oss-sec mailing list archives
YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Security Disclosure
From: Reed Loden <reed () reedloden com>
Date: Sun, 4 Nov 2012 12:34:59 -0800
I haven't seen this posted at all, but it seems there's some (major?) security issue regarding the SWF files embedded in YUI 2. The YUI team has published a blog post regarding this problem asking users to e-mail them for details.

http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/

The comments are a great read. Ryan Grove (former Yahoo! and YUI core team guy) hits the point on the head regarding disclosure handling of the issue. Apparently, some people/companies have already been notified directly weeks ago, and this is how the YUI team is continuing the disclosure process by just asking projects to e-mail them instead of just releasing the fix to the public at this stage. :/

Might want to go ahead and get a CVE assigned to whatever this issue is, and hope more details come out of this soon so YUI 2 users can actually get patched instead of having to request access to the fix...

~reed (speaking only for himself)