CVE-2007-2383

Name: CVE-2007-2383
Description: The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data ...
Source: CVE (at NVD; oss-sec, OSVDB, EDB, Red Hat, Ubuntu, Gentoo, SuSE, more)
References: DSA-1952-1
Debian Bugs: 555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                     | Release                     | Version                   | Status
activeldap (PTS)                   | squeeze                     | 1.2.2-1                   | fixed
asterisk (PTS)                     | squeeze, squeeze (security) | 1:1.6.2.9-2+squeeze12     | fixed
                                   | wheezy, wheezy (security)   | 1:1.8.13.1~dfsg1-3+deb7u3 | fixed
                                   | jessie, sid                 | 1:11.8.1~dfsg-1           | fixed
auth2db (PTS)                      | squeeze                     | 0.2.5-2+dfsg-3            | fixed
                                   | jessie, wheezy, sid         | 0.2.5-2+dfsg-4            | fixed
ebug-http (PTS)                    | squeeze                     | 0.31-2.1                  | fixed
exaile (PTS)                       | squeeze                     | 0.2.14+debian-2.3         | fixed
                                   | wheezy                      | 0.3.2.2-3                 | fixed
                                   | jessie, sid                 | 3.3.2-1                   | fixed
glpi (PTS)                         | squeeze                     | 0.72.4-2.1                | fixed
                                   | wheezy                      | 0.83.31-1                 | fixed
                                   | jessie, sid                 | 0.84.3+dfsg.1-1           | fixed
hobix (PTS)                        | squeeze                     | 0.5~svn20070319-4         | fixed
jscropperui (PTS)                  | squeeze                     | 1.2.1-2                   | fixed
                                   | jessie, wheezy, sid         | 1.2.2-1                   | fixed
knowledgeroot (PTS)                | squeeze, wheezy, sid        | 0.9.9.5-6                 | fixed
libaws (PTS)                       | squeeze                     | 2.7-4                     | fixed
                                   | jessie, wheezy, sid         | 2.10.2-4                  | fixed
libhtml-prototype-perl (PTS)       | squeeze, wheezy             | 1.48-3                    | fixed
                                   | jessie, sid                 | 1.48-4                    | fixed
libjson-ruby (PTS)                 | squeeze                     | 1.1.9-1                   | fixed
lucene2 (PTS)                      | squeeze                     | 2.9.2+ds1-1               | fixed
                                   | jessie, wheezy, sid         | 2.9.4+ds1-4               | fixed
mantis (PTS)                       | squeeze, squeeze (security) | 1.1.8+dfsg-10squeeze2     | fixed
                                   | wheezy                      | 1.2.11-1.2                | fixed
mediatomb (PTS)                    | squeeze                     | 0.12.0~svn2018-6.1        | fixed
                                   | wheezy                      | 0.12.1-4                  | fixed
                                   | jessie, sid                 | 0.12.1-5                  | fixed
mt-daapd (PTS)                     | squeeze                     | 0.9~r1696.dfsg-16         | fixed
op-panel (PTS)                     | squeeze, wheezy, sid        | 0.30~dfsg-3               | fixed
otrs2 (PTS)                        | squeeze                     | 2.4.9+dfsg1-3+squeeze4    | fixed
                                   | squeeze (security)          | 2.4.9+dfsg1-3+squeeze5    | fixed
                                   | wheezy                      | 3.1.7+dfsg1-8+deb7u3      | fixed
                                   | wheezy (security)           | 3.1.7+dfsg1-8+deb7u4      | fixed
                                   | jessie, sid                 | 3.3.6-1                   | fixed
poker-network (PTS)                | squeeze                     | 1.7.7-3.2                 | fixed
prototypejs (PTS)                  | squeeze                     | 1.6.1-1                   | fixed
                                   | wheezy                      | 1.7.0-2                   | fixed
                                   | jessie, sid                 | 1.7.1-3                   | fixed
rt-extension-emailcompletion (PTS) | squeeze                     | 0.06-3                    | fixed
scriptaculous (PTS)                | squeeze                     | 1.8.3-1                   | fixed
                                   | jessie, wheezy, sid         | 1.9.0-2                   | fixed
webhelpers (PTS)                   | squeeze                     | 1.1-1                     | fixed
                                   | jessie, wheezy, sid         | 1.3-4                     | fixed
wordpress (PTS)                    | squeeze                     | 3.6.1+dfsg-1~deb6u1       | fixed
                                   | squeeze (security)          | 3.6.1+dfsg-1~deb6u2       | fixed
                                   | wheezy                      | 3.6.1+dfsg-1~deb7u1       | fixed
                                   | wheezy (security)           | 3.6.1+dfsg-1~deb7u2       | fixed
                                   | jessie                      | 3.8.2+dfsg-1              | fixed
                                   | sid                         | 3.8.3+dfsg-1              | fixed

The information above is based on the following data on fixed versions.

Package                      | Type    | Release    | Fixed Version            | Urgency | Origin     | Debian Bugs
activeldap                   | source  | (unstable) | (not affected)           |         |            |
asterisk                     | source  | (unstable) | 1:1.6.2.0~rc3-1          | low     |            | 555220
asterisk                     | source  | lenny      | 1:1.4.21.2~dfsg-3+lenny1 |         | DSA-1952-1 |
auth2db                      | source  | (unstable) | 0.2.5-2+dfsg-1           | low     |            | 555217
ebug-http                    | source  | (unstable) | 0.31-2.1                 | low     |            | 555235
exaile                       | source  | (unstable) | (not affected)           |         |            |
glpi                         | source  | (unstable) | 0.72.3-1                 | low     |            | 555228
hobix                        | source  | (unstable) | 0.5~svn20070319-4        | low     |            | 555246
jscropperui                  | source  | (unstable) | 1.2.1-1                  | low     |            | 555255
knowledgeroot                | source  | (unstable) | 0.9.9.5-1                | low     |            | 555229
knowledgeroot                | source  | lenny      | (not affected)           |         |            |
libaws                       | source  | (unstable) | 2.7-1                    | low     |            | 555221
libhtml-prototype-perl       | source  | (unstable) | 1.48-3                   | low     |            | 558977
libjson-ruby                 | source  | (unstable) | (not affected)           |         |            |
lucene2                      | source  | (unstable) | 2.9.1+ds1-2              | low     |            | 555225
lucene2                      | source  | etch       | (not affected)           |         |            |
mantis                       | source  | (unstable) | (not affected)           |         |            |
mediatomb                    | source  | (unstable) | 0.11.0-3                 | low     |            | 555232
mt-daapd                     | source  | (unstable) | 0.9~r1696.dfsg-6         | low     |            | 555231
op-panel                     | source  | (unstable) | 0.30~dfsg-1              | low     |            | 555234
otrs2                        | source  | (unstable) | (not affected)           |         |            |
pixelpost                    | source  | (unstable) | 1.7.1-6                  | low     |            | 555248
plone3                       | source  | (unstable) | (unfixed)                | low     |            | 555274
poker-network                | source  | (unstable) | 1.7.6-1                  | low     |            | 555237
prototypejs                  | source  | (unstable) | (not affected)           |         |            |
qwik                         | source  | (unstable) | (unfixed)                | low     |            | 555240
rt-extension-emailcompletion | source  | (unstable) | (not affected)           |         |            |
scriptaculous                | source  | (unstable) | (not affected)           |         |            |
symfony                      | source  | (unstable) | 1.0.21-1.1               | low     |            | 555250
webcalendar                  | source  | (unstable) | 1.2~b1-2                 | low     |            | 555268
webcalendar                  | source  | lenny      | (not affected)           |         |            |
webhelpers                   | source  | (unstable) | (not affected)           |         |            |
wesnoth                      | unknown | (unstable) | (not affected)           |         |            |
wordpress                    | source  | (unstable) | (not affected)           |         |            |

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows data to be stolen from affected websites. Therefore web applications should
only be considered vulnerable if they process confidential data.
The frameworks should be fixed in any case.
