hi,

i am about to do a mass bug filing on the prototypejs embeds, and want to make sure that it is ok to do so ahead of time since it involves 32 separate packages that are affected, which is a lot of bugs. following is the mail that i intend to send. i suggest that maintainers push fixes in the next point release, rather than a dsa, with the logic being that it would be a major hassle to issue so many dsas. i will mark all of them no-dsa in the tracker. does that sound alright?

mike

-------------------------------------------------------------------------

package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

hi,

your package contains an embedded version of prototypejs that is vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and earlier) [1], or both. the version of your package specified above is the earliest version with the affected embed. if this version is in one or both of the stable releases, please coordinate with the release team to accept new packages for the next point release.

thank you for your attention to this problem.

mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
Hi Michael,

Michael S Gilbert wrote:
[...]
> i am about to do a mass bug filing on the prototypejs embeds, and want
> to make sure that it is ok to do so ahead of time since it involves 32
> separate packages that are affected, which is a lot of bugs.
>

This kind of email should be sent to -devel, following the usual conventions.

[...]
> severity: serious

I don't think they all deserve such severity (read below).

[...]
> your package contains an embedded version of prototypejs that is
> vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> earlier) [1], or both.
>

Would be great if you could tell which one it is; otherwise how do you intend to track it?

> the version of your package specified above is the earliest version
> with the affected embed. if this version is in one or both of the
> stable releases, please coordinate with the release team to accept new
> packages for the next point release.

Hope you are taking into consideration that there might be an oldstable upload, in which case the BTS would not think that the other branches (i.e. stable, testing, unstable) are affected.

>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

Please note that not all of the web apps using prototype might be affected, as not all of them use the vulnerable features.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
On Sat, 10 Oct 2009 14:50:39 -0500 Raphael Geissert wrote:

> Hi Michael,
>
> Michael S Gilbert wrote:
> [...]
> > i am about to do a mass bug filing on the prototypejs embeds, and want
> > to make sure that it is ok to do so ahead of time since it involves 32
> > separate packages that are affected, which is a lot of bugs.
> >
>
> This kind of email should be sent to -devel, following the usual
> conventions.

ok, will do.

> > your package contains an embedded version of prototypejs that is
> > vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
> > earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
> > earlier) [1], or both.
> >
>
> Would be great if you could tell which one it is; otherwise how do you
> intend to track it?

i'm making a list and will include appropriate info in each bug.

> > the version of your package specified above is the earliest version
> > with the affected embed. if this version is in one or both of the
> > stable releases, please coordinate with the release team to accept new
> > packages for the next point release.
>
> Please note that not all of the web apps using prototype might be affected,
> as not all of them use the vulnerable features.

i will add some wording that asks the maintainer to determine whether they are affected or not.

thanks for the follow-up! this was very useful.

mike
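The thread leaves open how to record, per package, which of the two CVEs an embedded prototype.js copy actually falls under (Raphael's "tell which one it is", Mike's "making a list"). The following is an added example, not code from the thread or from Debian's tooling: it reads the `Version: '...'` field that the prototype.js source declares in its `Prototype` object, compares it against the two "and earlier" thresholds stated in the bug mail (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220), and produces one tracking line per package. The package names and file headers below are constructed sample input, and the assumption is that the embedded copy still carries an unmodified numeric `Version` string; a copy without one is reported for manual inspection rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as stated in the bug mail ("<version> and earlier").
AFFECTED_UP_TO = {
    "CVE-2007-2383": "1.5.1",
    "CVE-2008-7220": "1.6.0.2",
}

# prototype.js declares its version as  Version: '1.6.0.3'  inside var Prototype = { ... }
VERSION_RE = re.compile(r"""Version\s*:\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.6.0.2' -> (1, 6, 0, 2)."""
    return tuple(int(part) for part in v.split("."))


def version_le(a: str, b: str) -> bool:
    """True if dotted version a is <= b, padding shorter tuples with zeros
    so that 1.5.1 == 1.5.1.0 and 1.5.1.1 > 1.5.1."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) <= tb + (0,) * (width - len(tb))


def extract_version(source: str) -> Optional[str]:
    """Pull the declared Prototype version out of a prototype.js source text."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def applicable_cves(version: str) -> List[str]:
    """All CVEs whose 'and earlier' threshold the given version falls under."""
    return [cve for cve, last in AFFECTED_UP_TO.items() if version_le(version, last)]


def classify_embed(source: str) -> Dict[str, object]:
    version = extract_version(source)
    if version is None:
        return {"version": None, "cves": [], "manual_review": True}
    return {"version": version, "cves": applicable_cves(version), "manual_review": False}


def tracking_line(package: str, pkg_version: str, source: str) -> str:
    """One line per package for the list that goes into each bug report."""
    info = classify_embed(source)
    if info["manual_review"]:
        return f"{package} {pkg_version}: prototype.js version not found, inspect manually"
    cves = ", ".join(info["cves"]) or "none of the listed CVEs"
    return f"{package} {pkg_version}: prototype.js {info['version']} -> {cves}"


# Constructed sample embeds (hypothetical package names and versions).
SAMPLE_EMBEDS = {
    ("examplepkg-a", "1.0-1"): "/* Prototype JavaScript framework */\nvar Prototype = {\n  Version: '1.5.0',\n",
    ("examplepkg-b", "2.3-2"): "var Prototype = {\n  Version: \"1.5.1.1\",\n  Browser: {}\n",
    ("examplepkg-c", "0.9-1"): "var Prototype = {\n  Version: '1.6.0.3',\n",
    ("examplepkg-d", "4.1-1"): "// stripped build, no version marker\nvar Prototype = {};\n",
}


def build_list() -> List[str]:
    return [tracking_line(pkg, ver, src) for (pkg, ver), src in SAMPLE_EMBEDS.items()]


if __name__ == "__main__":
    for line in build_list():
        print(line)
```

Version matching only answers which CVE range a copy falls into; as Raphael points out, whether the application actually exercises the vulnerable features is a separate, manual question, so a package in range is a candidate for review, not automatically a confirmed issue.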