Technical Work
Resolution: Done
Minor
1.3.0-M3
None
We're using an older YUI (2.8.0), which is affected by a security vulnerability regarding hosted .swf files (see http://yuilibrary.com/support/2.8.2/#dropins).
Rather than upgrade to 2.8.2 at this time (due to concerns about YUI backward compatibility), we can patch to replace the 2.8.0 swf files (charts.swf, swfstore.swf, and yui_uploader_270.swf, which is affected but should no longer be needed).
yui 2.8.0:
File: /build/charts/assets/charts.swf
Old MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
New MD5: 25c4e8920988020517d26a3aff582522
Patch: charts.swf
File: /build/uploader/assets/uploader.swf
Old MD5: 52f36a13ac4ee2743531de3e29c0b55c
New MD5: a8a77cd419fedd4ca8b85a88acac327a
Patch: uploader.swf
File: /build/swfstore/swfstore.swf
Old MD5: f619420748b08a2d453c049ef190e2f3
New MD5: 8526b66bd23fe8cebfa3426ad9c74ff0
Patch: swfstore.swf
yui 2.7.0:
File: /build/uploader/assets/uploader.swf
Old MD5: 02e3dab263ab0ed0d2a30bba9e091d96
New MD5: 20fa166d664c0151c1c7fb872104068f
Patch: uploader.swf
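An added example, not part of the original ticket: a check that classifies each SWF listed above as still vulnerable or patched by its MD5, and lists any other .swf under the tree (such as a renamed copy like yui_uploader_270.swf) that the checksum list does not cover. The function names, and the assumption that the listed paths are relative to the root of the matching YUI distribution, are introduced here.

```python
import hashlib
from pathlib import Path

# (old_md5, new_md5) per file, copied from the ticket. Assumption: paths are
# relative to the root of the matching YUI distribution.
YUI_280 = {
    "build/charts/assets/charts.swf": ("59c6e2c9ae7de87f11dd3db3336de8b6", "25c4e8920988020517d26a3aff582522"),
    "build/uploader/assets/uploader.swf": ("52f36a13ac4ee2743531de3e29c0b55c", "a8a77cd419fedd4ca8b85a88acac327a"),
    "build/swfstore/swfstore.swf": ("f619420748b08a2d453c049ef190e2f3", "8526b66bd23fe8cebfa3426ad9c74ff0"),
}
YUI_270 = {
    "build/uploader/assets/uploader.swf": ("02e3dab263ab0ed0d2a30bba9e091d96", "20fa166d664c0151c1c7fb872104068f"),
}

def md5_of(path):
    """Stream the file through MD5 (used only to match the published checksums)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, manifest):
    """Return {relative_path: status}: vulnerable, patched, unknown or missing."""
    results = {}
    for rel, (old, new) in manifest.items():
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
            continue
        digest = md5_of(target)
        results[rel] = "vulnerable" if digest == old else "patched" if digest == new else "unknown"
    return results

def stray_swfs(root, manifest):
    """SWF files under root that the manifest does not cover (e.g. renamed copies)."""
    known = {Path(rel) for rel in manifest}
    found = (p.relative_to(root) for p in Path(root).rglob("*.swf"))
    return sorted(p.as_posix() for p in found if p not in known)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, status in audit(root, YUI_280).items():
        print(f"{status:10} {rel}")
    for rel in stray_swfs(root, YUI_280):
        print(f"{'unlisted':10} {rel}")
```

A status of unknown means the file matches neither checksum, so it is not one of the builds the ticket lists and needs a manual look.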