YUI 3.10.1 Released to Fix SWF Vulnerability

By YUI TeamMay 14, 2013


Due to a recently discovered SWF vulnerability, we are releasing YUI 3.10.1. Any project which is self-hosting YUI 3 .swf files should read the security bulletin and take action to resolve potential vulnerabilities on your servers.

YUI 3.10.1 is identical to 3.10.0, with the vulnerable .swf files replaced with patched files. YUI 3.10.1 also reflects fixes in our build system that prevented some files from being included in the release. No other code changes have been included with this release.

You can find YUI 3.10.1 on the CDN, as a download, and on npm.

Special thanks to Aleksandr Dobkin and Sebastian Roschke of the Google Security Team for reporting the issue.

Note: This vulnerability is also listed under CVE-2013-4939, CVE-2013-4940, CVE-2013-4941, and CVE-2013-4942.

Development continues against our current Development Schedule. Please check out the Change History Rollup for this release.

Deprecated Modules

In accordance with our Deprecation Policy, we are taking this opportunity to announce the deprecation of Simple YUI, and our intention to deprecate all .swf-related features in a future release. Stay tuned to the Contributor Mailing List for ongoing discussion on these topics.