[dojo-contributors] [SECURITY] New Dojo releases, all versions 1.4 through 1.10

Colin Snover dojo-contributors at zetafleet.com
Mon Dec 8 14:40:35 EST 2014


Hi,

Several cross-site scripting vulnerabilities have been discovered and
fixed in dojox/av, dojox/embed, and dojox/form.

These vulnerabilities only impact users that publish the dojox package.
Users that publish only the dojo and dijit packages are unaffected and
do not need to take any action.

The following new releases contain fixes for the discovered vulnerabilities:

http://downloads.dojotoolkit.org/release-1.4.6/
http://downloads.dojotoolkit.org/release-1.5.5/
http://downloads.dojotoolkit.org/release-1.6.3/
http://downloads.dojotoolkit.org/release-1.7.8/
http://downloads.dojotoolkit.org/release-1.8.9/
http://downloads.dojotoolkit.org/release-1.9.6/
http://downloads.dojotoolkit.org/release-1.10.3/

We recommend you upgrade your Dojo packages. Alternatively, out of an
abundance of caution, you may delete the following files if you do not
use any of these components:

dojox/av/resources/audio.swf
dojox/av/resources/video.swf
dojox/form/uploader.swf
dojox/form/fileuploader.swf

Dojo 1.2 and 1.3 are also impacted, but are end-of-life versions of the
Toolkit and will not receive updates for this or any other issue. Users
still running Dojo 1.2 or 1.3 should upgrade to a newer version of the
Toolkit.

A full announcement with additional details on the vulnerability will be
published to the Dojo Toolkit blog tomorrow.

Regards,

-- 
Colin Snover
http://zetafleet.com
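
The check this advisory implies, written out as an added example (not part of the original message and not Dojo tooling): one function lists every deployed copy of the four SWF files named above, another compares a Dojo version string against the fixed releases listed above. The function names and result labels are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit helpers for a Dojo deployment.

# The four SWF paths the advisory lists as deletable when unused.
ADVISORY_SWF='dojox/av/resources/audio.swf
dojox/av/resources/video.swf
dojox/form/uploader.swf
dojox/form/fileuploader.swf'

# find_dojox_swf ROOT
# Print every regular file under ROOT whose path ends in one of the listed
# paths, so nested or versioned copies of the dojox package are found too.
# Nothing is deleted; the output is a list to review.
find_dojox_swf() {
    root=$1
    printf '%s\n' "$ADVISORY_SWF" | while IFS= read -r rel; do
        find "$root" -type f -path "*/$rel" 2>/dev/null
    done
}

# classify_dojo_version X.Y.Z
# Prints one of (labels are hypothetical, chosen for this example):
#   fixed        at or above the fixed release the advisory lists for the branch
#   upgrade      on a listed branch but below its fixed release
#   end-of-life  1.2 or 1.3: impacted, no update will be issued
#   unknown      not a plain X.Y.Z string, or a branch the advisory does not name
classify_dojo_version() {
    ver=$1
    case $ver in *.*.*) ;; *) echo unknown; return ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case $patch in ''|*[!0-9]*) echo unknown; return ;; esac
    [ "$major" = 1 ] || { echo unknown; return; }
    case $minor in
        2|3) echo end-of-life; return ;;
        4) fixed=6 ;; 5) fixed=5 ;; 6) fixed=3 ;; 7) fixed=8 ;;
        8) fixed=9 ;; 9) fixed=6 ;; 10) fixed=3 ;;
        *) echo unknown; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo upgrade; fi
}
```

Source the file and call `find_dojox_swf` with the directory your web server publishes; the version string for `classify_dojo_version` has to be supplied by you.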


