Your message dated Tue, 01 Dec 2009 10:02:24 +0000
with message-id <e1nfpyu-0003fc...@ries.debian.org>
and subject line Bug#555244: fixed in exaile 0.2.14+debian-2.2
has caused the Debian Bug report #555244,
regarding exaile: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555244: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: exaile
version: 0.2.11.1+debian-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security

--- End Message ---
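The version comparison the mass-filing describes, as an added example that is not part of the bug report or the exaile package: it reads the version string out of an embedded prototype.js and reports which of the two CVEs still apply, using the fixed-in thresholds the report gives (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220). The two version-string patterns and the sample snippet are assumptions about the file layout, not taken from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the bug report: CVE-2007-2383 affects prototype.js
# before 1.5.1 and CVE-2008-7220 affects prototype.js before 1.6.0.2.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumed layout of prototype.js: the version appears in the header comment
# ("Prototype JavaScript framework, version 1.5.1.1") and in the Prototype
# object ("Version: '1.5.1.1'"); either form is accepted.
_VERSION_RE = re.compile(
    r"(?:Prototype JavaScript framework, version|Version:\s*')\s*(\d+(?:\.\d+)*)"
)

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def extract_version(source: str) -> Optional[Tuple[int, ...]]:
    match = _VERSION_RE.search(source)
    return parse_version(match.group(1)) if match else None

def affecting_cves(version: Tuple[int, ...]) -> List[str]:
    """CVEs whose fixed-in version is newer than the embedded version."""
    found = []
    for cve, fixed in FIXED_IN.items():
        width = max(len(version), len(fixed))
        # Right-pad with zeros so 1.5.1 and 1.5.1.0 compare equal.
        padded = version + (0,) * (width - len(version))
        threshold = fixed + (0,) * (width - len(fixed))
        if padded < threshold:
            found.append(cve)
    return found

def check_source(source: str) -> dict:
    """Report the embedded version and the CVEs that still apply to it."""
    version = extract_version(source)
    if version is None:
        return {"version": None, "cves": []}
    return {"version": ".".join(map(str, version)), "cves": affecting_cves(version)}

def check_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_source(fh.read())

# Constructed sample mirroring the 1.5.1.1 copy the report lists for sid/lenny.
SAMPLE_1_5_1_1 = "/*  Prototype JavaScript framework, version 1.5.1.1 */\nvar Prototype = {\n  Version: '1.5.1.1',\n"
```

Run `check_file` over each prototype.js in an unpacked package tree; a result with an empty `cves` list is the version-comparison equivalent of "not affected", which still needs the manual confirmation the report asks for.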
--- Begin Message ---
Source: exaile
Source-Version: 0.2.14+debian-2.2

We believe that the bug you reported is fixed in the latest version of
exaile, which is due to be installed in the Debian FTP archive:

exaile_0.2.14+debian-2.2.diff.gz
  to main/e/exaile/exaile_0.2.14+debian-2.2.diff.gz
exaile_0.2.14+debian-2.2.dsc
  to main/e/exaile/exaile_0.2.14+debian-2.2.dsc
exaile_0.2.14+debian-2.2_all.deb
  to main/e/exaile/exaile_0.2.14+debian-2.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Hauke Rahm <j...@debian.org> (supplier of updated exaile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Tue, 01 Dec 2009 10:17:01 +0100
Source: exaile
Binary: exaile
Architecture: source all
Version: 0.2.14+debian-2.2
Distribution: unstable
Urgency: medium
Maintainer: François Févotte <francois.fevo...@ensta.org>
Changed-By: Jan Hauke Rahm <j...@debian.org>
Description: 
 exaile     - flexible audio player, similar to Amarok, but written in GTK+
Closes: 555244 558219
Changes: 
 exaile (0.2.14+debian-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Really fix the prototype issue. Last upload introduced total nonsense due
     to working on different packages at the same time. Sorry! Thanks to Ralf
     Treinen and Xavier Lüthi for discovering it! (Closes: #555244, #558219)


--- End Message ---