Announcing YUI 3.1.2: Critical Security Update for All YUI 3.1.x/3.2.0pr1 Users
August 19, 2010 at 12:35 pm by Eric Miraglia | In Development

The YUI team released YUI 3.1.2 today. This is an important security update for all users of YUI 3.1.x and 3.2.0pr1. If you are hosting YUI 3.1.x or 3.2.0pr1 on your site, or if you use YUI 3.1.x/3.2.0pr1 IO’s cross-domain functionality, you are affected.
XDR in YUI’s IO utility implements a Flash transport as a fallback for browsers that don’t support native XDR. An error in our implementation of the Flash fallback in YUI versions 3.1.x and 3.2.0pr1 allows the io.swf file to operate unsafely whether served from the Yahoo! CDN or from your own server. The remedy for this problem is twofold:
- If you have deployed the full YUI 3.1.x/3.2.0pr1 build directory to your server, replace build/io/io.swf in the affected version with the version included in YUI 3.1.2. Do so whether or not you are using the IO utility or its XDR feature.
- If you are using IO’s XDR feature, upgrading to the 3.1.2 version of io-swf addresses the security problem. Host version 3.1.2 of io.swf on your own server (this file cannot operate safely from a CDN; it is not included on the CDN as of 3.1.2). If you have been drawing io.swf from http://yui.yahooapis.com, remove this domain from your crossdomain.xml file.
More details about this issue can be found in the IO utility documentation.
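
The last remediation step, removing yui.yahooapis.com from crossdomain.xml, can be checked mechanically. The following is an added example, not code from the YUI team: the sample policy is constructed, and the function names and the handling of `*.` patterns (treated as covering the bare domain as well as its subdomains, so the audit errs on the side of flagging) are assumptions.

```python
import xml.etree.ElementTree as ET

CDN_HOST = "yui.yahooapis.com"  # domain the advisory says to remove

# Constructed sample policy for illustration (not taken from a real site).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="yui.yahooapis.com"/>
  <allow-access-from domain="*.yahooapis.com"/>
  <allow-access-from domain="static.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def grants_access(pattern, host):
    """Return True if a crossdomain.xml domain pattern covers host."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "*":
        return True  # wildcard: every domain is trusted
    if pattern.startswith("*."):
        # Assumption: flag the bare suffix as well as any subdomain.
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return pattern == host


def audit_policy(xml_text, host=CDN_HOST):
    """Return the domain patterns in the policy that still trust host."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter("allow-access-from"):
        pattern = entry.get("domain", "")
        if pattern and grants_access(pattern, host):
            findings.append(pattern)
    return findings


if __name__ == "__main__":
    for pattern in audit_policy(SAMPLE_POLICY):
        print("still trusts %s via domain=%r" % (CDN_HOST, pattern))
```

An empty result means no allow-access-from entry in the policy covers the CDN host; wildcard entries are reported because they grant the same access the advisory asks you to withdraw.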
