
Bug#555266: marked as done (otrs2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities)

Your message dated Tue, 10 Nov 2009 19:47:59 +0000
with message-id <E1N7wh5-0004Pz-Fc@ries.debian.org>
and subject line Bug#555266: fixed in otrs2 2.3.4-6
has caused the Debian Bug report #555266,
regarding otrs2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

555266: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555266
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: otrs2
version: 2.3.4-5
severity: serious
tags: security


Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.


[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security

--- End Message ---
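The report above is based on a version comparison of embedded prototype.js copies. The following is an added example of such an audit, not code from the bug report or from the otrs2 package: it walks a source tree, reads the version from the upstream header comment (assumed to be "Prototype JavaScript framework, version X.Y.Z") and compares it against the first fixed releases. The 1.5.1 cutoff for CVE-2007-2383 is stated in the report; the 1.6.0.2 cutoff for CVE-2008-7220 is an assumption taken from the title of link [3].

```python
"""Audit a tree for embedded prototype.js copies and flag vulnerable versions.
Added example, not part of the bug report or the otrs2 package."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# CVE -> first fixed upstream version.  1.5.1 is stated in the report;
# 1.6.0.2 is an assumption inferred from the prototypejs release-notes URL.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumed upstream header, e.g. "Prototype JavaScript framework, version 1.5.1"
HEADER_RE = re.compile(r"Prototype JavaScript framework,\s*version\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple from the header comment, or None if absent."""
    m = HEADER_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so 1.6.0 compares correctly against 1.6.0.2."""
    return v + (0,) * (n - len(v))


def affected_cves(version: Tuple[int, ...]) -> List[str]:
    """List the CVEs whose fix is newer than the embedded version."""
    hits = []
    for cve, fixed in FIXED_IN.items():
        n = max(len(version), len(fixed))
        if _pad(version, n) < _pad(fixed, n):
            hits.append(cve)
    return hits


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Map each embedded prototype*.js under root to its affected CVEs."""
    report: Dict[str, List[str]] = {}
    for path in root.rglob("prototype*.js"):
        version = parse_version(path.read_text(errors="replace"))
        report[str(path)] = affected_cves(version) if version else ["unknown version"]
    return report


if __name__ == "__main__":
    for p, cves in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(f"{p}: {', '.join(cves) or 'not affected'}")
```

Run against an unpacked source package; an embedded 1.5.1 copy, as listed for sid above, is reported as affected by CVE-2008-7220 only.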
--- Begin Message ---
Source: otrs2
Source-Version: 2.3.4-6

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive:

  to main/o/otrs2/otrs2_2.3.4-6.diff.gz
  to main/o/otrs2/otrs2_2.3.4-6.dsc
  to main/o/otrs2/otrs2_2.3.4-6_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555266@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 10 Nov 2009 20:14:00 +0100
Source: otrs2
Binary: otrs2
Architecture: source all
Version: 2.3.4-6
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
 otrs2      - Open Ticket Request System
Closes: 555266 555267
 otrs2 (2.3.4-6) unstable; urgency=high
   * QA upload.
   * Do not use the embedded copy of prototype.js anymore.
     Closes: #555267
     - This also fixes CVE-2007-2383 and CVE-2008-7220.
       Closes: #555266



--- End Message ---
