retitle 694642 glpi: embeds vulnerable and apparently useless SWF library
severity 694642 important
thanks

Hi,

I just had a look at the GLPI source, and here are my findings:

 * the charts.swf file is indeed a vulnerable version;
 * however, the JavaScript library points to https://yui.yahooapis.com/2.8.2/build/charts/assets/charts.swf instead of the embedded copy (urrrgh, not even https);
 * anyway, this part of the API does not seem to be used from anywhere in the actual GLPI code (GLPI generates SVG graphs, not SWF ones).

So I don’t think it has an actual impact, although it should certainly be removed from the binary package.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-
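
The first two checks in the message above (is a SWF copy shipped in the tree, and does anything reference the local copy or a remote one) can be repeated on any unpacked source tree. The script below is an added example, not part of the original message and not GLPI or Debian code; the directory layout, the `swfUrl` variable and the file contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SWF_REF = re.compile(r"""["']([^"']*\.swf)["']""", re.I)   # quoted *.swf strings
REMOTE = re.compile(r"^(https?:)?//", re.I)                # absolute or scheme-relative URL
SOURCE_SUFFIXES = {".js", ".php", ".html", ".tpl"}

def audit_swf(root):
    """List embedded SWF files, every quoted .swf reference in source files,
    and the embedded copies that no local (non-remote) reference points to."""
    root = Path(root)
    embedded = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.swf"))
    references = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        for match in SWF_REF.finditer(path.read_text(errors="replace")):
            target = match.group(1)
            references.append((path.relative_to(root).as_posix(), target,
                               bool(REMOTE.match(target))))
    # An embedded copy counts as referenced only if a local path names it.
    local_names = {Path(t).name for _, t, remote in references if not remote}
    unreferenced = [e for e in embedded if Path(e).name not in local_names]
    return {"embedded": embedded, "references": references,
            "unreferenced": unreferenced}

def build_sample_tree(root):
    """Constructed sample tree mirroring the situation described in the message."""
    assets = Path(root, "lib/yui/charts/assets")
    assets.mkdir(parents=True)
    (assets / "charts.swf").write_bytes(b"FWS constructed placeholder")
    Path(root, "lib/yui/charts/charts.js").write_text(
        'var swfUrl = "https://yui.yahooapis.com/2.8.2/build/charts/assets/charts.swf";\n')
    Path(root, "front").mkdir()
    Path(root, "front/graph.php").write_text("<?php echo '<svg></svg>';\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_swf(tmp)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

An embedded file listed under `unreferenced` is a candidate for removal from the binary package; a reference flagged as remote means the page would load the file from a third-party host rather than from the packaged copy.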