Your message dated Fri, 04 Jun 2010 22:17:17 +0000
with message-id <e1okfcx-0007k8...@ries.debian.org>
and subject line Bug#555235: fixed in ebug-http 0.31-2.1
has caused the Debian Bug report #555235,
regarding ebug-http: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555235: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555235
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: ebug-http
version: 0.31-2
severity: serious
tags: security
Hi,
Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
Your package embeds the following prototype.js versions:
sid: 1.2.0
lenny: 1.2.0
etch: N/A
This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected. If it is not affected please close the bug with a
message indicating this along with what you did to check.
The version of your package specified above is the earliest version
with the affected embedded code. If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.
There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7220 [3].
If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.
Thank you for your attention to this problem.
Mike
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
--- End Message ---
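Mike's message says the mass filing was based only on a version comparison and asks each maintainer to check whether their package is actually affected. The following Python script is an added example, not part of the bug report and not Debian's own tooling: it reads the version marker out of each embedded prototype.js copy and compares it with the two fixed-in versions the report names (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The two header patterns and the sample file contents are assumptions constructed for the example; the 1.2.0 value mirrors the version the report lists for sid and lenny.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Thresholds quoted in the bug report: CVE-2007-2383 affects prototype.js
# before 1.5.1, CVE-2008-7220 affects prototype.js before 1.6.0.2.
ADVISORIES: List[Tuple[str, Version]] = [
    ("CVE-2007-2383", (1, 5, 1)),
    ("CVE-2008-7220", (1, 6, 0, 2)),
]

# Assumption: a prototype.js copy announces its version either in the
# banner comment ("Prototype JavaScript framework, version 1.6.0.2") or in
# the Prototype object ("Version: '1.6.0.2'"). Both forms are matched.
_BANNER = re.compile(r"Prototype JavaScript framework,\s*version\s+(\d+(?:\.\d+)*)")
_PROPERTY = re.compile(r"\bVersion\s*:\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_version(text: str) -> Version:
    """'1.6.0.2' -> (1, 6, 0, 2)."""
    return tuple(int(part) for part in text.split("."))


def compare_versions(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 1.5 == 1.5.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def detect_version(source: str) -> Optional[Version]:
    """Extract the embedded version, or None if no marker is found."""
    for pattern in (_BANNER, _PROPERTY):
        match = pattern.search(source)
        if match:
            return parse_version(match.group(1))
    return None


def affected_cves(version: Version) -> List[str]:
    """CVEs whose fixed-in version is newer than the embedded one."""
    return [cve for cve, fixed_in in ADVISORIES
            if compare_versions(version, fixed_in) < 0]


def scan(files: Dict[str, str]) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each path to (version string or None, list of applicable CVEs).

    A copy whose version cannot be read is reported with a None version and
    an empty CVE list, so it is not silently treated as safe."""
    report: Dict[str, Tuple[Optional[str], List[str]]] = {}
    for path, source in files.items():
        version = detect_version(source)
        if version is None:
            report[path] = (None, [])
        else:
            report[path] = (".".join(map(str, version)), affected_cves(version))
    return report


# Constructed sample inputs (not real package contents). The first mirrors the
# 1.2.0 copy the report says ebug-http shipped; the others exercise the
# fixed-in boundary and the unknown-version case.
SAMPLE_FILES = {
    "ebug-http/static/prototype.js":
        "/*  Prototype JavaScript framework, version 1.2.0\n *  (c) Sam Stephenson */\n",
    "other/prototype.js":
        "var Prototype = {\n  Version: '1.5.1',\n  Browser: {}\n};\n",
    "patched/prototype.js":
        "/*  Prototype JavaScript framework, version 1.6.0.3 */\n",
    "mystery/prototype.min.js":
        "var Prototype={Browser:{}};\n",
}

if __name__ == "__main__":
    for path, (version, cves) in scan(SAMPLE_FILES).items():
        if version is None:
            status = "version unknown, inspect manually"
        elif cves:
            status = "affected by " + ", ".join(cves)
        else:
            status = "not affected"
        print(f"{path}: {version or '?'}: {status}")
```

Running it prints one line per file. A copy whose version marker cannot be read is reported as unknown rather than as safe, which is the case a pure version comparison would otherwise miss. The fix that closed this bug in 0.31-2.1 sidesteps the comparison altogether by dropping the embedded copy in favour of the packaged libjs-prototype, so one maintained copy is updated for every package that uses it.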
--- Begin Message ---
Source: ebug-http
Source-Version: 0.31-2.1
We believe that the bug you reported is fixed in the latest version of
ebug-http, which is due to be installed in the Debian FTP archive:
ebug-http_0.31-2.1.diff.gz
to main/e/ebug-http/ebug-http_0.31-2.1.diff.gz
ebug-http_0.31-2.1.dsc
to main/e/ebug-http/ebug-http_0.31-2.1.dsc
ebug-http_0.31-2.1_all.deb
to main/e/ebug-http/ebug-http_0.31-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hideki Yamane <henr...@debian.org> (supplier of updated ebug-http package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Jun 2010 06:36:56 +0900
Source: ebug-http
Binary: ebug-http
Architecture: source all
Version: 0.31-2.1
Distribution: unstable
Urgency: high
Maintainer: Peter Makholm <pe...@makholm.net>
Changed-By: Hideki Yamane <henr...@debian.org>
Description:
ebug-http - web front end to a simple, extensible Perl debugger
Closes: 555235
Changes:
ebug-http (0.31-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* fix CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities by
using libjs-prototype package (Closes: #555235)
Checksums-Sha1:
9f92ad481ed905ee2e6557356c5cbf739162df53 2021 ebug-http_0.31-2.1.dsc
1a82312bacbb24c40fc19b1ceb0af3567bbbffc7 2719 ebug-http_0.31-2.1.diff.gz
5561dc62697a34e714fb22416b864e3b8218b261 35674 ebug-http_0.31-2.1_all.deb
Checksums-Sha256:
af424af030e7ae284b0dd550ccaa4d79198e54df33a9a7d96ed2bf6c9c275d60 2021 ebug-http_0.31-2.1.dsc
e3ff1579e657b1a81e881237f9f75172369d45551fa04f74f540d80890d2d7bb 2719 ebug-http_0.31-2.1.diff.gz
85a3c5612762311b5f83c0d14b62aeeb4357237186a3ee282d87abf86682147b 35674 ebug-http_0.31-2.1_all.deb
Files:
aee297889346ae99b763dbd787be0422 2021 perl optional ebug-http_0.31-2.1.dsc
b5ffa6dd3abb91c6d129ade530aa0e47 2719 perl optional ebug-http_0.31-2.1.diff.gz
a4510cdd69011cf0125526383f470048 35674 perl optional ebug-http_0.31-2.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
=acbX
-----END PGP SIGNATURE-----
--- End Message ---