Bug 284890 - dev-python/tg-widgets-scriptaculous: Prototype JavaScript framework Cross-Site AJAX requests issue (CVE-2008-7220)
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://github.com/sstephenson/prototy...
Whiteboard: B4 [cleanup masked]
Blocks: CVE-2008-7220
Reported: 2009-09-14 10:23 UTC by Alex Legler (RETIRED)
Modified: 2013-08-17 14:59 UTC

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 10:23:22 UTC
+++ This bug was initially created as a clone of Bug #284874 +++

CVE-2008-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7220):
  Unspecified vulnerability in Prototype JavaScript framework
  (prototypejs) before 1.6.0.2 allows attackers to make "cross-site
  ajax requests" via unknown vectors.

dev-python/tg-widgets-scriptaculous ships 1.5.0_rc0 in scriptaculous/static/javascript/prototype.js
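
An added example, not part of the bug report or of any Gentoo tooling: one way to locate bundled copies of prototype.js in an installed tree and compare the version each declares against the 1.6.0.2 threshold from the CVE text. It assumes the file declares its release as `Version: '...'` in the Prototype object; the function names and the sample source are constructed for illustration.

```python
import os
import re

FIXED_IN = "1.6.0.2"  # per the CVE text quoted above: releases before this are affected

# Assumption: the file declares its release as  Version: '<string>'  in the
# Prototype object literal.
VERSION_RE = re.compile(r"""\bVersion:\s*['"]([^'"]+)['"]""")
PARTS_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[._-]?(?:rc|pre|beta|alpha)[._-]?(\d*))?$", re.I)


def version_key(version):
    """Sortable key; a pre-release (e.g. _rc0) sorts before its final release."""
    m = PARTS_RE.match(version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    nums = [int(p) for p in m.group(1).split(".")]
    while nums and nums[-1] == 0:          # so that 1.6.0 and 1.6 compare equal
        nums.pop()
    is_final = m.group(2) is None          # group 2 is set only when a pre-release tag matched
    return (tuple(nums), (1, 0) if is_final else (0, int(m.group(2) or 0)))


def check_source(js_source):
    """Return (version, affected); affected is None when no verdict is possible."""
    m = VERSION_RE.search(js_source)
    if not m:
        return (None, None)
    try:
        return (m.group(1), version_key(m.group(1)) < version_key(FIXED_IN))
    except ValueError:
        return (m.group(1), None)


def scan_tree(root):
    """Yield (path, version, affected) for every bundled prototype*.js under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("prototype") and name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield (path,) + check_source(fh.read())


# Constructed sample mirroring the bundled copy named in this bug.
SAMPLE = "var Prototype = {\n  Version: '1.5.0_rc0',\n  emptyFunction: function() {}\n}"

if __name__ == "__main__":
    print(check_source(SAMPLE))
```

A result of `None` for `affected` means the file needs manual inspection, since a stripped or minified copy may carry no version declaration.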
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 23:00:10 UTC
Upstream won't be happening, the page with the widgets appears to be dead. Python team: only package with a dependency on this is tg-widgets-lightbox. Lastrite it or pmask it?
Comment 2 Patrick McLean gentoo-dev 2013-07-08 23:03:30 UTC
Go ahead and lastrite it.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 00:35:37 UTC
+  09 Jul 2013; <creffett@gentoo.org> package.mask:
+  Mask tg-widgets-scriptaculous and tg-widgets-lightbox for lastrite, bug
+  284890.
+

Removal in 30 days.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-17 14:59:24 UTC
Removed dev-python/tg-widgets-* from tree.