[Pkg-javascript-devel] Bug#603513: yui: multiple xss issues in included swf files
Michael Gilbert
michael.s.gilbert at gmail.com
Sun Nov 14 20:53:48 UTC 2010
Package: yui
Version: 2.5.0-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for yui.
CVE-2010-4207[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| charts/assets/charts.swf.
CVE-2010-4208[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| uploader/assets/uploader.swf.
CVE-2010-4209[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1
| through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore/swfstore.swf.
These are fixed in upstream 2.8.2. I couldn't find the patches, and
you're going to need source for the affected swf files anyway (i.e. fix
bug #591199 first).
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4207
http://security-tracker.debian.org/tracker/CVE-2010-4207
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4208
http://security-tracker.debian.org/tracker/CVE-2010-4208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4209
http://security-tracker.debian.org/tracker/CVE-2010-4209
More information about the Pkg-javascript-devel
mailing list