On Sat, 10 Oct 2009 14:50:39 -0500 Raphael Geissert wrote:
> Hi Michael,
>
> Michael S Gilbert wrote:
> [...]
> > i am about to do a mass bug filing on the prototypejs embeds, and want
> > to make sure that it is ok to do so ahead of time since it involves 32
> > separate packages that are affected, which is a lot of bugs.
> >
>
> This kind of email should be sent to -devel, following the usual
> conventions.

ok, will do.

> > your package contains an embedded version of prototypejs that is
> > vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> > earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> > earlier) [1], or both.
> >
>
> Would be great if you could tell which one it is; otherwise how do you
> intend to track it?

i'm making a list and will include appropriate info in each bug.

> > the version of your package specified above is the earliest version
> > with the affected embed. if this version is in one or both of the
> > stable releases, please coordinate with the release team to accept new
> > packages for the next point release.
>
> Please note that not all of the web apps using prototype might be affected,
> as not all of them use the vulnerable features.

i will add some wording that asks the maintainer to determine whether
they are affected or not.

thanks for the follow-up! this was very useful.

mike

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

