
Re: flashplugin-nonfree 9.0.48.0.1etch1 for Stable



On Thu, Jul 26, 2007 at 08:28:41AM +0200, Bart Martens wrote:
> Hi Stable Debian-Release,
> Hi Security Team,
> 

Not speaking in any official capacity here, but:

Let's have a look at the vulnerabilities which still affect etch:
CVE-2007-2022 - "Unspecified vulnerability ... unspecified impact and
                 remote attack vectors." but looks like a keylogger if
                 someone visits a malicious webpage.
CVE-2007-3456 - "Unspecified vulnerability .. related to an input
                 validation error." - arbitrary code execution.

So fairly serious.

It seems that 9.0.45.0 was only for Mac/Windows, and 9.0.47.0/9.0.48.0
are only for Linux.
AFAICT, 9.0.48.0 is 9.0.31.0 + security fixes (as described in
APSB07-12[0]), except for sparc, which implements the 9.0.31.0 features
for that arch (probably a good thing).

> 1. We could flashplugin-nonfree 9.0.48.0.1etch1 to Stable soon.  The
> only change is the update of the MD5 checksums.  Obviously the upstream
> Flash plugin itself may have been modified heavily, no idea.
> 2. I can create a special flashplugin-nonfree package for Stable to
> remove the insecure plugin from the Stable systems, notifying the users
> of this removal, and suggesting that they use Backports.

I'd suggest heavy testing (if this hasn't been done already) on the
9.0.48.0 package with the aim of working out if new features have been
added.

If not, then it may be possible that this really is a bugfix only
release, and IMO would be suitable for an update.

Neil
[0] http://www.adobe.com/go/apsb07-12
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3
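The package change Bart describes above (the only diff in 9.0.48.0.1etch1 being updated MD5 checksums, because flashplugin-nonfree downloads the upstream plugin at install time and verifies it against pinned digests) is a pin-by-digest integrity check. The following is an added example, not code from the Debian package or from anyone in this thread, showing that pattern as a POSIX shell function: it hashes the fetched file with the coreutils `md5sum`/`sha256sum` tools, compares the result with a pinned digest, and fails closed on any mismatch or unsupported algorithm. The name `verify_checksum`, the `demo` helper, the sample file contents and the pinned digests are constructed for illustration. MD5 is included because that is what the package uses; SHA-256 is shown alongside it because MD5 is no longer collision-resistant and a new pin should not rely on it alone.

```shell
#!/bin/sh
# Added example: pin-by-digest verification of a downloaded artifact.
# Not code from flashplugin-nonfree; the function name, the sample file
# and the pinned digests below are constructed for illustration.

# verify_checksum FILE EXPECTED_DIGEST [ALGO]
#   ALGO is md5 (default) or sha256; uses coreutils md5sum / sha256sum.
#   Returns 0 when FILE's digest equals EXPECTED_DIGEST, 1 on mismatch or
#   missing file, 2 on an unsupported algorithm. Never returns 0 by accident:
#   an empty or unreadable digest compares unequal to the pinned value.
verify_checksum() {
    file=$1
    expected=$2
    algo=${3:-md5}

    case "$algo" in
        md5|sha256) ;;
        *) echo "verify_checksum: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac

    [ -f "$file" ] || { echo "verify_checksum: no such file: $file" >&2; return 1; }

    # "${algo}sum" prints "<digest>  <filename>"; keep only the digest field.
    actual=$("${algo}sum" "$file" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_checksum: $algo mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demonstration with a constructed file standing in for the downloaded
# upstream plugin archive.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"   # constructed sample content, not a real plugin

    # Digests of the constructed content above, pinned the way a downloader
    # package pins the digest of the upstream file it expects to fetch.
    verify_checksum "$tmp" b1946ac92492d2347c6235b4d2611184 md5 && echo "md5 pin OK"
    verify_checksum "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sha256 && echo "sha256 pin OK"

    # A tampered file, or an upstream that silently re-released the same
    # version with different contents, must be rejected rather than installed.
    printf 'tampered\n' > "$tmp"
    if verify_checksum "$tmp" b1946ac92492d2347c6235b4d2611184 md5; then
        echo "unexpected: tampered file passed"
    else
        echo "tampered file rejected"
    fi
    rm -f "$tmp"
}

demo
```

In a downloader package the pinned digest is the only thing standing between the user and whatever the upstream URL currently serves, so a checksum update like the one in 9.0.48.0.1etch1 deserves the same review as a code change: the reviewer has to know what the newly pinned bytes contain, which is exactly the testing Neil asks for above.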
