oss-sec mailing list archives
Re: YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Security Disclosure
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Nov 2012 17:13:28 -0700
On 11/04/2012 01:34 PM, Reed Loden wrote:
> I haven't seen this posted at all, but it seems there's some (major?)
> security issue regarding the SWF files embedded in YUI 2. The YUI team
> has published a blog post regarding this problem asking users to e-mail
> them for details.
>
> http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
>
> The comments are a great read. Ryan Grove (former Yahoo! and YUI core
> team guy) hits the point on the head regarding disclosure handling of
> the issue. Apparently, some people/companies have already been notified
> directly weeks ago, and this is how the YUI team is continuing the
> disclosure process by just asking projects to e-mail them instead of
> just releasing the fix to the public at this stage. :/
>
> Might want to go ahead and get a CVE assigned to whatever this issue is,
> and hope more details come out of this soon so YUI 2 users can actually
> get patched instead of having to request access to the fix...
>
> ~reed (speaking only for himself)

Have any CVEs been issued for this issue? I can't find any. More to the point, does this kind of issue (is it a service strictly?) even get a CVE? Steve?

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993