auth2db: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Related Vulnerabilities: CVE-2007-2383   CVE-2008-7720   CVE-2008-7220  

Debian Bug report logs - #555217
auth4db: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities


Package: auth4db; Maintainer for auth4db is Ulises Vitulli <dererk@debian.org>; Source for auth4db is src:auth4db (PTS, buildd, popcon).

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 9 Nov 2009 00:12:05 UTC

Severity: serious

Tags: security

Found in version auth4db/0.2.5-2+dfsg-1

Done: Dererk <dererk@madap.com.ar>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ulises Vitulli <uvitulli@fi.uba.ar>:
Bug#555217; Package auth4db. (Mon, 09 Nov 2009 00:12:08 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ulises Vitulli <uvitulli@fi.uba.ar>. (Mon, 09 Nov 2009 00:12:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: auth4db: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Date: Sun, 8 Nov 2009 19:10:00 -0500
package: auth4db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototype.js 1.6.0.2 and
earlier) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: 1.5.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security




Reply sent to Dererk <dererk@madap.com.ar>:
You have taken responsibility. (Mon, 09 Nov 2009 13:48:10 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 09 Nov 2009 13:48:10 GMT) (full text, mbox, link).


Message #10 received at 555217-done@bugs.debian.org (full text, mbox, reply):

From: Dererk <dererk@madap.com.ar>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 555217-done@bugs.debian.org
Subject: Re: Bug#555217: auth4db: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Date: Mon, 09 Nov 2009 10:35:33 -0300
[Message part 1 (text/plain, inline)]
Michael Gilbert wrote:
> package: auth4db
> version: 0.2.5-2+dfsg-1
> severity: serious
> tags: security
>
> Hi,
>
> Your package contains an embedded version of prototype.js that is
> vulnerable to either CVE-2007-2383 (affecting prototype.js 1.5.1 and
> earlier) [0], CVE-2008-7220 (affecting prototype.js 1.6.0.2 and
> earlier) [1], or both.
>
> Your package embeds the following prototype.js versions:
>   
Hello!

auth4DB indeed includes the referred .js in its source, but it doesn't
include it in the build target; instead it depends on libjs-prototype, which
is symlinked at my installation path.


Thanks for caring.


Greetings,

Dererk


-- 
BOFH excuse #359: 
YOU HAVE AN I/O ERROR -> Incompetent Operator error.


[signature.asc (application/pgp-signature, attachment)]
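The two checks discussed in this bug log, the submitter's version comparison against the affected ranges (1.5.1 and earlier for CVE-2007-2383, 1.6.0.2 and earlier for CVE-2008-7220) and the maintainer's point that the built package ships a symlink to libjs-prototype rather than an embedded copy, can be automated over a package tree. The script below is an added example written for this page; it is not part of the bug report, of auth4db, or of any Debian tooling. It assumes the prototype.js header carries a `Version: '...'` field, that Debian's libjs-prototype installs its shared copy under `/usr/share/javascript/prototype`, and it audits a constructed temporary tree rather than a real package.

```python
"""Audit a package tree for embedded prototype.js copies (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Thresholds taken from the bug report: CVE-2007-2383 affects prototype.js
# 1.5.1 and earlier, CVE-2008-7220 affects 1.6.0.2 and earlier.
AFFECTED_UP_TO = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Assumption: the shared copy provided by Debian's libjs-prototype lives here.
SYSTEM_PROTOTYPE_DIR = "/usr/share/javascript/prototype"

# Assumption about the header layout: prototype.js declares its version as
# "Version: '1.5.0'," near the top; the '=' form is accepted as well.
_VERSION_RE = re.compile(r"""Version\s*[:=]\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def parse_version(text):
    """Return the version as an int tuple, or None if no version header is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def affected_cves(version):
    """List the CVEs whose affected range (<= upper bound) contains this version."""
    return [cve for cve, bound in AFFECTED_UP_TO.items() if version <= bound]


def audit_file(path, system_dir=SYSTEM_PROTOTYPE_DIR):
    """Classify one prototype.js: symlink into the system copy, or an embedded copy."""
    path = Path(path)
    if path.is_symlink():
        target = os.readlink(path)
        if not os.path.isabs(target):
            target = os.path.normpath(os.path.join(path.parent, target))
        inside = target == system_dir or target.startswith(system_dir + "/")
        return {"status": "system-symlink" if inside else "foreign-symlink",
                "target": target, "cves": []}
    version = parse_version(path.read_text(errors="replace"))
    if version is None:
        return {"status": "unknown-version", "version": None, "cves": []}
    cves = affected_cves(version)
    return {"status": "embedded-vulnerable" if cves else "embedded-ok",
            "version": ".".join(map(str, version)), "cves": cves}


def audit_tree(root):
    """Find every prototype.js under root; keys are paths relative to root."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for name in files:
            if name == "prototype.js":
                full = Path(dirpath) / name
                results[full.relative_to(root).as_posix()] = audit_file(full)
    return results


def demo():
    """Build a constructed package tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: the upstream source still carries its own 1.5.0 copy.
        src = root / "src" / "js" / "prototype.js"
        src.parent.mkdir(parents=True)
        src.write_text("/* Prototype JavaScript framework */\n"
                       "var Prototype = {\n  Version: '1.5.0',\n};\n")
        # Constructed: the built package replaces it with a symlink to libjs-prototype.
        built = root / "debian" / "tmp" / "usr" / "share" / "auth4db" / "js" / "prototype.js"
        built.parent.mkdir(parents=True)
        built.symlink_to(SYSTEM_PROTOTYPE_DIR + "/prototype.js")
        # Constructed: a vendored copy newer than both affected ranges.
        newer = root / "contrib" / "prototype.js"
        newer.parent.mkdir(parents=True)
        newer.write_text("var Prototype = {\n  Version: '1.6.1',\n};\n")
        return audit_tree(root)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info)
```

Run against a real source tree plus its `debian/tmp` staging area, the source copy shows up as `embedded-vulnerable` with both CVEs listed (1.5.0 sits inside both ranges), while the staged file reports `system-symlink`, which is exactly the distinction the maintainer relied on to close the bug. A `foreign-symlink` or `embedded-*` result under the staging area is the case that would need a real fix.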

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 08 Dec 2009 07:27:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:18:50 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.