Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response including URL parameters and content in the response body.
This is now public: http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
seamonkey-1.1.14-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.0.5-1.fc10, firefox-3.0.5-1.fc10, epiphany-2.24.1-3.fc10, epiphany-extensions-2.24.0-3.fc10, blam-1.8.5-5.fc10, devhelp-0.22-2.fc10, evolution-rss-0.1.2-3.fc10, galeon-2.0.7-4.fc10, gecko-sharp2-0.13-3.fc10, gnome-python2-extras-2.19.1-25.fc10, gnome-web-photo-0.3-13.fc10, google-gadgets-0.10.3-2.fc10, kazehakase-0.5.6-1.fc10.2, Miro-1.2.7-3.fc10, mozvoikko-0.9.5-5.fc10, mugshot-1.2.2-4.fc10, pcmanx-gtk2-0.3.8-4.fc10, ruby-gnome2-0.18.1-2.fc10, yelp-2.24.0-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.0.5-1.fc9, firefox-3.0.5-1.fc9, epiphany-2.22.2-6.fc9, epiphany-extensions-2.22.1-6.fc9, blam-1.8.5-4.fc9.1, cairo-dock-1.6.3.1-1.fc9.2, chmsee-1.0.1-7.fc9, devhelp-0.19.1-7.fc9, evolution-rss-0.1.0-5.fc9, galeon-2.0.7-4.fc9, gnome-python2-extras-2.19.1-22.fc9, gnome-web-photo-0.3-16.fc9, google-gadgets-0.10.3-2.fc9, gtkmozembedmm-1.4.2.cvs20060817-24.fc9, kazehakase-0.5.6-1.fc9.2, Miro-1.2.7-3.fc9, mozvoikko-0.9.5-5.fc9, mugshot-1.2.2-4.fc9, ruby-gnome2-0.17.0-4.fc9, totem-2.23.2-9.fc9, yelp-2.22.1-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.14-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
firefox-2.0.0.19-1.fc8, epiphany-2.20.3-9.fc8, epiphany-extensions-2.20.1-12.fc8, blam-1.8.3-20.fc8, cairo-dock-1.6.3.1-1.fc8.2, chmsee-1.0.0-6.31.fc8, devhelp-0.16.1-12.fc8, evolution-rss-0.0.8-14.fc8, galeon-2.0.4-7.fc8.3, gnome-python2-extras-2.19.1-20.fc8, gnome-web-photo-0.3-15.fc8, kazehakase-0.5.6-1.fc8.2, liferea-1.4.15-6.fc8, Miro-1.2.7-3.fc8, openvrml-0.17.10-3.0.fc8, ruby-gnome2-0.17.0-4.fc8, yelp-2.20.0-15.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.14-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via: Red Hat Enterprise Linux version 4 (firefox) RHSA-2008:1036 Red Hat Enterprise Linux version 5 (firefox) RHSA-2008:1036 Red Hat Enterprise Linux version 2.1 (seamonkey) RHSA-2008:1037 Red Hat Enterprise Linux version 3 (seamonkey) RHSA-2008:1037 Red Hat Enterprise Linux version 4 (seamonkey) RHSA-2008:1037 Red Hat Enterprise Linux version 4 (thunderbird) RHSA-2009:0002 Red Hat Enterprise Linux Desktop version 5 (thunderbird) RHSA-2009:0002 RHEL Optional Productivity Applications version 5 (thunderbird) RHSA-2009:0002