oss-sec mailing list archives

Re: CVE Request - Asterisk (AST-2009-008.html)


From: Alex Legler <a3li () gentoo org>
Date: Sat, 7 Nov 2009 19:04:49 +0100

On Sat, 7 Nov 2009 18:08:55 +0100, Moritz Muehlenhoff <jmm () inutil org>
wrote:

Jan Lieskovsky wrote:
The second issue (b,) already got a CVE id of CVE-2008-7220.

b, Cross-site AJAX request vulnerability (CVE-2008-7220)
   http://downloads.asterisk.org/pub/security/AST-2009-009.html

This seems to be a mistake; CVE-2008-7220 already identifies a
prototypejs issue.


This is correct. Asterisk ships a copy of prototype.js.

From the Asterisk advisory:
Asterisk includes a demonstration AJAX based manager interface,
ajamdemo.html which uses the prototype.js framework. 

Alex
