CVE-2012-5883, CVE-2012-5882, CVE-2012-5881 - YUI 2.x security issue regarding embedded SWF files

Debian Bug report logs - #693608

Package: yui; Maintainer for yui is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 18 Nov 2012 14:33:02 UTC

Severity: grave

Tags: patch, security

Merged with 692434

Fixed in version yui/2.9.0.dfsg.0.1-0.1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#693608; Package yui. (Sun, 18 Nov 2012 14:33:04 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 18 Nov 2012 14:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: yui: multiple cross-site scripting issues in the flash component infrastructure
Date: Sun, 18 Nov 2012 15:29:05 +0100
Package: yui
Severity: grave
Tags: security

Hi,
the following vulnerabilities were published for yui.

CVE-2012-5883[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
| and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
| 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore.swf, a similar issue to
| CVE-2010-4209.

CVE-2012-5882[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to
| uploader.swf, a similar issue to CVE-2010-4208.

CVE-2012-5881[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to charts.swf,
| a similar issue to CVE-2010-4207.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
    http://security-tracker.debian.org/tracker/CVE-2012-5883
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
    http://security-tracker.debian.org/tracker/CVE-2012-5882
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
    http://security-tracker.debian.org/tracker/CVE-2012-5881
    http://yuilibrary.com/support/20121030-vulnerability/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#693608; Package yui. (Sat, 02 Feb 2013 12:42:05 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 02 Feb 2013 12:42:05 GMT)


Message #10 received at 693608@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 692434@bugs.debian.org, 693608@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Merging
Date: Sat, 2 Feb 2013 12:39:05 +0000
merge 692434 693608
retitle 692434 CVE-2012-5883, CVE-2012-5882, CVE-2012-5881 - YUI 2.x security issue regarding embedded SWF files
thanks

These two bugs are the same (reference:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5883
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5882
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5881
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5475

Note that CVE-2012-5475 has been rejected as being a duplicate of
the first three, so retitling.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#693608; Package yui. (Sat, 02 Feb 2013 12:48:09 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 02 Feb 2013 12:48:09 GMT)


Message #15 received at 693608@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 692434@bugs.debian.org, 693608@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Merging
Date: Sat, 2 Feb 2013 12:45:05 +0000
# Bug cloned for those
affects 692434 - icinga-web glpi
# Duplicate
merge 692434 693608
retitle 692434 CVE-2012-5883, CVE-2012-5882, CVE-2012-5881 - YUI 2.x security issue regarding embedded SWF files
thanks

These two bugs are the same (reference:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5883
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5882
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5881
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5475

Note that CVE-2012-5475 has been rejected as being a duplicate of
the first three, so retitling.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Merged 692434 693608 Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 02 Feb 2013 12:48:12 GMT)


Changed Bug title to 'CVE-2012-5883, CVE-2012-5882, CVE-2012-5881 - YUI 2.x security issue regarding embedded SWF files' from 'yui: multiple cross-site scripting issues in the flash component infrastructure' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 02 Feb 2013 12:48:13 GMT)


Added tag(s) patch. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 02 Feb 2013 16:42:09 GMT)


Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 02 Feb 2013 16:42:10 GMT)


Message #24 received at 692434-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 692434-close@bugs.debian.org
Subject: Bug#692434: fixed in yui 2.9.0.dfsg.0.1-0.1
Date: Thu, 07 Feb 2013 12:19:08 +0000
Source: yui
Source-Version: 2.9.0.dfsg.0.1-0.1

We believe that the bug you reported is fixed in the latest version of
yui, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated yui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 11:54:19 +0000
Source: yui
Binary: libjs-yui libjs-yui-doc
Architecture: source all
Version: 2.9.0.dfsg.0.1-0.1
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libjs-yui  - Yahoo User Interface Library
 libjs-yui-doc - Documentation and examples for the Yahoo User Interface Library
Closes: 591199 692434
Changes: 
 yui (2.9.0.dfsg.0.1-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Disable installation of uploader.swf and swfstore.swf as examples
     owing to unfixed security issues (Closes: #692434)
   * Repack orig.tar.gz to remove all SWF files, including those
     without source (Closes: #591199)
Checksums-Sha1: 
 e7945d332e3a9deba6acc5f19d032609372c9b11 1443 yui_2.9.0.dfsg.0.1-0.1.dsc
 4602442034cf4b0a9ab12370ba94f7e6fce80649 10944741 yui_2.9.0.dfsg.0.1.orig.tar.gz
 ecad33d65a1968cc80d495456e0d5ef3fec85037 24422 yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 6e312ccd553ef1eb33760c663248a2557b066b13 2478182 libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 16c824112ef7c4da3dae97cacf52ce528d016c62 7670202 libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb
Checksums-Sha256: 
 5d39440dbf4da7a57b77441599c09a0513267a319f4ae623754ca4b948595596 1443 yui_2.9.0.dfsg.0.1-0.1.dsc
 aa3a2f09edb65cf0b6261164bece9f4f7784f2eb2c9363fa2c5f111d452169aa 10944741 yui_2.9.0.dfsg.0.1.orig.tar.gz
 d61ebf8154b54868805535a1ba0175ff90c07d84f0bdc46356056a69c38f84a6 24422 yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 6281b3dbc0a13ba1e455d4841e7df95d49c2ff1cb9a02bde50bc35042337d5bf 2478182 libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 df795b752c806bccc05d957fbb9c04061487cf5e2b3140333c7fd71195f25d5c 7670202 libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb
Files: 
 a3363dd5c7386ec8979e29ec1b22cde0 1443 web optional yui_2.9.0.dfsg.0.1-0.1.dsc
 b6e5418833e342e9dcaaf7b451657346 10944741 web optional yui_2.9.0.dfsg.0.1.orig.tar.gz
 a58439ee57db6cd2641652fec8e40811 24422 web optional yui_2.9.0.dfsg.0.1-0.1.debian.tar.gz
 0deff15a4a40ba4f03e34e66e271e88c 2478182 web optional libjs-yui_2.9.0.dfsg.0.1-0.1_all.deb
 a03aa9a7315e5b92db238a3e5cd5bac3 7670202 doc optional libjs-yui-doc_2.9.0.dfsg.0.1-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRDlC/YzuFKFF44qURAlo7AJ9V8NZHNEdPfDlxkv4nCkql3215oQCdGf5W
eWHQrU4WTBbwfbMg8jHE9uc=
=enZY
-----END PGP SIGNATURE-----
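The changelog above fixes the bug by not shipping the affected SWF files at all rather than patching them. The following POSIX shell functions are an added example, not code from this bug log, the yui project or the Debian package: they audit a web root or unpacked source tree for the three SWF components named in the CVEs (charts.swf, uploader.swf, swfstore.swf) and strip them the same way the fixed package does. The directory layout built by make_sample_tree is constructed to resemble a YUI 2.x build tree and is illustrative only; every function name here is this example's own.

```shell
#!/bin/sh
# Added example (not from the yui project or the Debian package): audit a
# directory tree for the YUI 2.x Flash components named in CVE-2012-5881
# (charts.swf), CVE-2012-5882 (uploader.swf) and CVE-2012-5883
# (swfstore.swf), and optionally remove them, mirroring the Debian fix that
# dropped these files from the package. All names below are this example's own.

YUI_SWF_NAMES="charts.swf uploader.swf swfstore.swf"

# find_yui_swfs DIR: print each affected SWF found under DIR, one per line.
# Matching is case-insensitive so a Charts.SWF on a case-preserving copy is
# still reported. Returns 0 if at least one file was found, 1 otherwise.
find_yui_swfs() {
    dir=$1
    status=1
    for name in $YUI_SWF_NAMES; do
        hits=$(find "$dir" -type f -iname "$name" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            status=0
        fi
    done
    return $status
}

# count_yui_swfs DIR: print the number of affected SWF files under DIR.
count_yui_swfs() {
    total=0
    for name in $YUI_SWF_NAMES; do
        n=$(find "$1" -type f -iname "$name" 2>/dev/null | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# strip_yui_swfs DIR: delete the affected SWF files under DIR and print how
# many were removed. Serving the JavaScript parts of YUI 2.x without the SWFs
# is what the fixed Debian package does; pages that relied on the Flash
# charts, uploader or storage widgets lose that functionality.
strip_yui_swfs() {
    before=$(count_yui_swfs "$1")
    for name in $YUI_SWF_NAMES; do
        find "$1" -type f -iname "$name" -exec rm -f {} + 2>/dev/null
    done
    echo "$before"
}

# make_sample_tree: build a constructed, throwaway tree that resembles a
# YUI 2.x "build" directory (illustrative layout, not the package's real
# file list). Prints the root path; the caller removes it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/build/charts/assets" "$root/build/uploader/assets" \
             "$root/build/swfstore" "$root/build/yahoo-dom-event"
    : > "$root/build/charts/assets/charts.swf"
    : > "$root/build/uploader/assets/uploader.swf"
    : > "$root/build/swfstore/swfstore.swf"
    : > "$root/build/yahoo-dom-event/yahoo-dom-event.js"
    echo "$root"
}

# Demonstration on the constructed tree: report, strip, then re-check.
demo_root=$(make_sample_tree)
echo "Affected SWFs found under $demo_root:"
find_yui_swfs "$demo_root" || echo "(none)"
echo "Removed: $(strip_yui_swfs "$demo_root")"
echo "Remaining: $(count_yui_swfs "$demo_root")"
rm -rf "$demo_root"
```

To audit a real deployment, call find_yui_swfs on the document root of the web server (for the Debian package, the directory where libjs-yui is installed) and treat a zero exit status as a finding. The Debian repack went further and removed every SWF from the source tarball; the equivalent blanket check is find DIR -type f -iname '*.swf', which also catches copies renamed or vendored under other paths.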




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:32:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:26:16 2019; Machine Name: beach
