Your message dated Thu, 07 Feb 2013 12:19:08 +0000
with message-id <e1u3qry-00054o...@franck.debian.org>
and subject line Bug#692434: fixed in yui 2.9.0.dfsg.0.1-0.1
has caused the Debian Bug report #692434,
regarding CVE-2012-5883, CVE-2012-5882, CVE-2012-5881 - YUI 2.x security issue regarding embedded SWF files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
692434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692434
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: yui
Severity: grave
Tags: security

Hi,
the following vulnerabilities were published for yui.

CVE-2012-5883[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
| and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
| 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore.swf, a similar issue to
| CVE-2010-4209.

CVE-2012-5882[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to
| uploader.swf, a similar issue to CVE-2010-4208.

CVE-2012-5881[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to charts.swf,
| a similar issue to CVE-2010-4207.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
    http://security-tracker.debian.org/tracker/CVE-2012-5883
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
    http://security-tracker.debian.org/tracker/CVE-2012-5882
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
    http://security-tracker.debian.org/tracker/CVE-2012-5881
    http://yuilibrary.com/support/20121030-vulnerability/

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
--- End Message ---
--- Begin Message ---
Source: yui
Source-Version: 2.9.0.dfsg.0.1-0.1

We believe that the bug you reported is fixed in the latest version of
yui, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated yui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 11:54:19 +0000
Source: yui
Binary: libjs-yui libjs-yui-doc
Architecture: source all
Version: 2.9.0.dfsg.0.1-0.1
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description: 
 libjs-yui  - Yahoo User Interface Library
 libjs-yui-doc - Documentation and examples for the Yahoo User Interface Library
Closes: 591199 692434
Changes: 
 yui (2.9.0.dfsg.0.1-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Disable installation of uploader.swf and swfstore.swf as examples
     owing to unfixed security issues (Closes: #692434)
   * Repack orig.tar.gz to remove all SWF files, including those without
     source (Closes: #591199)
Checksums-Sha1: 
 e7945d332e3a9deba6acc5f19d032609372c9b11 1443 yui_2.9.0.dfsg.0.1-0.1.dsc
 4602442034cf4b0a9ab12370ba94f7e6fce80649 10944741 yui_2.9.0.dfsg.0.1.orig.tar.gz
 ecad33d65a1968cc80d495456e0d5ef3fec85037 24422 yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 6e312ccd553ef1eb33760c663248a2557b066b13 2478182 libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 16c824112ef7c4da3dae97cacf52ce528d016c62 7670202 libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb
Checksums-Sha256: 
 5d39440dbf4da7a57b77441599c09a0513267a319f4ae623754ca4b948595596 1443 yui_2.9.0.dfsg.0.1-0.1.dsc
 aa3a2f09edb65cf0b6261164bece9f4f7784f2eb2c9363fa2c5f111d452169aa 10944741 yui_2.9.0.dfsg.0.1.orig.tar.gz
 d61ebf8154b54868805535a1ba0175ff90c07d84f0bdc46356056a69c38f84a6 24422 yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 6281b3dbc0a13ba1e455d4841e7df95d49c2ff1cb9a02bde50bc35042337d5bf 2478182 libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 df795b752c806bccc05d957fbb9c04061487cf5e2b3140333c7fd71195f25d5c 7670202 libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb
Files: 
 a3363dd5c7386ec8979e29ec1b22cde0 1443 web optional yui_2.9.0.dfsg.0.1-0.1.dsc
 b6e5418833e342e9dcaaf7b451657346 10944741 web optional yui_2.9.0.dfsg.0.1.orig.tar.gz
 a58439ee57db6cd2641652fec8e40811 24422 web optional yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 0deff15a4a40ba4f03e34e66e271e88c 2478182 web optional libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 a03aa9a7315e5b92db238a3e5cd5bac3 7670202 doc optional libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRDlC/YzuFKFF44qURAlo7AJ9V8NZHNEdPfDlxkv4nCkql3215oQCdGf5W
eWHQrU4WTBbwfbMg8jHE9uc=
=enZY
-----END PGP SIGNATURE-----
--- End Message ---
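The fix above does not patch the Flash components; it removes every SWF file from the package, so the practical check on a system that may still carry an older YUI 2.x copy is whether any .swf file remains in the installed tree. The script below is an added example (not part of the bug report, the Debian package, or the YUI project): it walks a directory, lists every SWF it finds, and marks the three files named in CVE-2012-5881, CVE-2012-5882 and CVE-2012-5883. The default path /usr/share/javascript/yui is an assumption, not taken from the messages above.

```shell
#!/bin/sh
# Added example, not from the bug report or the yui package: audit an
# installed YUI 2.x tree for Flash components that the fixed Debian
# package (2.9.0.dfsg.0.1-0.1) no longer ships.
# Usage: yui_swf_audit [DIR]   (DIR defaults to an assumed path)

# SWF files named in CVE-2012-5881 / -5882 / -5883 (from the bug report).
KNOWN_SWF="charts.swf uploader.swf swfstore.swf"

# Number of .swf files under $1 (used for scripting/assertions).
yui_swf_count() {
    find "${1:?directory required}" -type f -iname '*.swf' | wc -l | tr -d ' '
}

# Prints every .swf under the directory.  Exit status:
#   0  no SWF files found (matches the state after the Debian fix)
#   1  at least one SWF file found
#   2  directory does not exist
yui_swf_audit() {
    dir="${1:-/usr/share/javascript/yui}"   # default path is an assumption
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    list=$(find "$dir" -type f -iname '*.swf')
    if [ -z "$list" ]; then
        echo "OK: no SWF files under $dir"
        return 0
    fi
    # One path per line; IFS= and read -r keep spaces and backslashes intact.
    printf '%s\n' "$list" | while IFS= read -r f; do
        base=$(basename "$f")
        tag="unexpected SWF"
        for k in $KNOWN_SWF; do
            if [ "$base" = "$k" ]; then
                tag="named in CVE-2012-5881/5882/5883"
            fi
        done
        echo "FOUND: $f ($tag)"
    done
    return 1
}

# Run the audit when a directory is passed on the command line.
if [ -n "${1:-}" ]; then
    yui_swf_audit "$1"
fi
```

A non-zero exit status makes the function usable from a configuration-management or CI check; a clean tree exits 0, which is what a host carrying the repacked Debian package should report.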