Your message dated Sun, 20 Dec 2009 13:20:39 +0000
with message-id <e1nmlib-0005j5...@ries.debian.org>
and subject line Bug#555249: fixed in symfony 1.0.21-1.1
has caused the Debian Bug report #555249,
regarding symfony: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: symfony
version: 1.0.17-4
severity: serious
tags: security
Hi,
Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
Your package embeds the following prototype.js versions:
sid: 1.5.0
lenny: 1.5.0
etch: N/A
This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected. If it is not affected please close the bug with a
message indicating this along with what you did to check.
The version of your package specified above is the earliest version
with the affected embedded code. If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.
There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].
If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.
Thank you for your attention to this problem.
Mike
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
--- End Message ---
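The report above asks each maintainer to repeat the version comparison that the mass-filing was based on. The script below is an added example (not from the bug report, the Debian BTS or the symfony package): it walks a source tree, reads the `Version: '…'` declaration from every embedded `prototype.js`, and lists which of the two CVEs that version predates, using the fixed releases named in the report (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The sample tree it builds, the file headers in it and the paths `web/js/` and `lib/vendor/` are constructed for the demonstration.

```python
"""Added example: report embedded prototype.js copies whose declared version
predates the fixed releases named in Debian bug #555249."""
import os
import re
import tempfile

# prototype.js declares its version near the top of the file as
#   var Prototype = { Version: '1.5.0', ... }
VERSION_RE = re.compile(r"Version:\s*'([0-9][0-9.]*)'")

# Earliest release carrying the fix, as given in the bug report.
FIXED = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}


def parse_version(text):
    """Return the declared version as an int tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def affected_cves(version):
    """CVEs whose fixed release is newer than the embedded version.

    Tuple comparison treats a missing trailing component as lower, so
    (1, 6, 0) < (1, 6, 0, 2) and 1.6.0 is still flagged for CVE-2008-7220.
    """
    return [cve for cve, fixed in FIXED.items() if version < fixed]


def scan_tree(root):
    """Map each prototype.js under root (relative path) to (version, cves)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "prototype.js":
                continue
            path = os.path.join(dirpath, name)
            # The header sits in the first few KB; no need to read a whole file.
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read(4096))
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if version is None:
                results[rel] = (None, ["unknown"])
            else:
                results[rel] = (".".join(map(str, version)), affected_cves(version))
    return results


def build_sample_tree():
    """Constructed sample: two embedded copies, 1.5.0 and 1.5.1.2 (the
    version the NMU switched to). Returns the tree's root directory."""
    root = tempfile.mkdtemp(prefix="proto-scan-")
    copies = {
        "web/js/prototype.js": "1.5.0",
        "lib/vendor/prototype.js": "1.5.1.2",
    }
    for rel, ver in copies.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        # Constructed header in the style of the real file's preamble.
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(
                "/*  Prototype JavaScript framework, version %s\n" % ver
                + " *  (c) 2005-2007 Sam Stephenson\n */\n\n"
                + "var Prototype = {\n  Version: '%s',\n" % ver
                + "  BrowserFeatures: {}\n};\n"
            )
    return root


if __name__ == "__main__":
    for rel, (ver, cves) in sorted(scan_tree(build_sample_tree()).items()):
        print("%s: %s -> %s" % (rel, ver, ", ".join(cves) or "not affected"))
```

Note what this check can and cannot tell you: 1.5.1.2 is still reported for CVE-2008-7220 because its number predates 1.6.0.2, even though the report itself points at a backported fix for the 1.5 series. A version comparison finds candidates; whether the backport is actually present in a given copy has to be confirmed by reading the file, which is why the mass-filing asks maintainers to say what they checked.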
--- Begin Message ---
Source: symfony
Source-Version: 1.0.21-1.1
We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive:
php5-symfony1.0_1.0.21-1.1_all.deb
to main/s/symfony/php5-symfony1.0_1.0.21-1.1_all.deb
symfony_1.0.21-1.1.debian.tar.gz
to main/s/symfony/symfony_1.0.21-1.1.debian.tar.gz
symfony_1.0.21-1.1.dsc
to main/s/symfony/symfony_1.0.21-1.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Federico Gimenez Nieto <fgime...@coit.es> (supplier of updated symfony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 15 Dec 2009 19:44:21 +0100
Source: symfony
Binary: php5-symfony1.0
Architecture: source all
Version: 1.0.21-1.1
Distribution: unstable
Urgency: medium
Maintainer: Martin Meredith <m...@debian.org>
Changed-By: Federico Gimenez Nieto <fgime...@coit.es>
Description:
php5-symfony1.0 - Open-Source PHP Web Framework
Closes: 555249
Changes:
symfony (1.0.21-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix "CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities"
by replacing prototype 1.5.0 with 1.5.1.2 (Closes: #555249) with
quilt patch (also added source format 3.0 (quilt))
* Fixed required dependency on php-pear (pear is used in postinst script)
Checksums-Sha1:
cce6c6ac9b75880e102a6c978b1603e49a9c6c69 1055 symfony_1.0.21-1.1.dsc
f519fd906ad61580890ad363a03e9586ff50a42c 23154 symfony_1.0.21-1.1.debian.tar.gz
8b7fbbc01755b12b868ca3f41347edcb4b89ff83 2629130 php5-symfony1.0_1.0.21-1.1_all.deb
Checksums-Sha256:
c8be6361984974380a25eb1fa596759cc1850cebde9e6213a760dd128632dfae 1055 symfony_1.0.21-1.1.dsc
310e25f325d1bea217478390b0a4390e8902c1a8642b1e888930a533eae632df 23154 symfony_1.0.21-1.1.debian.tar.gz
97e011e7b0e176df844aa05705833870c73bc3adb77a2ef7a03697705ef68e9b 2629130 php5-symfony1.0_1.0.21-1.1_all.deb
Files:
1d812966b92672146447d9b6a69d56f3 1055 php optional symfony_1.0.21-1.1.dsc
2e9ae96b09429b8cedb4e57702749e34 23154 php optional symfony_1.0.21-1.1.debian.tar.gz
4e3507ce2c735361b5a65b471dc878f0 2629130 php optional php5-symfony1.0_1.0.21-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksuHPMACgkQMDatjqUaT905rQCgnOv9GTuVD4UzqDIWPAPrLq6h
xSIAoIN7sH/meSrR4aNTkrhsIvSgYUoc
=jAtX
-----END PGP SIGNATURE-----
--- End Message ---