YUI 3.10.3 Released to Fix Reintroduced SWF Vulnerability
Update: There was an issue with the downloadable .zip package that prevented successful extraction; this has now been fixed.
We are releasing YUI 3.10.3 today to fix a .swf vulnerability that was inadvertently reintroduced in YUI 3.10.2. Any project that is self-hosting the YUI 3.10.2 io.swf file should upgrade to YUI 3.10.3 to resolve the vulnerability. Any project that is not self-hosting the YUI 3.10.2 io.swf file is not affected by the vulnerability.
We released YUI 3.10.1 last month to correct a .swf vulnerability. Unfortunately, within the 3.10.2 release cycle, one of the older vulnerable .swf files (io.swf) was inadvertently reintroduced to the source tree and distributed in our latest 3.10.2 release in the npm and downloadable
YUI 3.10.3 replaces the vulnerable .swf with the correct patched file; no other code changes are included in this release. Note: this is not a new vulnerability, just a reintroduction of an older .swf file that contained the original vulnerability.
Full details of the original vulnerability are available in the security bulletin.
Delete the File
If you are hosting io.swf but not using it in your application, simply delete the file to resolve the vulnerability.
Replace the Vulnerable Files
If you host and use this functionality, replace io.swf with the patched file provided below.
| Version | Replacement File | Old MD5 | Patched MD5 |
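As an added example (not part of the original post or of the YUI project): a small Python audit that walks a deployment, MD5-hashes every io.swf it finds, and reports whether each copy matches the old (vulnerable) or patched hash from the table above. The two hash constants are placeholders to be filled in from the table, and the sample tree built by demo() is constructed from fake bytes, not real YUI files.

```python
import hashlib
import os
import tempfile

# Placeholders for the "Old MD5" / "Patched MD5" columns of the release table;
# fill them in from the post before auditing a real deployment.
KNOWN_VULNERABLE_MD5 = {"<OLD MD5 FROM RELEASE TABLE>"}
KNOWN_PATCHED_MD5 = {"<PATCHED MD5 FROM RELEASE TABLE>"}


def md5_of_file(path):
    # MD5 only because that is what the table publishes: it identifies which
    # io.swf build is deployed, it is not a tamper-proof integrity check.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest, vulnerable, patched):
    if digest in vulnerable:
        return "vulnerable"  # 3.10.2 build: delete it or replace it with the 3.10.3 file
    if digest in patched:
        return "patched"     # 3.10.1 / 3.10.3 build
    return "unknown"         # neither hash matched: inspect by hand


def audit_tree(root, vulnerable=KNOWN_VULNERABLE_MD5, patched=KNOWN_PATCHED_MD5):
    """Map every io.swf under root (path relative to root, '/'-separated) to its status."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "io.swf":
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify(md5_of_file(full), vulnerable, patched)
    return results


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Audit a constructed sample tree (fake bytes, not real YUI files)."""
    root = tempfile.mkdtemp(prefix="yui-swf-audit-")
    old, new = b"CONSTRUCTED old io.swf", b"CONSTRUCTED patched io.swf"
    _write(os.path.join(root, "app1", "yui", "io", "io.swf"), old)
    _write(os.path.join(root, "app2", "io.swf"), new)
    _write(os.path.join(root, "app3", "io.swf"), b"CONSTRUCTED unrelated build")
    return audit_tree(root, {hashlib.md5(old).hexdigest()}, {hashlib.md5(new).hexdigest()})
```

Any path reported as "vulnerable" still ships the 3.10.2 io.swf and needs one of the two remediations above; "unknown" usually means a locally rebuilt or renamed file that should be checked by hand.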
Plan To Remove All Flash-Based Features
In the future, we plan to remove all Flash-based features from the yui3 repo and instead host the source code in a separate yui3-swfs repo. This will allow projects continued access to the functionality via a compile-yourself and host-yourself model, while removing these problematic features from the core project. We are requesting community feedback on this topic on the mailing list.