Why don't provide local YUI Files for security fix

**Steve Machol** · Thu 2 Jun '11, 7:26am

AFAIK there is no known security issue with the .js files. As per this, only the .swf are affected and are not used in 3.8:

Page not found · GitHub Pages

http://yuilibrary.com/support/2.8.2/

If you have proof of an exploit in the .js files, then please provide it.

**ThomasTr** · Fri 3 Jun '11, 8:00am

Hi,

I don't have any exploit in the .js files. But why do you provide an patch for vbulletin which forces users to use 2.9.0 remote and don't patch the local files to 2.9.0 even if the exploited swf files aren't used (local and remote)?

**Steve Machol** · Fri 3 Jun '11, 8:10am

There is no patch because there is no security expolit. You are free to change the one character manually, but that does not really fix anything.

**m0rgulvale** · Sun 12 Jun '11, 9:42pm

ideally it would be nice to have the local files.. i don't want to need to rely on google / yahoo to host these external files forever... what happens if they stop providing the external service? then that will break my site.

please provide the updated local files.

**Samir** · Sun 19 Jun '11, 6:57am

I'm sure there's a way you can download the current version of YUI and put it on your server manually. There's redistribution rules when incorporating software from other authors, so this simply may not have been feasible in order to roll out the patch as quickly as possible.

**BirdOPrey5** · Sun 19 Jun '11, 8:10am

You can download the Yahoo YUI file yourself: http://developer.yahoo.com/yui/2/

vBulletin 3 End of Life

Why don't provide local YUI Files for security fix

Why don't provide local YUI Files for security fix

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics