oldstable: mt-daapd update addressing #555231

oldstable: mt-daapd update addressing #555231

by Julien BLACHE

Hi,

I've prepared an update of mt-daapd for oldstable, addressing #555231
(two CVEs in prototype.js). Changelog:

 mt-daapd (0.2.4+r1376-1.1+etch3) oldstable; urgency=low
 .
   * debian/rules, debian/prototype-1.6.1.js:
     + Ship an updated copy of the prototype library, fixing a number
       of issues including CVE-2007-2383 and CVE-2008-7720 (closes: #555231).

Permission to upload?

Thanks,

JB.

--
 Julien BLACHE - Debian & GNU/Linux Developer - <jblache@...>
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: oldstable: mt-daapd update addressing #555231

by Michael Gilbert

On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:

> "Adam D. Barratt" wrote:
>
> Hi,
>
> > How big is the diff from prototype 1.4.0 (as used in the current
> > package) to 1.6.1?  The bug report mentions that patches fixing the two
>
> Don't know, I haven't even looked. There were other issues before those
> two I believe, and they never got fixed. I know that the web interface
> works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
>
> > CVEs are available, although I wasn't entirely clear as to whether they
> > apply to 1.4.0 or not.
>
> My bet is they don't; 1.4.0 is pretty ancient now.

the prototype.js CVEs do apply to 1.4.0.

> > The bug log also mentions that you were planning to upload a fixed
> > package to oldstable-security; is that no longer the case?
>
> Re-reading the report, it doesn't actually ask for a security upload. I
> have no preference for security vs. opu, although I don't think this
> issue is worth a security upload given mt-daapd is not a web app, which
> reduces the scope of the vulnerabilities considerably IMO.

from the security team's perspective, there are way too many
packages affected by the prototype.js flaw to issue DSAs for all of
them, so they all will/should be handled via stable-proposed-updates.

mike



Re: oldstable: mt-daapd update addressing #555231

by Adam D. Barratt

Hi,

On Wed, 2009-11-11 at 10:59 +0100, Julien BLACHE wrote:
> I've prepared an update of mt-daapd for oldstable, addressing #555231
> (two CVEs in prototype.js). Changelog:
>
>  mt-daapd (0.2.4+r1376-1.1+etch3) oldstable; urgency=low
>  .
>    * debian/rules, debian/prototype-1.6.1.js:
>      + Ship an updated copy of the prototype library, fixing a number
>        of issues including CVE-2007-2383 and CVE-2008-7720 (closes: #555231).

How big is the diff from prototype 1.4.0 (as used in the current
package) to 1.6.1?  The bug report mentions that patches fixing the two
CVEs are available, although I wasn't entirely clear as to whether they
apply to 1.4.0 or not.

The bug log also mentions that you were planning to upload a fixed
package to oldstable-security; is that no longer the case?

Regards,

Adam



Re: oldstable: mt-daapd update addressing #555231

by Julien BLACHE

"Adam D. Barratt" <adam@...> wrote:

Hi,

> How big is the diff from prototype 1.4.0 (as used in the current
> package) to 1.6.1?  The bug report mentions that patches fixing the two

Don't know, I haven't even looked. There were other issues before those
two I believe, and they never got fixed. I know that the web interface
works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.

> CVEs are available, although I wasn't entirely clear as to whether they
> apply to 1.4.0 or not.

My bet is they don't; 1.4.0 is pretty ancient now.

> The bug log also mentions that you were planning to upload a fixed
> package to oldstable-security; is that no longer the case?

Re-reading the report, it doesn't actually ask for a security upload. I
have no preference for security vs. opu, although I don't think this
issue is worth a security upload given mt-daapd is not a web app, which
reduces the scope of the vulnerabilities considerably IMO.

JB.

--
 Julien BLACHE <jblache@...>  |  Debian, because code matters more
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169



Re: oldstable: mt-daapd update addressing #555231

by Adam D. Barratt

[re-sending with corrected recipient list having realised that #555231
isn't a release.d.o bug]

On Wed, 2009-11-11 at 14:35 -0500, Michael Gilbert wrote:

> On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:
> > "Adam D. Barratt" wrote:
> >
> > Hi,
> >
> > > How big is the diff from prototype 1.4.0 (as used in the current
> > > package) to 1.6.1?  The bug report mentions that patches fixing the two
> >
> > Don't know, I haven't even looked. There were other issues before those
> > two I believe, and they never got fixed. I know that the web interface
> > works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
> >
> > > CVEs are available, although I wasn't entirely clear as to whether they
> > > apply to 1.4.0 or not.
> >
> > My bet is they don't; 1.4.0 is pretty ancient now.
>
> the prototype.js CVEs do apply to 1.4.0.

For the avoidance of any doubt, I meant whether the /patches/ apply to
1.4.0.

Regards,

Adam



Re: Bug#555231: oldstable: mt-daapd update addressing #555231

by Julien BLACHE

"Adam D. Barratt" <adam@...> wrote:

Hi,

>> > > CVEs are available, although I wasn't entirely clear as to whether they
>> > > apply to 1.4.0 or not.
>> >
>> > My bet is they don't; 1.4.0 is pretty ancient now.
>>
>> the prototype.js CVEs do apply to 1.4.0.
>
> For the avoidance of any doubt, I meant whether the /patches/ apply to
> 1.4.0.

That was clear in your mail, however my reply broke that sentence in two
pieces.

JB.

--
 Julien BLACHE - Debian & GNU/Linux Developer - <jblache@...>
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169



Re: oldstable: mt-daapd update addressing #555231

by Julien BLACHE

"Adam D. Barratt" <adam@...> wrote:

Hi,

> The bug log also mentions that you were planning to upload a fixed
> package to oldstable-security; is that no longer the case?

So, in the end, where do we stand with this?

JB.

--
 Julien BLACHE - Debian & GNU/Linux Developer - <jblache@...>
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169



Re: oldstable: mt-daapd update addressing #555231

by Adam D. Barratt

On Sat, 2009-11-14 at 17:27 +0100, Julien BLACHE wrote:
> "Adam D. Barratt" <adam@...> wrote:
>
> Hi,
>
> > The bug log also mentions that you were planning to upload a fixed
> > package to oldstable-security; is that no longer the case?
>
> So, in the end, where do we stand with this?

Apologies for not getting back to you sooner.

We've been discussing how to handle the prototype updates and will most
likely approve this update but would like to confirm a couple of things
first:

a) that the current embedded copy of prototype is an unmodified version
from prototype upstream and

b) the package has been tested to ensure it operates correctly with the
new version of prototype on the relevant Debian release; this is
particularly important for etch updates, as there are likely to be a
maximum of two further etch point releases.

Regards,

Adam
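The two checks Adam asks for above (that the embedded copy of prototype.js is unmodified upstream code, and, behind Michael's remark that too many packages embed the library for individual DSAs, an inventory of where it is embedded) can be scripted rather than eyeballed. The following is an added example written for this page, not code from mt-daapd, Prototype or the Debian thread. It assumes the banner wording `Prototype JavaScript framework, version X.Y.Z` at the top of the library, and the two sample inputs are constructed excerpts modelled on the getTransport ordering discussed in the thread, not the real library files.

```python
"""Check an embedded prototype.js against an upstream reference copy.

Added example for this thread, not part of mt-daapd or Prototype.
Assumptions: the library banner reads "Prototype JavaScript framework,
version X.Y.Z", and copies are compared line by line after trailing
whitespace is stripped. The sample excerpts below are constructed.
"""
import difflib
import os
import re

# Assumption: this banner wording is present in every copy we inspect.
VERSION_RE = re.compile(r"Prototype JavaScript framework, version (\d+(?:\.\d+)*)")

# Constructed excerpts (not the real files): the reference copy tries the
# ActiveX transports first; the embedded copy tries XMLHttpRequest first.
UPSTREAM_SAMPLE = """\
/*  Prototype JavaScript framework, version 1.4.0
 *  (constructed excerpt for this example, not the real file)
 */
var Ajax = {
  getTransport: function() {
    return Try.these(
      function() {return new ActiveXObject('Msxml2.XMLHTTP')},
      function() {return new ActiveXObject('Microsoft.XMLHTTP')},
      function() {return new XMLHttpRequest()}
    ) || false;
  },
};
"""

EMBEDDED_SAMPLE = """\
/*  Prototype JavaScript framework, version 1.4.0
 *  (constructed excerpt for this example, not the real file)
 */
var Ajax = {
  getTransport: function() {
    return Try.these(
      function() {return new XMLHttpRequest()},
      function() {return new ActiveXObject('Msxml2.XMLHTTP')},
      function() {return new ActiveXObject('Microsoft.XMLHTTP')}
    ) || false;
  },
};
"""


def prototype_version(text):
    """Return the version string from the library banner, or None."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def _normalise(text):
    # Trailing whitespace and CRLF/LF differences are not a code change.
    return [line.rstrip() for line in text.splitlines()]


def diff_against_upstream(embedded, upstream):
    """Unified diff of the embedded copy against the upstream reference.

    An empty list means the copies are identical apart from trailing
    whitespace, which is what an "unmodified upstream copy" check wants."""
    return list(difflib.unified_diff(_normalise(upstream), _normalise(embedded),
                                     fromfile="upstream", tofile="embedded",
                                     lineterm=""))


def changed_lines(embedded, upstream):
    """Only the +/- content lines of the diff, for a quick review."""
    return [line for line in diff_against_upstream(embedded, upstream)
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


def find_embedded_copies(root):
    """Walk a source tree and list every prototype.js with its version.

    This is the inventory step needed when one library flaw touches many
    packages: each embedded copy has to be found and versioned before it
    can be compared against upstream or replaced."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "prototype.js":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.append((path, prototype_version(fh.read())))
    return sorted(found)


if __name__ == "__main__":
    print("embedded version:", prototype_version(EMBEDDED_SAMPLE))
    for line in changed_lines(EMBEDDED_SAMPLE, UPSTREAM_SAMPLE):
        print(line)
```

Run against a real package by pointing `find_embedded_copies` at the unpacked source tree and feeding each reported file, together with the matching upstream release, to `changed_lines`; a non-empty result is exactly the local modification the maintainer has to account for in the changelog.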



Re: oldstable: mt-daapd update addressing #555231

by Julien BLACHE

"Adam D. Barratt" <adam@...> wrote:

Hi,

> a) that the current embedded copy of prototype is an unmodified version
> from prototype upstream and

Virtually unmodified, only a harmless change was done to the copy
shipped with mt-daapd.

    Make prototype.js first test for XMLHttprequest object
    and then the IE active-x thingies. This forces IE 7 to use
    the native XMLHttprequest object. (and debugging on gecko
    browsers easier)

------------------------ admin-root/lib-js/prototype.js ------------------------
index e9ccd3c..19a577c 100644
@@ -549,9 +549,9 @@ var $R = function(start, end, exclusive) {
 var Ajax = {
   getTransport: function() {
     return Try.these(
+      function() {return new XMLHttpRequest()},
       function() {return new ActiveXObject('Msxml2.XMLHTTP')},
-      function() {return new ActiveXObject('Microsoft.XMLHTTP')},
-      function() {return new XMLHttpRequest()}
+      function() {return new ActiveXObject('Microsoft.XMLHTTP')}
     ) || false;
   },
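Review bot: the hunk does not say which copy of the library it is applied to, and that is the point Adam's question (a) turns on: the path `admin-root/lib-js/prototype.js` is the copy embedded in the upstream mt-daapd tree, while the changelog ships the replacement as `debian/prototype-1.6.1.js`, so a reader cannot tell from the hunk alone whether the 1.6.1 file carries this reordering or is byte-identical to upstream (Adam's reply below settles it by noting upstream already incorporated the change). The change itself is safe: it only moves `function() {return new XMLHttpRequest()}` ahead of the two `ActiveXObject` candidates, and `Try.these` still falls through to them on browsers where the native constructor is missing. Note also that, as quoted, the hunk carries an `index e9ccd3c..19a577c` line but no `---`/`+++` file headers, so it will not apply with `patch -p1` or `git apply` without those being restored.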

> b) the package has been tested to ensure it operates correctly with the
> new version of prototype on the relevant Debian release; this is
> particularly important for etch updates, as there are likely to be a
> maximum of two further etch point releases.

My tests show that the web interface behaves as well as always; besides,
the portion of the web interface that's deemed stable hasn't seen many
changes between the version included in Etch and subsequent
versions. The experimental parts of the web interface are not
shipped/not used/not reachable/not usable anyway.

JB.

--
 Julien BLACHE <jblache@...>  |  Debian, because code matters more
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169



Re: oldstable: mt-daapd update addressing #555231

by Adam D. Barratt

Hi,

On Sun, 2009-11-15 at 21:56 +0100, Julien BLACHE wrote:

> "Adam D. Barratt" <adam@...> wrote:
> > a) that the current embedded copy of prototype is an unmodified version
> > from prototype upstream and
>
> Virtually unmodified, only a harmless change was done to the copy
> shipped with mt-daapd.
>
>     Make prototype.js first test for XMLHttprequest object
>     and then the IE active-x thingies. This forces IE 7 to use
>     the native XMLHttprequest object. (and debugging on gecko
>     browsers easier)

This appears to have been incorporated in the upstream library, so isn't
a problem.

> > b) the package has been tested to ensure it operates correctly with the
> > new version of prototype on the relevant Debian release; this is
> > particularly important for etch updates, as there are likely to be a
> > maximum of two further etch point releases.
>
> My tests show that the web interface behaves as well as always; besides,
> the portion of the web interface that's deemed stable hasn't seen many
> changes between the version included in Etch and subsequent
> versions. The experimental parts of the web interface are not
> shipped/not used/not reachable/not usable anyway.

Thanks for the confirmation.  Please go ahead with the upload for
oldstable.

Regards,

Adam



Re: oldstable: mt-daapd update addressing #555231

by Julien BLACHE

"Adam D. Barratt" <adam@...> wrote:

Hi,

> Thanks for the confirmation.  Please go ahead with the upload for
> oldstable.

Uploaded. Haven't got a message from the queue daemon about it, so hope
everything went OK with that... If you don't see the files anywhere, let
me know.

JB.

--
 Julien BLACHE <jblache@...>  |  Debian, because code matters more
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169

