
Proposed mass prototypejs bug filing for multiple security issues
Hi,

The prototypejs script has been found to be vulnerable to a couple of
security issues [0],[1].  This script is embedded in about 32 other
packages and I would like to file bugs against all of those that are
affected. Since this would probably be considered a mass filing, I am
running it past -devel first.

I intend to send the following two bug reports for each vulnerable
package: one bug on the vulnerabilities themselves and the other bug
asking for the maintainer to switch to the system/shared prototypejs.
I will fill in affected version numbers (Y.Y.Y) on a per-package basis.

Let me know if this is OK, and whether there is anything else I should
be aware of.

Here are the affected source packages:
        - auth2db <unfixed> (embed)
        - webcit <unfixed> (embed)
        - asterisk <unfixed> (embed)
        - doc-iana <unfixed> (embed)
        - libaws <unfixed> (embed)
        - libgettext-ruby <unfixed> (embed)
        - libjson-ruby <unfixed> (embed)
        - lucene2 <unfixed> (embed)
        - libopenid-ruby <unfixed> (embed)
        - solr <unfixed> (embed)
        - glpi <unfixed> (embed)
        - mnemo2 <unfixed> (embed)
        - nag2 <unfixed> (embed)
        - knowledgeroot <unfixed> (embed)
        - mediatomb <unfixed> (embed)
        - mt-daapd <unfixed> (embed)
        - op-panel <unfixed> (embed)
        - ebug-http <unfixed> (embed)
        - phpgedview <removed> (embed)
        - poker-network <unfixed> (embed)
        - webhelpers <unfixed> (embed)
        - qwik <unfixed> (embed)
        - rails <unfixed> (embed)
        - typo3-src <unfixed> (embed)
        - wordpress 2.5.0-2 (embed)
        - zope <unfixed> (embed)
        - smokeping <unfixed> (embed)
        - ampache 3.4.1-2 (embed)
        - exaile <unfixed> (embed)
        - hobix <unfixed> (embed)
        - pixelpost <unfixed> (embed)
        - symfony <unfixed> (embed)
        - zabbix <unfixed> (embed)
        - turba2 <unfixed> (embed)

Mike

-------------------------------------------------------------------------
package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototypejs that is
vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
earlier) [1], or both.

Your package embeds prototypejs version Y.Y.Y and is affected [only
by CVE-2007-2383 / only by CVE-2008-7220 / by both issues].

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

-------------------------------------------------------------------------
package: auth2db
version: 0.2.5-2+dfsg-1
severity: important
tags: security

Hi,

Your package embeds prototypejs version X.X.X, which makes security
updates very cumbersome, difficult, and potentially error-prone. Please
update your package to make use of the system prototypejs provided by
the prototypejs package.

Thank you very much for your attention to this matter.

Mike
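The version comparison behind this mass filing, as an added example that is not part of the original mail: a script that locates embedded copies of prototype.js in an unpacked source package, reads the version string from the `Prototype` object, and reports which of the two CVEs apply according to the ranges quoted in the bug template (1.5.1 and earlier for CVE-2007-2383, 1.6.0.2 and earlier for CVE-2008-7220). The sample source tree it builds is constructed for the demonstration and is not the contents of any listed package.

```python
# Find embedded prototype.js copies and classify them by the CVE ranges in the bug template.
import re
import tempfile
from pathlib import Path

# Inclusive upper bounds of the affected versions, as stated in the bug template.
AFFECTED = {
    "CVE-2007-2383": (1, 5, 1),     # prototypejs 1.5.1 and earlier
    "CVE-2008-7220": (1, 6, 0, 2),  # prototypejs 1.6.0.2 and earlier
}

# prototype.js declares its version at the top of the Prototype object:
#   var Prototype = { Version: '1.6.0.2', ...
VERSION_RE = re.compile(r"Prototype\s*=\s*\{\s*Version:\s*['\"](\d+(?:\.\d+)+)['\"]")

def parse_version(text):
    """'1.6.0.2' -> (1, 6, 0, 2); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.split("."))

def affecting_cves(version):
    """Return the CVE ids whose affected range includes this version string."""
    v = parse_version(version)
    return sorted(cve for cve, upper in AFFECTED.items() if v <= upper)

def scan_tree(root):
    """Map each embedded prototype.js under root (relative path) to (version, cves)."""
    findings = {}
    for path in Path(root).rglob("*.js"):
        match = VERSION_RE.search(path.read_text(errors="replace"))
        if match:
            version = match.group(1)
            findings[str(path.relative_to(root))] = (version, affecting_cves(version))
    return findings

def build_sample_tree():
    """Constructed stand-in for an unpacked source package (not any real package's files)."""
    root = Path(tempfile.mkdtemp())
    (root / "web" / "js").mkdir(parents=True)
    (root / "vendor").mkdir()
    (root / "web" / "js" / "prototype.js").write_text(
        "var Prototype = {\n  Version: '1.5.1',\n  Browser: {}\n};\n")
    (root / "web" / "js" / "app.js").write_text("var App = { Version: '2.0' };\n")
    (root / "vendor" / "prototype.js").write_text(
        "var Prototype = {\n  Version: '1.6.0',\n  Browser: {}\n};\n")
    return root

if __name__ == "__main__":
    for rel, (version, cves) in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: prototypejs {version} -> {', '.join(cves) or 'not affected'}")
```

A version match only says the embedded copy is in the affected range; whether the package actually exposes the vulnerable code paths still has to be checked by hand, which is what the bug template asks maintainers to do.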
