Package: flashplugin-nonfree
Version: 7.0.25-5
Severity: grave
Tags: security, sarge, upstream, fixed-upstream
Justification: user security hole (and won't install)
Upstream for this package (Adobe) has released versions 7.0.70 and 9.0.48 as security updates for version 7.0.25. Like Debian, Adobe appears to be creating backported security updates (versions 7.0.69 and 7.0.68 were also security updates released after a new major version had been released).

There is also an upstream security bulletin, APSB07-12, at <http://www.adobe.com/support/security/bulletins/apsb07-12.html>; it cross-references CVE-2007-2022. It also cross-references two other CVE numbers which may only affect versions not in oldstable (sarge); the Adobe advisory is unfortunately vague on that.

The upstream security update 9.0.48 has already been included in unstable, but is not included in stable or oldstable. The upstream security update 7.0.70 has not yet been packaged for Debian, but since this is just an installer package, changing it to refer to the new upstream version should be trivial.

stable (etch) contains version 9 of this plugin, which is not affected by CVE-2007-2022. stable is affected by CVE-2007-3456 though; see the separate bug report. CVE-2007-3457 is for upstream major version 8, which is neither in oldstable nor in stable.

Additional note: as reported in bug #402822, the package currently in oldstable (sarge) does not install because Adobe has removed the vulnerable version from its download servers. Publishing a version of the oldstable package which downloads upstream version 9.0.48 or 7.0.70 on security.debian.org should fix that too.

-- System Information:
Debian Release: 3.1
  APT prefers oldstable
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21jbj3.4-21
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
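The report's central point is that Adobe fixes the same bulletin on several major branches at once (7.0.70 for the 7.x line, 9.0.48 for the 9.x line), so a naive "installed >= 9.0.48" test would wrongly flag 7.0.70 as vulnerable, and a 7.0.25 installation can be repaired by moving to either fixed release. The following is an added example, not part of the bug report and not a Debian tool, that encodes the CVE-to-branch mapping exactly as the report states it and evaluates an installed Debian package version against it. The function names, the simplified dotted-numeric comparison (no full dpkg ordering with epochs or tildes beyond stripping them) and the sample versions other than 7.0.25-5 are assumptions of this example.

```python
"""Branch-aware "is this version fixed?" check for advisories whose upstream
ships separate fixed releases per major branch.

Added example; the ADVISORY table is transcribed from the bug report above,
everything else (names, simplified version ordering) is an assumption of
this example and not part of Debian's tooling.
"""

# CVE -> {affected upstream major branch: first fixed upstream version}.
# From the report: CVE-2007-2022 affects the 7.x line (fixed in 7.0.70),
# CVE-2007-3456 affects the 9.x line in etch (fixed in 9.0.48), and
# CVE-2007-3457 is for the 8.x line, for which the report names no fix (None).
ADVISORY = {
    "CVE-2007-2022": {7: "7.0.70"},
    "CVE-2007-3456": {9: "9.0.48"},
    "CVE-2007-3457": {8: None},
}


def upstream_version(debian_version):
    """Strip a Debian epoch and revision: '1:7.0.25-5' -> '7.0.25'.

    The installer package's version tracks the upstream plugin version, so the
    upstream part is what the advisory table is keyed on.
    """
    without_epoch = debian_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def parse_version(version):
    """'7.0.25' -> (7, 0, 25).

    Component-wise integer comparison: 7.0.70 > 7.0.9, which a plain string
    comparison would get wrong.
    """
    return tuple(int(part) for part in version.split("."))


def status(debian_version, cve, advisory=ADVISORY):
    """Classify one installed version against one CVE.

    Returns 'not-affected' (branch not listed for this CVE), 'fixed',
    'vulnerable', or 'unknown' (branch listed but no fixed version known).
    """
    installed = parse_version(upstream_version(debian_version))
    branches = advisory[cve]
    major = installed[0]
    if major not in branches:
        return "not-affected"
    fixed = branches[major]
    if fixed is None:
        return "unknown"
    return "fixed" if installed >= parse_version(fixed) else "vulnerable"


def report(debian_version, advisory=ADVISORY):
    """Status of every CVE in the table for one installed package version."""
    return {cve: status(debian_version, cve, advisory) for cve in advisory}


def upgrade_targets(debian_version, advisory=ADVISORY):
    """Fixed upstream releases from the table that are not a downgrade from
    the installed version and leave no CVE vulnerable or unknown.

    For 7.0.25-5 this yields both 7.0.70 and 9.0.48, matching the report's
    statement that pointing the installer at either one fixes oldstable.
    """
    installed = parse_version(upstream_version(debian_version))
    candidates = {v for branches in advisory.values() for v in branches.values() if v}
    return sorted(
        c for c in candidates
        if parse_version(c) >= installed
        and all(status(c, cve, advisory) in ("fixed", "not-affected") for cve in advisory)
    )


if __name__ == "__main__":
    # Constructed usage: the sarge package version named in the report.
    for cve, state in sorted(report("7.0.25-5").items()):
        print(f"{cve}: {state}")
    print("upgrade to any of:", ", ".join(upgrade_targets("7.0.25-5")))
```

The table-driven layout keeps "which branches does this CVE touch" separate from the version comparison, so adding a later bulletin is a data change only; the `unknown` state is deliberately distinct from `vulnerable` so a branch with no known fix is not silently reported as safe.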