Distribution: unstable
Urgency: low
Maintainer: François Févotte <francois.fevo...@ensta.org>
Changed-By: Jan Hauke Rahm <j...@debian.org>
Description: 
 exaile     - flexible audio player, similar to Amarok, but written in GTK+
Closes: 555244
Changes: 
 exaile (0.2.14+debian-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix "CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities"
     by removing the embedded copy and linking to libjs-prototype
     (Closes: #555244)




--- End Message ---
