Bug 284890

Summary: dev-python/tg-widgets-scriptaculous: Prototype JavaScript framework Cross-Site AJAX requests issue (CVE-2008-7220)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://github.com/sstephenson/prototype/blob/master/CHANGELOG
Whiteboard: B4 [cleanup masked]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 284874

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 10:23:22 UTC
+++ This bug was initially created as a clone of Bug #284874 +++

CVE-2008-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7220):
  Unspecified vulnerability in Prototype JavaScript framework
  (prototypejs) before 1.6.0.2 allows attackers to make "cross-site
  ajax requests" via unknown vectors.

dev-python/tg-widgets-scriptaculous ships 1.5.0_rc0 in scriptaculous/static/javascript/prototype.js
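
Added example (not part of the original bug report or of any Gentoo tooling): a Python check that finds vendored copies of prototype.js in a source tree and flags those older than 1.6.0.2, the fixed release named in the CVE text above. It assumes the file declares its version as `Version: '...'` inside the `Prototype` object; the sample text and all function names are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = "1.6.0.2"  # first fixed release, taken from the CVE text quoted in the report

# Assumption: the bundled file declares  var Prototype = { Version: '1.5.0_rc0', ...
VERSION_RE = re.compile(r"Prototype\s*=\s*\{\s*Version:\s*['\"]([^'\"]+)['\"]")

# Constructed sample mimicking the header of a bundled prototype.js
SAMPLE = "var Prototype = {\n  Version: '1.5.0_rc0',\n  emptyFunction: function() {}\n}\n"

def version_key(v):
    """Map '1.5.0_rc0' to a sortable tuple; a pre-release sorts below its final release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[_-]?(rc|pre|beta|alpha)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))            # pad so 1.6.0 compares as 1.6.0.0
    # Final release -> (1, 0); any pre-release tag -> (0, n). Tag kinds are not ranked.
    stage = (0, int(m.group(3) or 0)) if m.group(2) else (1, 0)
    return tuple(nums) + stage

def is_affected(v, fixed=FIXED):
    """True when version v predates the fixed release."""
    return version_key(v) < version_key(fixed)

def bundled_version(js_text):
    """Return the declared Prototype version, or None if the marker is absent."""
    m = VERSION_RE.search(js_text)
    return m.group(1) if m else None

def scan(root):
    """Yield (path, version, affected) for every prototype*.js below root."""
    for path in sorted(Path(root).rglob("prototype*.js")):
        v = bundled_version(path.read_text(errors="replace"))
        if v is None:
            continue                          # not a recognisable Prototype build
        try:
            yield str(path), v, is_affected(v)
        except ValueError:
            yield str(path), v, None          # unparseable version: review by hand

if __name__ == "__main__":
    v = bundled_version(SAMPLE)
    print("sample:", v, "affected" if is_affected(v) else "ok")
    for path, ver, bad in scan("."):
        print(path, ver, {True: "AFFECTED", False: "ok", None: "unknown"}[bad])
```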
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 23:00:10 UTC
Upstream won't be happening, the page with the widgets appears to be dead. Python team: only package with a dependency on this is tg-widgets-lightbox. Lastrite it or pmask it?
Comment 2 Patrick McLean gentoo-dev 2013-07-08 23:03:30 UTC
Go ahead and lastrite it.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 00:35:37 UTC
+  09 Jul 2013; <creffett@gentoo.org> package.mask:
+  Mask tg-widgets-scriptaculous and tg-widgets-lightbox for lastrite, bug
+  284890.
+

Removal in 30 days.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-17 14:59:24 UTC
Removed dev-python/tg-widgets-* from tree.