Bug#555516: s-p-u: libjson-ruby security issues
On Mon, 2009-11-09 at 21:11 -0800, Ryan Niebur wrote:
> > Two security issues. Here's the changelog entry:
> > libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
> > * Security Fix for JSON::Pure::Parser. A specially designed string
> > could cause catastrophic backtracking in one of the parser's regular
> > expressions. (fixed upstream in version 1.1.7)
> > * Use the version of prototype.js from libjs-prototype. The included
> > version had a security issue. (Closes: #555224, #555223)
Apologies for not getting back to you sooner.
We've been discussing how to handle the prototype updates and will most
likely approve this update but would like to confirm a couple of things:
a) that the current embedded copy of prototype is an unmodified version
from prototype upstream and
b) the package has been tested to ensure it operates correctly with the
new version of prototype on the relevant Debian release.
I have one small query specific to this update:
> > +binary-install/libjson-ruby-doc::
> > + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> > + dh_link -plibjson-ruby-doc
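Review bot: the dh_link call after the rm is given only -plibjson-ruby-doc and no source/destination pair, so nothing in these lines puts a prototype.js back in the examples directory. If the examples are meant to use the libjs-prototype copy, as the changelog entry says, either pass the link pair to dh_link here or add a debian/libjson-ruby-doc.links file, and check that libjson-ruby-doc declares a relationship on libjs-prototype so the link does not dangle. Otherwise the examples ship without the script they load.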
There doesn't appear to be a debian/libjson-ruby-doc.links (or indeed
debian/*.links) so the dh_link call appears to be redundant.