Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 4 Nov 2012 12:34:59 -0800
From: Reed Loden <reed@...dloden.com>
To: <oss-security@...ts.openwall.com>
Subject: YUI 2.x security issue regarding embedded SWF files -- or, How Not
 To Handle A Security Disclosure

I haven't seen this posted at all, but it seems there's some (major?)
security issue regarding the SWF files embedded in YUI 2. The YUI team
has published a blog post regarding this problem asking users to e-mail
them for details.

http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/

The comments are a great read. Ryan Grove (former Yahoo! and YUI core
team guy) hits the point on the head regarding disclosure handling of
the issue. Apparently, some people/companies have already been notified
directly weeks ago, and this is how the YUI team is continuing the
disclosure process by just asking projects to e-mail them instead of
just releasing the fix to the public at this stage. :/

Might want to go ahead and get a CVE assigned to whatever this issue
is, and hope more details come out of this soon so YUI 2 users can
actually get patched instead of having to request access to the fix...

~reed
(speaking only for himself)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.