[Pkg-javascript-devel] Bug#692434: Bug#692434: Affected files included in other packages
Jonas Smedegaard
dr at jones.dk
Sat Nov 24 13:43:02 UTC 2012
Quoting Maximiliano Curia (2012-11-24 13:49:30)
> I'm not sure how to build [SWF] files, and the list of md5sums in the
> yuilibrary page suggests that it's not expected that users build those.
> The build process of yui deletes the distributed swf files, and generates
> them again. But it doesn't rebuild the "charts.swf" file.
Beware that upstream commonly does not distinguish between
(re)distributors and (end-)users.
Debian Policy mandates that we compile from (true!) source, no matter if
upstream encourages that or not.
> Not generating the charts.swf file is a real security issue, since
> this file is bundled in other packages (icinga-web and glpi), which
> include the swf listed as version 2.8.2.
Convenience copies of code from other upstream projects should always be
reported to the security team, not only _when_ they become a security
issue: please report the ones above to the security team!
> It would be a really good idea to build charts.swf from source, but
> I'm not sure how to do it.
Neither am I, but I know that Debian contains some SWF compilers...
- Jonas
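The two problems raised in this thread, a shipped binary that the build does not regenerate and verbatim copies of it bundled in other packages, can both be surfaced by hashing. The following is an added example, not code from the thread or from the yui packaging; it assumes the upstream md5 list is available as a set of hex strings, and every path and file content in it is a constructed stand-in.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def md5_of(path):
    """Hex MD5 of a file; used only to identify identical copies, not as an integrity check."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_bundled_copies(root, upstream_md5s, suffix=".swf"):
    """Group every `suffix` file under `root` by MD5 and return (unrebuilt, duplicates):
    unrebuilt  = paths matching an upstream-distributed hash (shipped verbatim, not rebuilt);
    duplicates = hash -> paths seen in more than one top-level package dir (convenience copies)."""
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffix):
                path = os.path.join(dirpath, name)
                by_hash[md5_of(path)].append(path)
    unrebuilt = sorted(p for h, paths in by_hash.items() if h in upstream_md5s for p in paths)
    duplicates = {}
    for h, paths in by_hash.items():
        pkgs = {os.path.relpath(p, root).split(os.sep)[0] for p in paths}
        if len(pkgs) > 1:  # the same binary shipped by several packages
            duplicates[h] = sorted(paths)
    return unrebuilt, duplicates

def build_sample_tree():
    """Constructed sample tree: yui and icinga-web ship the same prebuilt charts.swf, glpi a rebuilt one."""
    root = tempfile.mkdtemp()
    prebuilt = b"FWS\x08CONSTRUCTED-UPSTREAM-CHARTS-2.8.2"  # stand-in for upstream's shipped binary
    rebuilt = b"FWS\x08CONSTRUCTED-REBUILT-FROM-SOURCE"
    layout = {"yui/build/charts/charts.swf": prebuilt,
              "icinga-web/lib/yui/charts.swf": prebuilt,
              "glpi/lib/yui/charts.swf": rebuilt}
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    upstream_md5s = {hashlib.md5(prebuilt).hexdigest()}  # what an upstream md5 list would provide
    return root, upstream_md5s
```

Run `find_bundled_copies(root, upstream_md5s)` over an unpacked set of source packages; a path in `unrebuilt` is a binary that was never regenerated from source, and each entry in `duplicates` is a copy worth reporting so that a fix to one package is not missed in the others.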