[DRE-maint] Bug#555263: activeldap: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
package: activeldap
version: 1.0.1-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1) [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both. Your package embeds the following prototype.js versions:

sid: 1.6.0.3 (not affected)
lenny: 1.6.0.1
etch: N/A

This is a mass-filing, and the only checking done so far is a version comparison, so please determine whether or not your package is itself affected. If it is not affected, please close the bug with a message indicating this along with what you did to check.

The version of your package specified above is the earliest version with the affected embedded code. If this version is in one or both of the stable releases and you are affected, please coordinate with the release team to prepare a proposed-update for your package to stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security

___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-ruby-extras-maintainers
[DRE-maint] Bug#555263: activeldap: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Coin,

Quoting Michael Gilbert:

> Your package embeds the following prototype.js versions:
>
> sid: 1.6.0.3 (not affected)
> lenny: 1.6.0.1
> etch: N/A

You're right, libactiveldap-ruby-doc has a prototype.js file included. Happily, it is not part of the software itself, but of one of the examples, provided in the /usr/share/doc/libactiveldap-ruby-doc/examples/al-admin.tgz tarball. As it is only an example, and not directly usable, I guess the severity of this bug could be lowered a bit.

I guess I should have a look at the other potentially embedded libraries, like the Spinelz one, which was just discovered, as it could have the same sort of problems.

I plan to have a look at this problem in a few days, when back from my holidays.

Thanks for the report.

--
Marc Dequènes (Duck)
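The bug report's check is a plain version comparison, and the reply shows the copy lived inside a documentation tarball rather than as a loose file. The following script, added here as an illustration and not part of either mail or of the activeldap package, walks a package tree, reads the `Version: '…'` declaration that prototype.js carries in its `Prototype` object (the exact form is an assumption), looks inside `.tgz`/`.tar.gz` archives such as al-admin.tgz, and reports which of the two CVEs named in the report (using CVE-2008-7220 as given in reference [1]) apply to each copy found.

```python
import os
import re
import tarfile

# Fix versions as stated in the bug report: a copy older than the
# tuple is affected by that CVE.
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),     # prototype.js before 1.5.1
    "CVE-2008-7220": (1, 6, 0, 2),  # prototype.js before 1.6.0.2
}

# prototype.js declares its version as  Version: '1.6.0.3'  inside the
# Prototype object; the regex assumes that form (assumption).
VERSION_RE = re.compile(r"""Version:\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text):
    """Turn '1.6.0.1' into (1, 6, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def extract_version(source):
    """Return the version string declared in a prototype.js source, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def affected_cves(version):
    """List the CVEs whose fix version is newer than the given one."""
    parsed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if parsed < fixed)


def report(source):
    """Pair a source's declared version with the CVEs that apply to it."""
    version = extract_version(source)
    return (version, affected_cves(version) if version else [])


def scan_tree(root):
    """Map every prototype.js under root, including copies packed inside
    .tgz/.tar.gz archives (the al-admin.tgz case), to (version, cves)."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "prototype.js":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[path] = report(fh.read())
            elif name.endswith((".tgz", ".tar.gz")):
                with tarfile.open(path) as tar:
                    for member in tar.getmembers():
                        if member.isfile() and member.name.endswith("prototype.js"):
                            data = tar.extractfile(member).read()
                            findings[f"{path}:{member.name}"] = report(
                                data.decode("utf-8", "replace"))
    return findings
```

Run `scan_tree("/usr/share/doc/libactiveldap-ruby-doc")` (or the unpacked source tree) to get a mapping from each copy found to its version and the CVEs it is still open to; an empty CVE list means the copy is at or past both fix versions.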