Home page logo
/

oss-sec logo oss-sec mailing list archives

YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Security Disclosure
From: Reed Loden <reed () reedloden com>
Date: Sun, 4 Nov 2012 12:34:59 -0800

I haven't seen this posted at all, but it seems there's some (major?)
security issue regarding the SWF files embedded in YUI 2. The YUI team
has published a blog post regarding this problem asking users to e-mail
them for details.

http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/

The comments are a great read. Ryan Grove (former Yahoo! and YUI core
team guy) hits the point on the head regarding disclosure handling of
the issue. Apparently, some people/companies have already been notified
directly weeks ago, and this is how the YUI team is continuing the
disclosure process by just asking projects to e-mail them instead of
just releasing the fix to the public at this stage. :/

Might want to go ahead and get a CVE assigned to whatever this issue
is, and hope more details come out of this soon so YUI 2 users can
actually get patched instead of having to request access to the fix...

~reed
(speaking only for himself)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault