Hi, I am about to do a mass bug filing on the prototypejs embeds, and want to make sure that it is OK to do so ahead of time, since it involves 32 separate packages that are affected, which is a lot of bugs.

Following is the mail that I intend to send. I suggest that maintainers push fixes in the next point release rather than a DSA, with the logic being that it would be a major hassle to issue so many DSAs. I will mark all of them no-dsa in the tracker. Does that sound alright?

Mike

-------------------------------------------------------------------------

Package: auth2db
Version: 0.2.5-2+dfsg-1
Severity: serious
Tags: security

Hi,

Your package contains an embedded version of prototypejs that is vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and earlier) [1], or both. The version of your package specified above is the earliest version with the affected embed. If this version is in one or both of the stable releases, please coordinate with the release team to accept new packages for the next point release.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

