Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

Michael Gilbert michael.s.gilbert at gmail.com
Mon Nov 9 20:59:42 UTC 2009


On Mon, 9 Nov 2009 20:43:45 +0100, Gerfried Fuchs wrote:
>  Can you please run your check also against packages from experimental -
> I am sure you will find at least wesnoth 1.7.6 also to be affected, I
> would expect.

yes, prototype.js is in the wesnoth 1.7.6 source package.

>  Actually, the package doesn't really use it. It's used in the stats
> server which isn't shipped or enabled or used in the Debian packages. If
> you feel like removing it from the source tarball might gain us anything
> I can offer to do that, too.

this isn't necessary.  as long as the problematic file is not included
in any binary package, then wesnoth can be considered not-affected, and
this bug can be safely closed.  since there were so many of these
embeds, i did not have time to individually check to see what each
package was doing.

> [a] well, symlinking. I ship jquery and tablesorter. The former is
>     available as package but the latter not. Given that the two have to go
>     together I chose explicitly not to symlink jquery either.

this is definitely a problem.  since a common version of jquery is
available, it should be used.  as for tablesorter you have the option
of either packaging it separately or sticking with the embed (if other
packages use tablesorter, then a separate package should be preferred).

mike




