Bug#557748: jifty: embeds libjs-yui

Michael Gilbert michael.s.gilbert at gmail.com
Tue Nov 24 03:37:14 UTC 2009


Package: jifty
Version: 0.90519-1
Severity: important
Tags: security

Hi,

Your package embeds the yahoo ui framework, which is vulnerable to
the following security issue:

CVE-2007-2385[0]:
| The Yahoo! UI framework exchanges data using JavaScript Object
| Notation (JSON) without an associated protection scheme, which allows
| remote attackers to obtain the data via a web page that retrieves the
| data through a URL in the SRC attribute of a SCRIPT element and
| captures the data using other JavaScript code, aka "JavaScript
| Hijacking."

Your package may or may not be vulnerable (please check).  Even if it
is not currently vulnerable to this issue, it should be updated to make
use of the system libjs-yui library instead of its own embedded copy.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2385
    http://security-tracker.debian.org/tracker/CVE-2007-2385
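
For the "please check" step, the following added example (not part of the original report, and not jifty or YUI code) shows one form of the "protection scheme" the CVE text says is missing: a response prefix that does not parse as script, plus a required custom request header. The prefix string, the header name and all function names are assumptions chosen for illustration.

```javascript
// Added example: JSON protection scheme sketch. Prefix and header are assumptions.
const JSON_PREFIX = ")]}',\n";

// Server side: serialize with a prefix that is a syntax error in script context.
function protectJson(data) {
  return JSON_PREFIX + JSON.stringify(data);
}

// Client side: accept only bodies that carry the prefix, then parse the rest.
function parseProtected(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error("response lacks the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Compile (never run) a body as script source, which is how a SCRIPT element
// would treat it. Returns false when the body is not valid script.
function parsesAsScript(body) {
  try {
    new Function(body); // compiles only; the function is never called
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Server side: a SCRIPT element cannot attach custom request headers, so a
// JSON endpoint can refuse requests that arrive without one.
function allowJsonRequest(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  return lower["x-requested-with"] === "XMLHttpRequest";
}

// Constructed sample data, not taken from any real application.
const sample = [{ user: "alice", email: "alice@example.test" }];
const bare = JSON.stringify(sample);   // top-level array: valid script source
const guarded = protectJson(sample);   // prefixed: rejected by a script parser
```

A bare top-level array is the response shape to look for when auditing endpoints, since it compiles as script while a bare top-level object does not.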




