On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> Bart Martens wrote:
> > Bug 402822 was tagged "security" on 14 Dec 2006. I'm not sure whether
> > your team scans the BTS daily for bugs tagged "security". :)
> >
> > Any suggestions on how to handle this bug?
> >
> > New sarge users won't install the insecure plugin, because installing
> > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin. So
> > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > more secure.
> >
> > Existing sarge users might still be using the insecure plugin. I could
> > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > installing a new plugin, with a debconf dialog at level "critical"
> > explaining the removal and suggesting backports.org.
>
> non-free/contrib isn't supported by the Security Team. However, it appears
> to me as if upgrading Sarge through a stable point update to the latest fixed
> upstream (9.?) would be the best solution. It's a rocky upgrade path, but
> that's what you have to bear when running proprietary software.
So your advice is to create a package for Sarge to install Flash 9. Two questions about that:

1. Must that package be created starting from 7.0.25-5 (ruby), or is it OK to start from 9.0.31.0.1 (shell scripting)?

2. Which procedure must be followed, "uploads to the stable distribution" or "Handling security-related bugs"?

http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security

Regards,

Bart Martens