Jakob Bohm wrote:
> Package: flashplugin-nonfree
> Version: 7.0.25-5
> Severity: grave
> Tags: security, sarge, upstream, fixed-upstream
> Justification: user security hole (and won't install)
>
> Upstream for this package (Adobe) has released versions 7.0.70 and
> 9.0.48 as security updates for version 7.0.25. Like Debian, Adobe
> appears to be creating backported security updates (versions 7.0.69
> and 7.0.68 were also security updates released after a new major
> version had been released).
>
> There is also an upstream security bulletin APSB07-12 at
> <http://www.adobe.com/support/security/bulletins/apsb07-12.html>;
> it cross-references [CVE-2007-2022]. It also cross-references two
> other CVE numbers which may only affect versions not in
> oldstable (sarge); the Adobe advisory is unfortunately vague on
> that.
>
> The upstream security update 9.0.48 has already been included in
> unstable, but is not included in stable or oldstable. The upstream
> security update 7.0.70 has not yet been packaged for Debian,
> but since this is just an installer package, changing it to refer to
> the new upstream version should be trivial.
>
> stable (etch) contains version 9 of this plugin, which is not
> affected by CVE-2007-2022. stable is affected by CVE-2007-3456
> though; see separate bug report. CVE-2007-3457 is for upstream
> major version 8, which is neither in oldstable nor in stable.
>
> Additional note: as reported in bug #402822, the package currently
> in oldstable (sarge) does not install because Adobe has removed the
> vulnerable version from its download servers. Publishing a version of
> the oldstable package which downloads upstream version 9.0.48 or 7.0.70
> on security.debian.org should fix that too.
Non-free is not supported security-wise, see Debian Security FAQ.

Cheers,
Moritz
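The report above makes a point that is easy to get wrong when checking whether an installed package is affected: Adobe shipped fixes on two separate branches (7.0.70 for the 7.x line, 9.0.48 for the 9.x line), so a plain "is my version greater than 7.0.70?" test misclassifies 7.0.69 (vulnerable, but higher than 7.0.25) and would also pass 9.0.31 (higher than 7.0.70, but below the 9.x fix). The script below is an added example, not code from the bug report or from Debian; it reimplements Debian's package-version ordering (the same rules `dpkg --compare-versions` applies, written here as a self-contained assumption so it runs without dpkg) and then checks an installed `flashplugin-nonfree` version against the fixed version of its own upstream branch. The `FIXED_IN` table is derived from the versions named in the report; the branch-to-fix mapping is an assumption drawn from the report's description of backported updates.

```python
import re

# Fixed upstream versions per major branch, as stated in the bug report.
# Mapping a branch to "its" fix is an assumption based on the report; the
# report says nothing about a fix for the 8.x branch, so it is absent here.
FIXED_IN = {"7": "7.0.70", "9": "9.0.48"}


def _char_order(c):
    """Debian ordering for the non-digit part: '~' sorts before everything
    (even the empty string), letters before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    i = 0
    while i < len(a) or i < len(b):
        ac = _char_order(a[i]) if i < len(a) else 0   # 0 == "end of string"
        bc = _char_order(b[i]) if i < len(b) else 0
        if ac != bc:
            return -1 if ac < bc else 1
        i += 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision fragment by alternating
    non-digit runs (lexical, Debian rules) and digit runs (numeric)."""
    while a or b:
        an = re.match(r"[^0-9]*", a).group(0)
        bn = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(an, bn)
        if r:
            return r
        a, b = a[len(an):], b[len(bn):]
        ad = re.match(r"[0-9]*", a).group(0)
        bd = re.match(r"[0-9]*", b).group(0)
        ai, bi = (int(ad) if ad else 0), (int(bd) if bd else 0)
        if ai != bi:
            return -1 if ai < bi else 1
        a, b = a[len(ad):], b[len(bd):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-debian_revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def upstream_branch(version):
    """Major upstream version, e.g. '7' for '7.0.25-5'."""
    return _split(version)[1].split(".", 1)[0]


def is_fixed(installed):
    """True if the installed version is at or above the fix on its own
    branch, False if below it, None if the report names no fix for that
    branch (so no conclusion can be drawn from it)."""
    fixed = FIXED_IN.get(upstream_branch(installed))
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions: the sarge package from the report, a
    # backported 7.x update that predates the fix, and two 9.x packages.
    for v in ("7.0.25-5", "7.0.69-1", "7.0.70-1", "9.0.31-1", "9.0.48-1"):
        print(v, "fixed" if is_fixed(v) else "NOT fixed")
```

On a real Debian system the comparison itself would be delegated to `dpkg --compare-versions`; the value of the example is the per-branch lookup, which is what turns the report's list of versions into a correct affected/not-affected decision.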