
Re: RFS: mantis (updated package)



On Thu, Dec 31, 2009 at 6:41 AM, sils <sils@powered-by-linux.com> wrote:

> #555264 was reported from a mass-filing advice, it was about
> prototypejs vulnerabilities, but it didn't affect mantis, because
> prototype.js file is no longer distributed in mantis debian package
> since version 1.1.2+dfsg-1 (see changelog for more info [0]).
>
> Same thing applies to #555265, mantis does not embed prototype.js in
> debian distribution.

In that case you can close the bug right now with a versioned -done message:

http://www.debian.org/Bugs/Developer#closing

#555265 is still kind of valid since the source tarball still contains
prototype.js, please consult with the security team about that one.

It seems there are several copies of jscalendar in the archive, you
might want to get that documented in the security team's
embedded-code-copies file and it added to lintian's warnings about
embedded Javascript files. Packaging it separately would be a good
idea too obviously.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

