Your message dated Sat, 07 Jan 2012 23:03:21 +0000 with message-id <e1rjfih-0000kn...@franck.debian.org> and subject line Bug#653962: fixed in libv8 3.6.6.14-2 has caused the Debian Bug report #653962, regarding libv8 predictable hash collisions to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
653962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653962
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libv8
Severity: serious
Tags: security

Hi,

It was reported that V8 is affected by the predictable hash collisions attack that made its rounds around the net this week. This is tracked at http://security-tracker.debian.org/tracker/CVE-2011-5037

Can you ensure that fixed packages are uploaded to sid as soon as possible, and assert whether a fix for squeeze would be necessary?

Also please note that the security tracker has a number of other open issues for libv8. Do you have any more information on the status of those?
http://security-tracker.debian.org/tracker/source-package/libv8

Cheers,
Thijs
--- End Message ---
--- Begin Message ---
Source: libv8
Source-Version: 3.6.6.14-2

We believe that the bug you reported is fixed in the latest version of libv8, which is due to be installed in the Debian FTP archive:

libv8-3.6.6.14_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-3.6.6.14_3.6.6.14-2_amd64.deb
libv8-dbg_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-dbg_3.6.6.14-2_amd64.deb
libv8-dev_3.6.6.14-2_amd64.deb
  to main/libv/libv8/libv8-dev_3.6.6.14-2_amd64.deb
libv8_3.6.6.14-2.debian.tar.gz
  to main/libv/libv8/libv8_3.6.6.14-2.debian.tar.gz
libv8_3.6.6.14-2.dsc
  to main/libv/libv8/libv8_3.6.6.14-2.dsc

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 653...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated libv8 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Sat, 07 Jan 2012 22:29:06 +0100
Source: libv8
Binary: libv8-dev libv8-3.6.6.14 libv8-dbg
Architecture: source amd64
Version: 3.6.6.14-2
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapo...@melix.org>
Description:
 libv8-3.6.6.14 - v8 JavaScript engine - runtime library
 libv8-dbg  - v8 JavaScript engine - debugging symbols
 libv8-dev  - v8 JavaScript engine - development files
Closes: 653962
Changes:
 libv8 (3.6.6.14-2) unstable; urgency=low
 .
   * Land hash collision fix for V8 3.6. Closes: bug#653962.
     This fixes CVE-2011-5037.
   * snapshot=off, because hash is randomized by a secret key that
     is otherwise readable in the snapshot.
--- End Message ---