Your message dated Wed, 02 Apr 2008 19:56:36 +0200
with message-id <[EMAIL PROTECTED]>
and subject line flashplugin-nonfree: removed from stable and from oldstable
has caused the Debian Bug report #433687,
regarding flashplugin-nonfree: Security issue fixed upstream [CVE-2007-2022]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
433687: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433687
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: flashplugin-nonfree
Version: 7.0.25-5
Severity: grave
Tags: security, sarge, upstream, fixed-upstream
Justification: user security hole (and won't install)

Upstream for this package (Adobe) has released versions 7.0.70 and
9.0.48 as security updates for version 7.0.25.  Like Debian, Adobe
appears to be creating backported security updates (versions 7.0.69
and 7.0.68 were also security updates released after a new major
version had been released).

There is also an upstream security bulletin APSB07-12 at
<http://www.adobe.com/support/security/bulletins/apsb07-12.html>;
it cross-references [CVE-2007-2022].  It also cross-references two
other CVE numbers which may only affect versions not in
oldstable (sarge); the Adobe advisory is unfortunately vague on
that.

The upstream security update 9.0.48 has already been included in
unstable, but is not included in stable or oldstable.  The upstream
security update 7.0.70 has not yet been packaged for Debian,
but since this is just an installer package, changing it to refer to
the new upstream version should be trivial.

stable (etch) contains version 9 of this plugin which is not
affected by CVE-2007-2022.  stable is affected by CVE-2007-3456
though, see separate bug report.  CVE-2007-3457 is for upstream
major version 8, which is neither in oldstable nor in stable.

Additional note: as reported in bug #402822, the package currently
in oldstable (sarge) does not install because Adobe has removed the
vulnerable version from its download servers.  Publishing a version of
the oldstable package which downloads upstream version 9.0.48 or 7.0.70
on security.debian.org should fix that too.


-- System Information:
Debian Release: 3.1
  APT prefers oldstable
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21jbj3.4-21
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)


--- End Message ---
--- Begin Message ---
http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080331T151403Z.html
http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080216T124605Z.html




--- End Message ---
