Re: YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Security Disclosure
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Nov 2012 17:13:28 -0700
-----BEGIN PGP SIGNED MESSAGE-----
On 11/04/2012 01:34 PM, Reed Loden wrote:
> I haven't seen this posted at all, but it seems there's some
> (major?) security issue regarding the SWF files embedded in YUI 2.
> The YUI team has published a blog post regarding this problem
> asking users to e-mail them for details.
>
> The comments are a great read. Ryan Grove (former Yahoo! and YUI
> core team guy) hits the point on the head regarding disclosure
> handling of the issue. Apparently, some people/companies have
> already been notified directly weeks ago, and this is how the YUI
> team is continuing the disclosure process by just asking projects
> to e-mail them instead of just releasing the fix to the public at
> this stage. :/
>
> Might want to go ahead and get a CVE assigned to whatever this
> issue is, and hope more details come out of this soon so YUI 2
> users can actually get patched instead of having to request access
> to the fix...
>
> ~reed (speaking only for himself)
Have any CVEs been issued for this issue? I can't find any. More to
the point, does this kind of issue (is it a service strictly?) even get
a CVE? Steve?
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----