According to https://helpx.adobe.com/security/products/flash-player/apsb16-25.html the listed CVEs are:
CVE-2016-4172, CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249

I am sorry but I have not tried to pin down which of them actually relate to the Linux OS, but at least one of them seems to be "bad" enough for steps to have been taken to address the issue for "Stable" and "Testing"; it is just that this has not made it back into "OldStable".

As for "affected flashplayer versions", 11.2.202.626 is a victim according to the same web page and 11.2.202.632 is "the cure". Regrettably, flashplugin-nonfree 3.2 from the "OldStable" distribution will leave "626" in place as it does not have the "fixes" that the later versions 3.6.1 or 3.7 have.

I believe that the needed changes are the ones that:

* replace the "get-upstream-version.pl" if it is older than "2016-08-04 09:35" in /usr/sbin/update-flashplugin-nonfree
* revise the user-agent string in the file referred to, i.e. /var/cache/flashplugin-nonfree/get-upstream-version.pl (so it does not have a "KH" in it?) AND do NOT use "fp10" (?) (as a download source).

I would be lying if I said I fully understood the revisions that have been made to the package, but as I understand it these are so that the package does not try to download something with a 20.xxx version number, which "is NOT the file that we are looking for"!

As I said, Firefox is now actively blocking that older flash version so there is a loss of functionality as it attempts to protect users from the vulnerabilities...

I hope that helps!

Regards

Stephen

On 28/08/16 07:05, Bart Martens wrote:
> Control tags 835649 moreinfo
>
> On Sat, Aug 27, 2016 at 11:41:02PM +0100, Stephen Lyons wrote:
>> I believe the version of this package for Debian 7 installations
>> ("OldStable") is *critically* out of date and still has the CVEs that
>> have been addressed by later versions 1:3.6.1 in "Stable" or 1:3.7
>> "Testing" and "Unstable".
>
> Which CVEs exactly?
>
>> For the record, backporting by hand-editing in the differences between
>> 3.2 and 3.7 into the 3.2 version does seem to do the job
>
> Which differences exactly matter?
>
> Regards,
>
> Bart Martens