Orbeon 2016.3: YUI version 2.8.1 security Vulnerabilities

Naveen
Hi
We recently upgraded Orbeon to version 2016.3. Our security scan has
identified vulnerabilities in the included YUI 2.8.1 (details below).
My questions are:
1. Is there any version of Orbeon which has YUI version 2.9.1 or above? If
so, we would like to upgrade Orbeon once again.
2. Is it appropriate to just replace YUI version 2.8.1 with 2.9.1 inside
orbeon-resources-public.jar?
-------------- Details -----------------
The library YUI version 2.8.1 has known security issues.
For more information, visit these websites:
http://www.cvedetails.com/cve/CVE-2012-5883/
Affected versions
The vulnerability affects all versions prior to 2.9.1 (between 2.8.0 and
2.9.1).

Thanks
Nav

--
Sent from: http://discuss.orbeon.com/

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Re: Orbeon 2016.3: YUI version 2.8.1 security Vulnerabilities

Alessandro Vernet
Administrator
Hi Nav,

This has been taken care of since 2016.1: not only have all YUI Flash files
been removed (since we don't use them), but the JavaScript code that loads
those files in YUI has been removed as well. For reference, this was issue
2396 (see link below). Since you're on 2016.3, you're all good with this.

https://github.com/orbeon/orbeon-forms/issues/2396

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
Re: Orbeon 2016.3: YUI version 2.8.1 security Vulnerabilities

Naveen
Hi Alex,

Are you referring to the vulnerabilities below (please see attached)? We
have now upgraded to Orbeon 2017.2 but wanted to confirm whether this has
been taken care of. <http://discuss.orbeon.com/file/t375630/Capture.gif>

Re: Orbeon 2016.3: YUI version 2.8.1 security Vulnerabilities

Alessandro Vernet
Administrator
Hi Nav,

Yes, you're good with this as well: CVE-2012-5882
<https://www.cvedetails.com/cve/CVE-2012-5882/> has also been taken care
of since 2016.1, as all YUI Flash files have been removed, as part of
#2535 <https://github.com/orbeon/orbeon-forms/issues/2535>.

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
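As an added example (not code from this thread, from Orbeon or from YUI), here is a check a defender can run against the resources jar Nav asked about: it reports the remediation Alex describes (no YUI .swf files left in the jar) separately from the version header, because the scanner still saw 2.8.1 on 2016.3 even though the Flash files were already gone, so a version string alone cannot tell the two states apart. The path prefix ops/yui/ and the in-memory sample jar are assumptions made for the example.

```python
import io
import re
import zipfile

# Assumed YUI path prefix inside the jar (an assumption; the thread does not give the layout).
YUI_PREFIX = "ops/yui/"
# YUI 2 source files start with a comment header containing "version: X.Y.Z".
VERSION_RE = re.compile(rb"^\s*version:\s*(\d+\.\d+\.\d+)", re.MULTILINE)

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit_yui_jar(jar_bytes, fixed_version="2.9.1"):
    """Report whether the jar still ships YUI Flash files (flash_removed, the
    remediation the thread describes) and whether the declared YUI version is at
    least fixed_version. No YUI files found means the prefix assumption is wrong."""
    versions, swf_entries = set(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.startswith(YUI_PREFIX):
                continue
            if name.lower().endswith(".swf"):
                swf_entries.append(name)
            elif name.endswith(".js"):
                match = VERSION_RE.search(jar.read(name)[:512])  # header is at the top
                if match:
                    versions.add(match.group(1).decode())
    found = bool(versions or swf_entries)  # guard against a vacuous pass
    return {
        "versions": sorted(versions),
        "swf_entries": swf_entries,
        "flash_removed": found and not swf_entries,
        "version_fixed": bool(versions)
        and all(parse_version(v) >= parse_version(fixed_version) for v in versions),
    }

def build_sample_jar(version, with_swf):
    """Constructed in-memory jar imitating the assumed layout (not a real Orbeon jar)."""
    header = f"/*\nCopyright (c) 2010, Yahoo! Inc.\nversion: {version}\n*/\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(YUI_PREFIX + "yahoo-dom-event/yahoo-dom-event.js", header + "YAHOO={};")
        jar.writestr("ops/javascript/orbeon.js", "// unrelated application script")
        if with_swf:
            jar.writestr(YUI_PREFIX + "uploader/assets/uploader.swf", b"FWS\x0a")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_yui_jar(build_sample_jar("2.8.1", with_swf=False)))  # Flash stripped, as in 2016.1+
```

Run it against a real orbeon-resources-public.jar by passing the file's bytes to audit_yui_jar after adjusting YUI_PREFIX to the path you actually find in the archive.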