[Pkg-javascript-devel] Bug#603513: Bug#603513: yui: multiple xss issues in included swf files
Moritz Muehlenhoff
jmm at inutil.org
Wed Dec 1 22:09:34 UTC 2010
Jaldhar H. Vyas wrote:
> On Mon, 29 Nov 2010, Thomas Goirand wrote:
>
>> Take care if you do that: there's some reverse dependencies involved!
>> I'd rather that you just remove the swf files from the package, and
>> create a non-free package for them. There's many cases where you will
>> need yui, but not the attached swf files!!!
>
> Good point. There are only four components that include swf files. It
> should be possible to separate them out into a non-free package. I'll
> bear that in mind if there is no way to keep it all in main.
The following sourceless SWF files are included in YUI:
/usr/share/javascript/yui/connection/connection.swf
/usr/share/javascript/yui/uploader/assets/uploader.swf
/usr/share/javascript/yui/charts/assets/charts.swf
/usr/share/javascript/yui/swfstore/swfstore.swf
The following packages depend on libjs-yui:
serendipity
otrs2
moodle
loggerhead
jifty
fusionforge
extplorer
bugzilla3
webgui (sid only)
I only looked briefly in OTRS and Moodle and both seem to use
the connection module.
We should update the SWF files affected through #603513 with their
versions from YUI 2.8.2 and tag #591199 squeeze-ignore. For Wheezy
we can get the necessary SWF compilers into the archive and provide
a clean solution, but splitting these modules off to non-free has
the potential to cause all kinds of ugly breakage in important web
apps for very little gain.
Cheers,
Moritz