oss-sec mailing list archives

YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Security Disclosure


From: Reed Loden <reed () reedloden com>
Date: Sun, 4 Nov 2012 12:34:59 -0800

I haven't seen this posted at all, but it seems there's some (major?)
security issue regarding the SWF files embedded in YUI 2. The YUI team
has published a blog post regarding this problem asking users to e-mail
them for details.

http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/

The comments are a great read. Ryan Grove (former Yahoo! and YUI core
team guy) hits the point on the head regarding disclosure handling of
the issue. Apparently, some people/companies have already been notified
directly weeks ago, and this is how the YUI team is continuing the
disclosure process by just asking projects to e-mail them instead of
just releasing the fix to the public at this stage. :/

Might want to go ahead and get a CVE assigned to whatever this issue
is, and hope more details come out of this soon so YUI 2 users can
actually get patched instead of having to request access to the fix...

~reed
(speaking only for himself)
