Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Gerfried Fuchs rhonda at deb.at
Mon Nov 9 19:43:45 UTC 2009


severity 555276 minor
thanks

	Hi!

* Michael Gilbert <michael.s.gilbert at gmail.com> [2009-11-09 02:07:53 CET]:
> Your package contains an embedded version of prototype.js that is
> vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
> [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

 The source package contains it, but it isn't shipped in any binary
package. If it were in the binary package I would switch to depending on
the libjs-prototype package and symlink it.[a] (Un)fortunately this is
only in the source package. :)

> Your package embeds the following prototype.js versions:
> 
>   sid: 1.6.0.1
>   lenny: N/A
>   etch: N/A

 Can you please run your check also against packages from experimental -
I am sure you will find at least wesnoth 1.7.6 also to be affected, I
would expect. Again, only in the source package, thus -done this bug;
from what I understand we don't fix stuff that we don't ship, do we?

 Anyway, it will be fixed with the next upstream release (not 1.6.6,
there probably won't be any, but in the 1.7 and shortly upcoming 1.8
release that will replace the 1.6 branch).

> This is a mass-filing, and the only checking done so far is a version
> comparison, so please determine whether or not your package is itself
> affected or not.  If it is not affected please close the bug with a
> message indicating this along with what you did to check.

 Actually, the package doesn't really use it. It's used in the stats
server which isn't shipped or enabled or used in the Debian packages. If
you feel like removing it from the source tarball might gain us anything
I can offer to do that, too.

 Thanks anyway for your report and for taking care of security!
Rhonda
[a] well, symlinking. I ship jquery and tablesorter. The former is
    available as a package but the latter is not. Given that the two have
    to go together, I chose explicitly not to symlink jquery either.
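The two checks discussed in this thread, written out as an added example (not code from the bug report, from wesnoth or from the Debian mass-filing tooling): first the version comparison the mass-filing is based on, which looks at the "Prototype JavaScript framework, version X" header of an embedded prototype.js and reports which of the two CVEs apply using the cut-offs stated in the report (before 1.5.1 for CVE-2007-2383, before 1.6.0.2 for CVE-2008-7220); second the check Rhonda's reply turns on, whether the file is actually installed by a binary package at all, run over a `dpkg -L`-style list of installed paths. The prototype.js header text and the two path listings below are constructed sample input, and the `stats/` path is a hypothetical location for the copy in the source tree.

```python
"""Embedded prototype.js triage: version comparison plus "is it shipped at all?".

Added example; not part of the Debian bug report or the wesnoth package.
Cut-off versions are the ones stated in the mass-filing text.
"""
import re

# (CVE, first version that is no longer affected), as given in the bug report.
PROTOTYPE_CVES = (
    ("CVE-2007-2383", "1.5.1"),
    ("CVE-2008-7220", "1.6.0.2"),
)

# Header line that prototype.js carries at the top of the file.
_HEADER_RE = re.compile(r"Prototype JavaScript framework, version\s+([0-9][0-9A-Za-z._-]*)")
# Numeric dotted version with an optional pre-release tag such as 1.6.0_rc1.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[_-]?(rc|alpha|beta)(\d*))?")


def parse_version(s):
    """'1.6.0.1' -> ((1, 6, 0, 1), None); '1.6.0_rc1' -> ((1, 6, 0), ('rc', 1))."""
    m = _VERSION_RE.fullmatch(s)
    if not m:
        raise ValueError("unrecognised version string: %r" % s)
    nums = tuple(int(x) for x in m.group(1).split("."))
    pre = (m.group(2), int(m.group(3) or 0)) if m.group(2) else None
    return nums, pre


def version_lt(a, b):
    """True if version a is older than version b.

    Missing trailing components count as 0 (1.6.0 == 1.6.0.0) and a
    pre-release sorts before the final release with the same numbers.
    """
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    if pa is None or pb is None:
        return pa is not None and pb is None
    return pa < pb


def extract_version(js_source):
    """Return the version string from a prototype.js header, or None."""
    m = _HEADER_RE.search(js_source)
    return m.group(1) if m else None


def affected_cves(js_source):
    """The version-comparison check the mass-filing was based on."""
    version = extract_version(js_source)
    if version is None:
        raise ValueError("no Prototype version header found")
    return [cve for cve, fixed in PROTOTYPE_CVES if version_lt(version, fixed)]


def shipped_copies(installed_paths, name="prototype.js"):
    """Paths from a binary package's file list (dpkg -L output) that install the library.

    An empty result means the version check above does not apply to the
    binary package, whatever the source tarball contains.
    """
    return [p for p in installed_paths if p.rsplit("/", 1)[-1] == name]


# Constructed sample input: the header of an embedded 1.6.0.1 copy.
SAMPLE_PROTOTYPE_JS = """/*  Prototype JavaScript framework, version 1.6.0.1
 *--------------------------------------------------------------------------*/
var Prototype = { Version: '1.6.0.1' };
"""

# Constructed dpkg -L style listings: the binary package ships no copy, the
# (hypothetical) source-tree listing does.
SAMPLE_BINARY_FILES = [
    "/usr/games/wesnoth",
    "/usr/share/games/wesnoth/1.6/data/core/units.cfg",
    "/usr/share/doc/wesnoth/copyright",
]
SAMPLE_SOURCE_FILES = [
    "src/game.cpp",
    "utils/stats/prototype.js",  # hypothetical path for the stats server copy
]

if __name__ == "__main__":
    print("version-only check:", affected_cves(SAMPLE_PROTOTYPE_JS))
    print("shipped by binary package:", shipped_copies(SAMPLE_BINARY_FILES))
    print("present in source tree:", shipped_copies(SAMPLE_SOURCE_FILES))
```

On a real system, `affected_cves(open(path).read())` on the embedded file and `shipped_copies(subprocess.check_output(["dpkg", "-L", "wesnoth"]).decode().splitlines())` give the same two answers; only when the second list is non-empty does the first one describe a problem in the installed package rather than in the source tarball.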





More information about the Pkg-games-devel mailing list