[AWS] Debian reports security vulnerabilities in prototype.js bundled with AWS

Ludovic Brenta ludovic at ludovic-brenta.org
Mon Nov 9 10:15:12 CET 2009


Please see the two bugs filed today:

Bug#555221: libaws: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Bug#555222: libaws: embeds prototype.js

http://bugs.debian.org/555221
http://bugs.debian.org/555222

What is the current situation in the Subversion repository?  The
versions of AWS involved are 2.5w (r124785) in stable and 2.5 (r125080)
in testing and unstable.

What is prototype.js used for? Examples only or actual functionality?  I
see it is part of web_elements.

What would be the effort to migrate to the version of prototype.js
provided in Debian (currently 1.6.0.2-4 in stable and 1.6.1-1 in testing
and unstable)?

Since these are security vulnerabilities affecting stable, these bugs
get the highest priority and I will upload a security fix to stable.  If
a fix is not possible, AWS will be removed from Debian stable
altogether: it is better to have nothing at all than insecure software.
OTOH, if the prototype.js is only used in examples and not in the actual
library, the problem is not really serious (I think this is the case but
I'd like confirmation).

Thanks for your help and attention.

PS. As a long-term enhancement request, I ask that you NOT bundle ANY
software with AWS or any other software, i.e. remove any bundled
software from Subversion and, instead, add instructions to the README or
INSTALL files explaining the dependencies.  Today's security
vulnerabilities are just the last in a long list of problems caused by
software bundled in AdaCore's source trees.  Previous problems included
copyright infringements (see the discussions we had on
polyorb-users at l.adacore.com a couple months ago) and at least one severe
bug in GPS (see http://bugs.debian.org/297980 - two months elapsed time
and 3 volunteers spending dozens of hours investigating).

-- 
Ludovic Brenta.
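The question above is really two questions: where in the tree a copy of prototype.js is vendored, and whether its version is older than the one Debian ships. The following script answers both for any source checkout. It is an added example and is not code from the AWS project, AdaCore, or the poster. It assumes the 1.6.0.2 release cited above as Debian stable's version is the oldest acceptable one (confirm that against the advisory for the CVEs in question), relies on the banner comment every prototype.js release carries, and uses a constructed sample tree whose paths and version numbers are invented for the demo; the page does not say which version AWS actually bundles.

```python
"""Find vendored copies of prototype.js in a source tree and flag old ones.

Added example, not code from the AWS project or the mailing-list post.
"""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Assumption: the 1.6.0.2 release that Debian stable packages is taken as the
# oldest acceptable version. Confirm the fixed version against the advisory
# for the CVEs you care about before relying on this number.
BASELINE = "1.6.0.2"

# Every prototype.js release starts with a banner comment such as
#   /*  Prototype JavaScript framework, version 1.6.0.2
BANNER_RE = re.compile(
    r"Prototype JavaScript framework,\s*version\s+([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> Optional[str]:
    """Return the version named in a prototype.js banner, or None."""
    m = BANNER_RE.search(text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1, 0) so tuples compare component-wise."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_outdated(version: str, baseline: str = BASELINE) -> bool:
    """True when version sorts before the baseline release."""
    return version_key(version) < version_key(baseline)


def scan_tree(root: str, baseline: str = BASELINE) -> Dict[str, Tuple[str, bool]]:
    """Map each vendored prototype.js (relative path) to (version, outdated).

    Only the first 4 KiB of each .js file is read: the banner sits at the
    top, and a minified copy may be one very long line.
    """
    findings: Dict[str, Tuple[str, bool]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            version = parse_version(head)
            if version is None:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = (version, is_outdated(version, baseline))
    return findings


def build_sample_tree() -> str:
    """Create a constructed source tree; paths and versions are invented."""
    root = tempfile.mkdtemp(prefix="aws-scan-")
    samples = {
        "web_elements/prototype.js":
            "/*  Prototype JavaScript framework, version 1.5.1\n"
            " *  (c) 2005-2007 Sam Stephenson\n */\nvar Prototype = {};\n",
        "examples/demo/js/prototype.js":
            "/*  Prototype JavaScript framework, version 1.6.1\n */\n",
        "web_elements/menu.js": "function toggle(id) {}\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> Dict[str, Tuple[str, bool]]:
    """Scan the constructed tree and return the findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, (version, outdated) in sorted(demo().items()):
        status = "OUTDATED" if outdated else "ok"
        print(f"{status:8} {version:8} {rel}")
```

Run it against a real checkout by calling scan_tree on the checkout's root; a copy reported as OUTDATED is a candidate for replacement by the Debian package (or a symlink to it), and a copy found under an examples directory only tells you the library itself may not depend on it, which is the distinction asked about above.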