[Pkg-javascript-devel] Bug#692434: Affected files included in other packages

Maximiliano Curia maxy at debian.org
Sat Nov 24 12:49:30 UTC 2012


affects 692434 + icinga-web glpi

thanks

Hi,

The yui packages in Debian only include the following files:

/usr/share/doc/libjs-yui-doc/examples/storage/swfstore.swf.gz
/usr/share/doc/libjs-yui-doc/examples/swfstore/swfstore.swf.gz
/usr/share/doc/libjs-yui-doc/examples/uploader/assets/uploader.swf.gz

Since these are example files, we might just remove them.

I'm not sure how to build those files, and the list of md5sums in the
yuilibrary page suggests that it's not expected that users build those.
The build process of yui deletes the distributed swf files, and generates
them again. But it doesn't rebuild the "charts.swf" file.

Not generating the charts.swf file is a real security issue, since this file
is bundled in other packages (icinga-web and glpi), which include the swf
listed as version 2.8.2.

It would be a really good idea to build charts.swf from source, but I'm not
sure how to do it.

Thanks,
-- 
"Programs must be written for people to read, and only incidentally for
machines to execute."
-- Hal Abelson, "Structure and Interpretation of Computer Programs"
Saludos /\/\ /\ >< `/