Package: flashplugin-nonfree
Severity: grave
Tags: wontfix, security, help

I'm tagging this bug "wontfix" to express that I don't intend to spend
time on this old version of flashplugin-nonfree written in Ruby in
"oldstable".  As said before on bugs 433687 and 402822, NMU welcome.

--- Begin Message ---
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for flashplugin-nonfree some time ago.

CVE-2005-2628[0]:
| Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to
| execute arbitrary code via a SWF file with a modified frame type
| identifier that is used as an out-of-bounds array index to a function
| pointer.

CVE-2005-3591[1]:
| Macromedia Flash plugin (1) Flash.ocx 7.0.19.0 (Windows) and earlier
| and (2) libflashplayer.so before 7.0.25.0 (Unix) allows remote
| attackers to cause a denial of service (crash) and possibly execute
| arbitrary code via parameters to the ActionDefineFunction ActionScript
| call in a SWF file, which causes an improper memory access condition,
| a different vulnerability than CVE-2005-2628.

CVE-2006-5330[2]:
| CRLF injection vulnerability in Adobe Flash Player plugin 9.0.16 and
| earlier for Windows, 7.0.63 and earlier for Linux, 7.x before 7.0 r67
| for Solaris, and before 9.0.28.0 for Mac OS X, allows remote attackers
| to modify HTTP headers of client requests and conduct HTTP Request
| Splitting attacks via CRLF sequences in arguments to the ActionScript
| functions (1) XML.addRequestHeader and (2) XML.contentType.  NOTE: the
| flexibility of the attack varies depending on the type of web browser
| being used.

Unfortunately the vulnerabilities described above are not important enough
to get them fixed via a regular security update in Debian oldstable. They do
not warrant a DSA.

However it would be nice if this could get fixed via a regular point update.
Please contact the release team for this.

This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.

You can see the status of this vulnerability on:
http://security-tracker.debian.net/tracker/CVE-2005-2628
http://security-tracker.debian.net/tracker/CVE-2005-3591
http://security-tracker.debian.net/tracker/CVE-2006-5330

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2628
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3591
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5330

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpz9T4z5llLx.pgp
Description: PGP signature


--- End Message ---
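CVE-2005-2628 above describes a frame type identifier taken from the SWF file and used, unchecked, as an index into a table of function pointers. The following is an added illustration of that pattern and its fix, written for this page; it is not code from flashplugin-nonfree, Adobe or Debian, and the record layout (a one-byte type, a one-byte length, then payload) and the three handler names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed dispatch table: one handler per known tag/frame type.
 * Each handler just returns a distinct value so the dispatch can be checked. */
typedef int (*tag_handler_t)(const uint8_t *payload, size_t len);

static int handle_show_frame(const uint8_t *p, size_t n)   { (void)p; (void)n; return 1; }
static int handle_define_shape(const uint8_t *p, size_t n) { (void)p; (void)n; return 2; }
static int handle_place_object(const uint8_t *p, size_t n) { (void)p; (void)n; return 3; }

static const tag_handler_t handlers[] = {
    handle_show_frame,
    handle_define_shape,
    handle_place_object,
};
#define NUM_HANDLERS (sizeof handlers / sizeof handlers[0])

/* The pattern the CVE describes: the file-controlled type value indexes the
 * table with no range check, so a large value reads a "function pointer" from
 * whatever memory follows the table and calls it. Kept only for comparison. */
int dispatch_unchecked(uint16_t type, const uint8_t *payload, size_t len)
{
    return handlers[type](payload, len);
}

/* Hardened form: the identifier is validated against the table size before
 * it is used as an index; unknown types are rejected, never dispatched. */
int dispatch_checked(uint16_t type, const uint8_t *payload, size_t len)
{
    if (type >= NUM_HANDLERS || handlers[type] == NULL)
        return -1;  /* unknown tag type: reject the record */
    return handlers[type](payload, len);
}

/* Parse one constructed record [type:u8][len:u8][payload:len] from an untrusted
 * buffer. Both the type and the payload length come from the file, so both are
 * checked before any memory is touched. Returns the handler result or -1. */
int parse_record(const uint8_t *buf, size_t buflen)
{
    if (buf == NULL || buflen < 2)
        return -1;                       /* truncated header */
    uint16_t type = buf[0];
    size_t len = buf[1];
    if (len > buflen - 2)
        return -1;                       /* payload runs past the buffer */
    return dispatch_checked(type, buf + 2, len);
}
```

The fix is the single comparison in dispatch_checked: the index must be validated against the number of entries actually in the table, not against the width of the field it was read from, and the same rule applies to the length field in parse_record.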
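CVE-2006-5330 above is a CRLF injection: a value passed to XML.addRequestHeader or XML.contentType reaches the outgoing HTTP request verbatim, so an embedded CR LF ends the header line and lets the caller add headers or split the request. The check below is an added example of how an HTTP client library can reject such values before a header is formatted; it is written for this page, not taken from Flash Player or from Debian, and the function names are the author's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A header field name must be an RFC 7230 token: ALPHA / DIGIT / "!#$%&'*+-.^_`|~".
 * Anything else (including ':' and whitespace) would change how the line parses. */
bool header_name_is_safe(const char *name)
{
    static const char extra[] = "!#$%&'*+-.^_`|~";
    if (name == NULL || *name == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        bool alnum = (*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z') ||
                     (*p >= '0' && *p <= '9');
        if (!alnum && strchr(extra, *p) == NULL)
            return false;
    }
    return true;
}

/* A header value may not contain CR or LF (which terminate the header line and
 * enable request splitting), NUL, DEL, or any other control character except
 * horizontal tab. */
bool header_value_is_safe(const char *value)
{
    if (value == NULL)
        return false;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n')
            return false;                /* line terminator: injection attempt */
        if (*p < 0x20 && *p != '\t')
            return false;                /* other control characters */
        if (*p == 0x7f)
            return false;                /* DEL */
    }
    return true;
}

/* Format "Name: value\r\n" into out. Returns the number of bytes written, or -1
 * if either part fails validation or the buffer is too small. Only this function
 * is allowed to emit the CR LF that ends a header line. */
int format_header(const char *name, const char *value, char *out, size_t outsz)
{
    if (!header_name_is_safe(name) || !header_value_is_safe(value))
        return -1;
    int n = snprintf(out, outsz, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                       /* truncated: do not send a partial line */
    return n;
}
```

Rejecting the value outright, rather than stripping the CR and LF, is deliberate: a sanitised value silently changes what the application asked to send, while a rejection surfaces the bad input to the caller and is easy to log.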

Attachment: signature.asc
Description: This is a digitally signed message part