Package: yui
Version: 2.5.0-1
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) IDs were
published for yui.

CVE-2010-4207[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| charts/assets/charts.swf.

CVE-2010-4208[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| uploader/assets/uploader.swf.

CVE-2010-4209[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1
| through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore/swfstore.swf.

These are fixed in upstream 2.8.2. I couldn't find the patches, and
you're going to need source for the affected swf files anyway (i.e.
fix bug #591199 first).

If you fix the vulnerabilities please also make sure to include the
CVE IDs in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4207
    http://security-tracker.debian.org/tracker/CVE-2010-4207
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4208
    http://security-tracker.debian.org/tracker/CVE-2010-4208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4209
    http://security-tracker.debian.org/tracker/CVE-2010-4209