Your message dated Fri, 10 Dec 2010 00:34:36 +0000
with message-id <e1pqqww-0000dw...@franck.debian.org>
and subject line Bug#603513: fixed in yui 2.8.2r1~squeeze-1
has caused the Debian Bug report #603513,
regarding yui: multiple xss issues in included swf files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
603513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: yui
Version: 2.5.0-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for yui.

CVE-2010-4207[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| charts/assets/charts.swf.

CVE-2010-4208[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| uploader/assets/uploader.swf.

CVE-2010-4209[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1
| through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore/swfstore.swf.

These are fixed in upstream 2.8.2.  I couldn't find the patches, and
you're going to need source for the affected swf files anyway (i.e. fix
bug #591199 first).

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4207
    http://security-tracker.debian.org/tracker/CVE-2010-4207
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4208
    http://security-tracker.debian.org/tracker/CVE-2010-4208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4209
    http://security-tracker.debian.org/tracker/CVE-2010-4209



--- End Message ---
--- Begin Message ---
Source: yui
Source-Version: 2.8.2r1~squeeze-1

We believe that the bug you reported is fixed in the latest version of
yui, which is due to be installed in the Debian FTP archive:

libjs-yui-doc_2.8.2r1~squeeze-1_all.deb
  to main/y/yui/libjs-yui-doc_2.8.2r1~squeeze-1_all.deb
libjs-yui_2.8.2r1~squeeze-1_all.deb
  to main/y/yui/libjs-yui_2.8.2r1~squeeze-1_all.deb
yui_2.8.2r1~squeeze-1.diff.gz
  to main/y/yui/yui_2.8.2r1~squeeze-1.diff.gz
yui_2.8.2r1~squeeze-1.dsc
  to main/y/yui/yui_2.8.2r1~squeeze-1.dsc
yui_2.8.2r1~squeeze.orig.tar.gz
  to main/y/yui/yui_2.8.2r1~squeeze.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jald...@debian.org> (supplier of updated yui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Dec 2010 06:58:09 -0500
Source: yui
Binary: libjs-yui libjs-yui-doc
Architecture: source all
Version: 2.8.2r1~squeeze-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Jaldhar H. Vyas <jald...@debian.org>
Description: 
 libjs-yui  - Yahoo User Interface Library
 libjs-yui-doc - Documentation and examples for the Yahoo User Interface Library
Closes: 601604 603513
Changes: 
 yui (2.8.2r1~squeeze-1) unstable; urgency=high
 .
   * New upstream version targeted at squeeze.
   * This version updates the flash files included in the package to
     address the issues in CVE-2010-4207, CVE-2010-4208, and CVE-2010-4209
     (Closes: #603513, #601604)
Checksums-Sha1: 
 f26e0de61ae46de33c4a1482736665ff83db9116 1340 yui_2.8.2r1~squeeze-1.dsc
 43dd07f38febf5cbc984efe77ffe35ea0f3cf308 10592116 yui_2.8.2r1~squeeze.orig.tar.gz
 313d3d91ff1a800d38f2ae71b249233dc673e065 4855 yui_2.8.2r1~squeeze-1.diff.gz
 f6aa15c6ce71cb47bbc0fa34ce30a9826f353281 2501262 libjs-yui_2.8.2r1~squeeze-1_all.deb
 f96c45cb643bde02417c626a274e8c0679150f5c 7739666 libjs-yui-doc_2.8.2r1~squeeze-1_all.deb
Checksums-Sha256: 
 8125afb0649545cfd2abc52b047198f536ec8b9ebdbcd0b48785f005b8d3f5ef 1340 yui_2.8.2r1~squeeze-1.dsc
 b9047527bb7b914b3c2ec20f5217268a10bb5d377479c4c054a61992ee4bff2c 10592116 yui_2.8.2r1~squeeze.orig.tar.gz
 bcecaea8f9b1cca247de5ebcf9a0e08cedb0f92e361987088968cc0598107b8f 4855 yui_2.8.2r1~squeeze-1.diff.gz
 69e72d03a89dde983ced0d19a7c642cc8f0551c61077357c3c3161fad21c77f6 2501262 libjs-yui_2.8.2r1~squeeze-1_all.deb
 197a555180730fe787e81699196ef817789b859e03957150513d0338d3bd0185 7739666 libjs-yui-doc_2.8.2r1~squeeze-1_all.deb
Files: 
 2be1371f8abbd3d542e194ca385a1672 1340 web optional yui_2.8.2r1~squeeze-1.dsc
 6723817569b67f678bbb13b9bca08a12 10592116 web optional yui_2.8.2r1~squeeze.orig.tar.gz
 89ef6a3b2fc443a825d0196ce59cf289 4855 web optional yui_2.8.2r1~squeeze-1.diff.gz
 c1bfd2cf0d06726a1983f0a36a795b04 2501262 web optional libjs-yui_2.8.2r1~squeeze-1_all.deb
 53e809f3000d370129009f04b6647172 7739666 doc optional libjs-yui-doc_2.8.2r1~squeeze-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0BctAACgkQ2kYOR+5txmpBeACgmZ2ujURL5nH2RN0tWiDA9m29
9O8An23c5kGlu27dGA6R3qvnkJMZgVFz
=QH0h
-----END PGP SIGNATURE-----



--- End Message ---
