Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 284875 - <app-office/rabbit-0.6.3 Prototype JavaScript framework Cross-Site AJAX requests issue (CVE-2008-7220)
Summary: <app-office/rabbit-0.6.3 Prototype JavaScript framework Cross-Site AJAX reque...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://github.com/sstephenson/prototy...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2008-7220
  Show dependency tree
 
Reported: 2009-09-14 09:27 UTC by Alex Legler (RETIRED)
Modified: 2010-02-28 08:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 09:27:10 UTC 
+++ This bug was initially created as a clone of Bug #284874 +++

CVE-2008-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7220):
  Unspecified vulnerability in Prototype JavaScript framework
  (prototypejs) before 1.6.0.2 allows attackers to make "cross-site
  ajax requests" via unknown vectors.

rabbit has version 1.4.0 in lib/rabbit/div/prototype.js
Comment 1 Hans de Graaff gentoo-dev Security 2009-09-14 17:50:35 UTC 
I've just removed rabbit 0.5.2 from the tree since it is an old version. Unfortunately the more recent rabbit 0.6.1 also includes a copy of prototype 1.4.0.
Comment 2 Hans de Graaff gentoo-dev Security 2010-01-05 16:37:09 UTC 
app-office/rabbit-0.6.3 has a copy of Prototype 1.6.0.3.

I've removed rabbit-0.6.1, so I believe we can close this bug.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-02-28 08:39:00 UTC 
The package actually was never stable. → Closing noglsa. Thanks.