Your message dated Wed, 02 Dec 2009 18:33:54 +0000
with message-id <e1nfu1s-0001fg...@ries.debian.org>
and subject line Bug#558977: fixed in libhtml-prototype-perl 1.48-3
has caused the Debian Bug report #558977,
regarding libhtml-prototype-perl: CVE-2007-2383 and CVE-2008-7720
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
558977: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558977
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: libhtml-prototype-perl
version: 1.48-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0
  lenny: 1.4.0
  etch: 1.4.0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected.  If it is not affected, please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security



--- End Message ---
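
The version comparison that the report above describes can be sketched as follows. This is an added example, not part of the thread or of Debian's tooling; it assumes the embedded file declares its release as `Version: '...'` the way prototype.js does, and takes the fixed-in versions from the report. A hit only marks a candidate, since the report notes that a version match alone does not show the package is affected.

```python
import re

# Fixed-in versions as stated in the bug report above.
FIXED_IN = {
    "CVE-2007-2383": "1.5.1",
    "CVE-2008-7220": "1.6.0.2",
}

# Assumption: the file declares its release as  Version: '1.4.0'
VERSION_RE = re.compile(r"""Version:\s*['"]([0-9][0-9A-Za-z._]*)['"]""")


def version_key(version):
    """Turn '1.6.0.2' or '1.5.1_rc2' into a sortable tuple."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if match is None:
        raise ValueError("unparseable version: %r" % version)
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))      # pad so 1.5.1 == 1.5.1.0
    is_final = 0 if match.group(2) else 1    # a suffix (_rc2) sorts before the final release
    return tuple(numbers) + (is_final,)


def embedded_version(js_source):
    """Return the version declared in a prototype.js source text, or None."""
    match = VERSION_RE.search(js_source)
    return match.group(1) if match else None


def candidate_cves(js_source):
    """List the CVEs whose fixed-in version is newer than the embedded copy."""
    version = embedded_version(js_source)
    if version is None:
        return None  # no version string found; needs manual review
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if version_key(version) < version_key(fixed))


# Constructed sample: the opening lines of a prototype.js-like file.
SAMPLE_1_4_0 = """
var Prototype = {
  Version: '1.4.0',
  emptyFunction: function() {}
}
"""

if __name__ == "__main__":
    print(embedded_version(SAMPLE_1_4_0), candidate_cves(SAMPLE_1_4_0))
```
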
--- Begin Message ---
Source: libhtml-prototype-perl
Source-Version: 1.48-3

We believe that the bug you reported is fixed in the latest version of
libhtml-prototype-perl, which is due to be installed in the Debian FTP archive:

libhtml-prototype-perl_1.48-3.diff.gz
  to main/libh/libhtml-prototype-perl/libhtml-prototype-perl_1.48-3.diff.gz
libhtml-prototype-perl_1.48-3.dsc
  to main/libh/libhtml-prototype-perl/libhtml-prototype-perl_1.48-3.dsc
libhtml-prototype-perl_1.48-3_all.deb
  to main/libh/libhtml-prototype-perl/libhtml-prototype-perl_1.48-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 558...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Retout <t...@retout.co.uk> (supplier of updated libhtml-prototype-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Dec 2009 10:59:47 +0000
Source: libhtml-prototype-perl
Binary: libhtml-prototype-perl
Architecture: source all
Version: 1.48-3
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Tim Retout <t...@retout.co.uk>
Description: 
 libhtml-prototype-perl - module to generate HTML and Javascript for the Prototype library
Closes: 538920 558977
Changes: 
 libhtml-prototype-perl (1.48-3) unstable; urgency=high
 .
   * Set urgency to 'high' for security bug fix.
   * debian/control:
     + Add self to Uploaders.
     + Bump Standards-Version to 3.8.3.
     + Build-Depend on debhelper (>= 7.0.8) and quilt (>= 0.46-7).
     + Add Build-Depends-Indep and Depends on libjs-prototype and
       libjs-scriptaculous.
   * debian/rules: Add --with quilt.
   * debian/README.source: New standard quilt README.source.
   * debian/copyright: Add self to debian/* stanza.
   * debian/patches/use-system-prototype: New patch to make use of the
     prototype library provided by Debian, rather than the embedded copy.
     Addresses CVE-2007-2383 and CVE-2008-7720. (Closes: #558977)
   * debian/patches/use-system-scriptaculous-controls,
     debian/patches/use-system-scriptaculous-dragdrop,
     debian/patches/use-system-scriptaculous-effects: New patches to make
     use of the Debian libjs-scriptaculous library. (Closes: #538920)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
