YUI 3.10.3 Released to Fix Reintroduced SWF Vulnerability

By YUI Team, June 6, 2013

Update: There was an issue with the downloadable .zip package that prevented successful extraction that has now been fixed.

We are releasing YUI 3.10.3 today to fix a .swf vulnerability that was inadvertently reintroduced in YUI 3.10.2. Any project which is self-hosting the YUI 3.10.2 io.swf file should upgrade to YUI 3.10.3 to resolve the vulnerability. Any project which is not self-hosting the YUI 3.10.2 io.swf file is not affected by the vulnerability.

You can find YUI 3.10.3 on CDN, as a download, and on npm.

Details

We released YUI 3.10.1 last month to correct a .swf vulnerability. Unfortunately within the 3.10.2 release cycle, one of the older vulnerable .swf files (io.swf) was inadvertently reintroduced to the source tree and distributed in our latest 3.10.2 release in the npm and downloadable .zip packages.

YUI 3.10.3 replaces the vulnerable .swf with the correct patched file, and no other code changes have been included with this release. Note: This is not a new vulnerability, just a reintroduction of an older .swf file that contained the original vulnerability.

Full details of the original vulnerability are available in the security bulletin.

Note: This vulnerability is also listed under CVE-2013-4939, CVE-2013-4940, CVE-2013-4941, and CVE-2013-4942.

Resolution

Delete the File

If you are hosting io.swf but not using it in your application, simply delete the file to resolve the vulnerability.

Replace the Vulnerable Files

If you host and use this functionality, replace io.swf with the patched file provided below.

Version   Replacement File   Old MD5                            Patched MD5
3.10.2    io.swf             1e642bb8a5105dc429f8f3979ac559c4   445cb13e3ca4dabe551a57b2bd072754
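The two resolution steps above (delete io.swf if unused, otherwise replace it and confirm the MD5) are easy to get wrong across several web roots, so here is an added example, written for this post and not part of YUI's own code, that walks a directory tree, classifies every io.swf it finds against the two MD5s in the table, and either deletes a vulnerable copy or swaps in a patched copy and verifies the result. The web root path, the `run_demo` helper and the placeholder bytes it writes are assumptions constructed for illustration; only the two MD5 values come from the advisory.

```python
import hashlib
import os
import shutil
import sys
import tempfile

# MD5s published in the YUI 3.10.3 advisory for the 3.10.2 io.swf
VULNERABLE_MD5 = "1e642bb8a5105dc429f8f3979ac559c4"
PATCHED_MD5 = "445cb13e3ca4dabe551a57b2bd072754"


def md5_of_file(path):
    """Stream the file through MD5 so large assets do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest):
    """Map an MD5 hex digest onto the advisory's two known files."""
    if digest == VULNERABLE_MD5:
        return "vulnerable"
    if digest == PATCHED_MD5:
        return "patched"
    return "unknown"  # some other build; inspect by hand rather than assume it is safe


def classify(path):
    return classify_digest(md5_of_file(path))


def scan(root):
    """Return {path: status} for every io.swf under the given web root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "io.swf":
                full = os.path.join(dirpath, name)
                results[full] = classify(full)
    return results


def remediate(path, patched_file=None):
    """Delete a vulnerable io.swf, or replace it when a patched copy is supplied.

    Returns the action taken. Files that are not the known-vulnerable build are
    left alone so an operator can review them.
    """
    status = classify(path)
    if status != "vulnerable":
        return "left: " + status
    if patched_file is None:
        os.remove(path)
        return "deleted"
    shutil.copyfile(patched_file, path)
    # Verify the replacement actually matches the advisory's patched MD5.
    if classify(path) != "patched":
        raise RuntimeError("replacement does not match the advisory's patched MD5: " + path)
    return "replaced"


def run_demo():
    """Build a constructed web root holding a placeholder io.swf (NOT a real SWF)
    and run the scan/remediate flow over it. Returns (statuses, actions)."""
    with tempfile.TemporaryDirectory() as root:
        fake = os.path.join(root, "assets", "yui", "io", "io.swf")
        os.makedirs(os.path.dirname(fake))
        with open(fake, "wb") as f:
            f.write(b"FWS constructed placeholder bytes, not a real io.swf")
        found = scan(root)
        statuses = sorted(found.values())
        actions = [remediate(p) for p in found]
        return statuses, actions


if __name__ == "__main__":
    # Usage: python check_io_swf.py /var/www/htdocs [patched/io.swf]
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    patched = sys.argv[2] if len(sys.argv) > 2 else None
    for path, status in sorted(scan(web_root).items()):
        print(status, path)
        if status == "vulnerable":
            print("  ->", remediate(path, patched))
```

Run it without a second argument to apply the "Delete the File" resolution, or pass the patched io.swf from the 3.10.3 package to apply the "Replace the Vulnerable Files" resolution; the post-copy MD5 check catches a replacement that is not the file the advisory describes.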

Plan To Remove All Flash-Based Features

In the future, we plan to remove all Flash-based features from the yui3 repo and instead host the source code in a separate yui3-swfs repo. This will allow projects continued access to the functionality via a compile-yourself and host-yourself model, while removing these problematic features from the core project. We are requesting community feedback on this topic on the mailing list.