Bug#557748: jifty: embeds libjs-yui
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Nov 24 03:37:14 UTC 2009
Package: jifty
Version: 0.90519-1
Severity: important
Tags: security
Hi,
Your package embeds the yahoo ui framework, which is vulnerable to
the following security issue:
CVE-2007-2385[0]:
| The Yahoo! UI framework exchanges data using JavaScript Object
| Notation (JSON) without an associated protection scheme, which allows
| remote attackers to obtain the data via a web page that retrieves the
| data through a URL in the SRC attribute of a SCRIPT element and
| captures the data using other JavaScript code, aka "JavaScript
| Hijacking."
Your package may or may not be vulnerable (please check). Even if it
is not currently vulnerable to this issue, it should be updated to make
use of the system libjs-yui library instead of its own embedded copy.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2385
http://security-tracker.debian.org/tracker/CVE-2007-2385
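
As an added example (not part of the bug report, and not code from YUI or jifty), the following shows one kind of "protection scheme" whose absence the CVE text describes: a JSON response that cannot be parsed as a script, with a helper for checking whether a given response body would be. The guard prefix, function names and sample data are assumptions of this example.

```javascript
// Added illustration; not code from YUI, jifty or the bug report.
// Assumption: the guard prefix is this example's choice. Any leading text
// that makes the response a syntax error when loaded as a script works.
const GUARD = ")]}',\n";

// Server side: serialise the value and prepend the guard.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side: a same-origin caller reads the body as text, so it can
// strip the guard and parse the rest as data. Unguarded bodies are refused.
function parseGuarded(text) {
  if (typeof text !== "string" || !text.startsWith(GUARD)) {
    throw new Error("response is missing the JSON guard prefix");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Audit helper: would this body compile as JavaScript? The Function
// constructor only compiles here; the result is never called. This
// approximates how a SCRIPT element would treat the same bytes.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample data, not taken from any real application.
const sample = [{ user: "alice", email: "alice@example.test" }];

function audit() {
  const bare = JSON.stringify(sample);
  const guarded = guardJson(sample);
  return {
    bareIsScript: parsesAsScript(bare),       // top-level array is valid script
    guardedIsScript: parsesAsScript(guarded), // guard forces a syntax error
    roundTrip: JSON.stringify(parseGuarded(guarded)) === bare,
  };
}

console.log(audit());
```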