Your message dated Sun, 31 Jan 2010 19:56:44 +0000
with message-id <e1nbfuw-0005by...@ries.debian.org>
and subject line Bug#555223: fixed in libjson-ruby 1.1.2-1+lenny1
has caused the Debian Bug report #555223,
regarding libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555223: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555223
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: libjson-ruby
version: 1.1.2-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: 1.6.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security



--- End Message ---
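The report above says its only check was a version comparison of the embedded prototype.js against the fixed-in releases. The following is an added example of that check (not part of the bug report or of the Debian tooling); it assumes prototype.js declares its version as `Version: '1.6.0'` inside the Prototype object, as the 1.5 and 1.6 releases did, and the sample inputs are constructed.

```ruby
# Added example: flag an embedded prototype.js copy whose declared version is
# older than the fixed-in release of each CVE named in the report.
# Assumption: the file carries a "Version: '<x.y.z>'" property (1.5/1.6 layout).
require 'rubygems'

# Fixed-in versions from the report: copies *before* these are affected.
PROTOTYPE_FIXES = {
  'CVE-2007-2383' => Gem::Version.new('1.5.1'),
  'CVE-2008-7220' => Gem::Version.new('1.6.0.2'),
}.freeze

VERSION_RE = /\bVersion:\s*'([0-9][0-9.]*)'/

# Declared prototype.js version found in the source text, or nil if absent.
def prototype_version(source)
  m = VERSION_RE.match(source)
  m && Gem::Version.new(m[1])
end

# CVE ids whose fixed-in version is newer than the embedded copy.
# Gem::Version orders 1.6.0 below 1.6.0.2, so the dotted comparison is sound.
def affected_cves(source)
  version = prototype_version(source)
  return [] unless version
  PROTOTYPE_FIXES.select { |_, fixed| version < fixed }.keys
end

# Constructed samples mimicking the header of each release.
SAMPLE_1_5_0   = "var Prototype = {\n  Version: '1.5.0',\n};\n"
SAMPLE_1_6_0   = "var Prototype = {\n  Version: '1.6.0',\n  Browser: {}\n};\n"
SAMPLE_1_6_0_2 = "var Prototype = {\n  Version: '1.6.0.2',\n};\n"

if __FILE__ == $0
  # 1.6.0 (the version lenny and sid embedded) is only past the 2007 fix.
  [SAMPLE_1_5_0, SAMPLE_1_6_0, SAMPLE_1_6_0_2].each do |src|
    puts "#{prototype_version(src)}: #{affected_cves(src).join(', ')}"
  end
end
```

As the report notes, a version match only shows the copy is old; whether the package actually exposes the vulnerable code paths still has to be checked by hand, and the Debian fix here sidesteps the question by depending on the shared libjs-prototype package instead of an embedded copy.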
--- Begin Message ---
Source: libjson-ruby
Source-Version: 1.1.2-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libjson-ruby, which is due to be installed in the Debian FTP archive:

edit-json_1.1.2-1+lenny1_all.deb
  to main/libj/libjson-ruby/edit-json_1.1.2-1+lenny1_all.deb
libjson-ruby-doc_1.1.2-1+lenny1_all.deb
  to main/libj/libjson-ruby/libjson-ruby-doc_1.1.2-1+lenny1_all.deb
libjson-ruby1.8_1.1.2-1+lenny1_i386.deb
  to main/libj/libjson-ruby/libjson-ruby1.8_1.1.2-1+lenny1_i386.deb
libjson-ruby_1.1.2-1+lenny1.diff.gz
  to main/libj/libjson-ruby/libjson-ruby_1.1.2-1+lenny1.diff.gz
libjson-ruby_1.1.2-1+lenny1.dsc
  to main/libj/libjson-ruby/libjson-ruby_1.1.2-1+lenny1.dsc
libjson-ruby_1.1.2-1+lenny1_all.deb
  to main/libj/libjson-ruby/libjson-ruby_1.1.2-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Niebur <r...@debian.org> (supplier of updated libjson-ruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 08 Nov 2009 22:33:47 -0800
Source: libjson-ruby
Binary: libjson-ruby libjson-ruby-doc libjson-ruby1.8 edit-json
Architecture: source all i386
Version: 1.1.2-1+lenny1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Esteban Manchado Velázquez <z...@debian.org>
Changed-By: Ryan Niebur <r...@debian.org>
Description: 
 edit-json  - JSON files editor
 libjson-ruby - JSON library for Ruby (default Ruby version)
 libjson-ruby-doc - JSON library for Ruby (documentation)
 libjson-ruby1.8 - JSON library for Ruby (Ruby 1.8 version)
Closes: 555223 555224
Changes: 
 libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
 .
   * Security Fix for JSON::Pure::Parser. A specially designed string
     could cause catastrophic backtracking in one of the parser's regular
     expressions. (fixed upstream in version 1.1.7)
   * Use the version of prototype.js from libjs-prototype. The included
     version had a security issue. (Closes: #555224, #555223)



--- End Message ---