Announcing YUI 2.8.2 — Important Security Update for All Users of YUI 2.4.0-2.8.1

By YUI Team, October 25th, 2010

The YUI team released YUI 2.8.2 today. This release corrects a security-related defect that was introduced in the YUI 2 Flash component infrastructure beginning with the YUI 2.4.0 release. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. Visit the security bulletin for YUI 2.8.2 for full details about how to identify and replace affected files.

If your site hosts a YUI 2 distribution between version 2.4.0 and 2.8.1 that includes the affected .swf files, it is affected by this vulnerability.

If your site loads YUI 2 from Yahoo’s CDN (yui.yahooapis.com) or from Google’s CDN (ajax.googleapis.com), and the files are not hosted on your own domain, you are not affected. YUI 3 is not affected by this issue.

You can download YUI 2.8.2 (and patched versions of YUI 2.4.0-2.8.1) from the YUILibrary.com downloads page.

See the security bulletin for information about how to determine whether your site is affected, how to remedy the problem, and how to verify the fix.
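The announcement puts the exposure condition in two parts: a self-hosted YUI 2 copy with a version in the affected range, and the Flash component .swf files present on your own domain. The script below is an added example (not part of the YUI release or the security bulletin) that walks a web root and reports both facts so an operator can triage quickly. It assumes that YUI 2 module files end with a `YAHOO.register(...)` call carrying a `version: "x.y.z"` string, which is where it reads the installed version from; the directory layout, file names and .swf placeholder bytes in `build_sample_tree` are constructed for the demonstration only, and the real list of affected files comes from the bulletin.

```python
import os
import re
import tempfile

# Version range the announcement names as affected (inclusive).
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 8, 1)

# Assumption: YUI 2 module files end with a registration call such as
#   YAHOO.register("yahoo", YAHOO, {version: "2.8.1", build: "19"});
VERSION_RE = re.compile(r'version\s*:\s*"(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    """Extract (major, minor, patch) from a YUI 2 module file, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(ver):
    """True when the version tuple falls inside 2.4.0 .. 2.8.1."""
    return ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX


def scan_web_root(root):
    """Return (version, swf_paths) for a self-hosted tree under `root`.

    The version is taken from the first yahoo.js found; every .swf file
    under the tree is listed relative to the root.
    """
    version = None
    swfs = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "yahoo.js" and version is None:
                with open(path, encoding="utf-8", errors="replace") as f:
                    version = parse_version(f.read())
            elif name.lower().endswith(".swf"):
                swfs.append(os.path.relpath(path, root))
    return version, sorted(swfs)


def assess(root):
    """Combine both conditions from the announcement into one verdict."""
    version, swfs = scan_web_root(root)
    affected = is_affected_version(version) and bool(swfs)
    return {"version": version, "swf_files": swfs, "affected": affected}


def build_sample_tree(version_str="2.8.1"):
    """Constructed sample layout for the demo; not a real YUI distribution."""
    root = tempfile.mkdtemp(prefix="yui-scan-")
    yahoo_dir = os.path.join(root, "build", "yahoo")
    flash_dir = os.path.join(root, "build", "example", "assets")
    os.makedirs(yahoo_dir)
    os.makedirs(flash_dir)
    with open(os.path.join(yahoo_dir, "yahoo.js"), "w", encoding="utf-8") as f:
        f.write('YAHOO.register("yahoo", YAHOO, {version: "%s", build: "0"});\n'
                % version_str)
    # Placeholder bytes standing in for a hosted Flash component file.
    with open(os.path.join(flash_dir, "example.swf"), "wb") as f:
        f.write(b"FWS")
    return root


if __name__ == "__main__":
    sample = build_sample_tree("2.8.1")
    print(assess(sample))
```

Point `assess()` at the document root of each site you operate; a result with `affected` set means a version in the range plus hosted .swf files, which is the combination the announcement describes. Sites that load YUI only from the Yahoo or Google CDN have no local yahoo.js or .swf files and therefore come back clean, matching the announcement's statement that CDN users are not affected.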

6 Comments

  1. There were some important fixes, which have been marked as 2.NEXT. This one for example:
    http://yuilibrary.com/projects/yui2/ticket/2529136
    I was disappointed to see they were not included in YUI 2.8.2

  2. There are some problems with the YUI 2.8.2 release. Please see my comments on the YUILibrary thread: http://yuilibrary.com/forum/viewtopic.php?f=14&t=5339&start=0

    Thanks,
    Mike

  3. 2.8.2r1 isn’t available from the Google CDN yet.

    http://ajax.googleapis.com/ajax/libs/yui/2.8.2r1/build/yahoo-dom-event/yahoo-dom-event.js

    When will it be available?

    e

  4. Eric — The Google team has the new release and is installing it. We don’t have an ETA, but in the past the process has been completed in a few days. Note, though, that 2.8.1 is safe to use from the Google (or Yahoo) CDN — if that is your usage pattern, there is no compelling reason to update your implementation. -Eric

  5. Iliyan — It has been our policy to isolate security patches in their own release to minimize the potential impact to implementers. There are other bugs worthy of fixing in YUI 2, but this was not the moment to address those. -Eric