284886 – net-misc/mediatomb Prototype JavaScript framework Cross-Site AJAX requests issue (CVE-2008-7220)

Bug 284886 - net-misc/mediatomb Prototype JavaScript framework Cross-Site AJAX requests issue (CVE-2008-7220)

Summary: net-misc/mediatomb Prototype JavaScript framework Cross-Site AJAX requests is...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://github.com/sstephenson/prototy...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:	CVE-2008-7220
	Show dependency tree

Reported:	2009-09-14 10:08 UTC by Alex Legler (RETIRED)
Modified:	2010-09-16 20:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2009-09-14 10:08:24 UTC

+++ This bug was initially created as a clone of Bug #284874 +++

CVE-2008-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7220):
  Unspecified vulnerability in Prototype JavaScript framework
  (prototypejs) before 1.6.0.2 allows attackers to make "cross-site
  ajax requests" via unknown vectors.

Mediatomb ships prototype 1.5.1.1 in web/js/

Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev

2009-09-14 10:46:47 UTC

I'm tempted to mask and remove…

Comment 2 BT 2009-12-24 13:03:47 UTC

This has been fixed by upstream in SVN r2036[1] and will be part of MediaTomb 0.12.0 which is scheduled for January 2010 release.

[1] http://mediatomb.svn.sourceforge.net/viewvc/mediatomb?view=rev&revision=2036

Comment 3 BT 2010-03-29 22:21:17 UTC

This is fixed in bug #264235.

Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester

2010-03-29 22:35:31 UTC

(In reply to comment #3)
> This is fixed in bug #264235.
> 

Thanks. 0.12.0 is in the tree but I would like to wait some time for a security stabilization to see if any new bugs arise.

Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester

2010-04-15 16:25:28 UTC

net-misc/mediatomb-0.12.1 is ok to stable. Thanks.

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev

2010-04-16 09:19:15 UTC

x86 stable

Comment 7 Markus Meier gentoo-dev

2010-04-18 12:29:25 UTC

amd64 stable, all arches done.

Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester

2010-08-19 02:06:05 UTC

removing myself to clean up bug queue

Comment 9 Alex Legler (RETIRED) archtester

2010-09-16 20:58:54 UTC

Closing noglsa because of the low severity of this issue.