Multiple security issues

Debian Bug report logs - #687574

Package: libv8; Maintainer for libv8 is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 13 Sep 2012 21:30:02 UTC

Severity: grave

Tags: security

Fixed in version libv8/3.8.9.20-2

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#687574; Package libv8. (Thu, 13 Sep 2012 21:30:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 13 Sep 2012 21:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Thu, 13 Sep 2012 23:27:29 +0200
Package: libv8
Severity: grave
Tags: security

Hi,
please check the status of these security issues in libv8.
They were all fixed in Chrome, but it's not clear from
which Chrome release the libv8 package in Wheezy was cut:

http://security-tracker.debian.org/tracker/CVE-2011-3111
http://security-tracker.debian.org/tracker/CVE-2011-3057
http://security-tracker.debian.org/tracker/CVE-2011-2881
http://security-tracker.debian.org/tracker/CVE-2011-3115
http://security-tracker.debian.org/tracker/CVE-2011-3103
http://security-tracker.debian.org/tracker/CVE-2011-3092
http://security-tracker.debian.org/tracker/CVE-2011-2875

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#687574; Package libv8. (Fri, 28 Sep 2012 22:06:06 GMT)


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 28 Sep 2012 22:06:06 GMT)


Message #10 received at 687574@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 687574@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#687574: Multiple security issues
Date: Sat, 29 Sep 2012 00:01:46 +0200

On 13/09/2012 23:27, Moritz Muehlenhoff wrote:
> Package: libv8
> Severity: grave
> Tags: security
> 
> Hi,
> please check the status of these security issues in libv8.
> They were all fixed in Chrome, but it's not clear from
> which Chrome release the libv8 package in Wheezy was cut:
> 
> http://security-tracker.debian.org/tracker/CVE-2011-3111
> http://security-tracker.debian.org/tracker/CVE-2011-3057
> http://security-tracker.debian.org/tracker/CVE-2011-2881
> http://security-tracker.debian.org/tracker/CVE-2011-3115
> http://security-tracker.debian.org/tracker/CVE-2011-3103
> http://security-tracker.debian.org/tracker/CVE-2011-3092
> http://security-tracker.debian.org/tracker/CVE-2011-2875

Hi, the current status of these CVEs in libv8 3.8.9.20-1 is:

CVE-2011-3111
Fixed in upstream version libv8 3.8.9.23.

Those CVEs are fixed or not applicable in libv8 3.8.9.20:
CVE-2011-3057 fixed
CVE-2011-2881 fixed
CVE-2011-3115 affects libv8 >= 3.9
CVE-2011-3103 affects libv8 >= 3.9
CVE-2011-3092 affects libv8 >= 3.9
CVE-2011-2875 fixed


I'm preparing a libv8 3.8.9.20-2 package fixing CVE-2011-3111 (and a few
other bugs).

Regards,
Jérémy




Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Fri, 28 Sep 2012 22:30:03 GMT)


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Sat, 29 Sep 2012 00:06:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 29 Sep 2012 00:06:03 GMT)


Message #17 received at 687574-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 687574-close@bugs.debian.org
Subject: Bug#687574: fixed in libv8 3.8.9.20-2
Date: Sat, 29 Sep 2012 00:02:36 +0000
Source: libv8
Source-Version: 3.8.9.20-2

We believe that the bug you reported is fixed in the latest version of
libv8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687574@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated libv8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 Sep 2012 01:04:06 +0200
Source: libv8
Binary: libv8-dev libv8-3.8.9.20 libv8-dbg
Architecture: source amd64
Version: 3.8.9.20-2
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description: 
 libv8-3.8.9.20 - v8 JavaScript engine - runtime library
 libv8-dbg  - v8 JavaScript engine - debugging symbols
 libv8-dev  - v8 JavaScript engine - development files
Closes: 687574
Changes: 
 libv8 (3.8.9.20-2) unstable; urgency=low
 .
   * Cherry-picked four upstream patches from 3.8.9.29:
     + r11654.patch: fix CVE-2011-3111, closes:bug#687574.
     + r12161.patch: Fix ICs for slow objects with native accessor.
     + r12336.patch: Fix bug in compare IC.
     + r12460.patch: Fix some corner cases in skipping native methods
                     using caller. Fix binding in new Function().

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBmMlEACgkQDMRIEQdBQdwEcgCgrTABJOVPL+OTlTval4wzkBZE
c80AoJl/c6k6GB1A1FNPMPYAnEyraIqV
=ueES
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:15:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:15:53 2019; Machine Name: beach
