
Re: flashplugin-nonfree 9.0.48.0.1etch1 for Stable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/26/07 17:30, Neil McGovern wrote:
> On Thu, Jul 26, 2007 at 08:28:41AM +0200, Bart Martens wrote:
>> Hi Stable Debian-Release,
>> Hi Security Team,
>>
> 
> Not speaking in any official capacity here, but:
> 
> Let's have a look at the vulnerabilities which still affect etch:
> CVE-2007-2022 - "Unspecified vulnerability ... unspecified impact and
>                  remote attack vectors." but looks like a keylogger if
>                  someone visits a malicious webpage.
> CVE-2007-3456 - "Unspecified vulnerability .. related to an input
>                  validation error." - arbitrary code execution.
> 
> So fairly serious.
> 
> It seems that 9.0.45.0 was only for Mac/Windows, and 9.0.47.0/9.0.48.0
> is only for Linux.
> AFAICT, 9.0.48.0 is 9.0.31.0 + security fixes (as described in
> APSB07-12[0]), except for sparc, which implements the 9.0.31.0 features
> for that arch (probably a good thing).

It apparently also has some feature upgrade(s)/bug fixes, because
.48 plays New York Times videos, whereas .31 would not.

>> 1. We could flashplugin-nonfree 9.0.48.0.1etch1 to Stable soon.  The
>> only change is the update of the MD5 checksums.  Obviously the upstream
>> Flash plugin itself may have been modified heavily, no idea.
>> 2. I can create a special flashplugin-nonfree package for Stable to
>> remove the insecure plugin from the Stable systems, notifying the users
>> of this removal, and suggesting them to use Backports.
> 
> I'd suggest heavy testing (if this hasn't been done already) on the
> 9.0.48.0 package with the aim of working out if new features have been
> added.
> 
> If not, then it may be possible that this really is a bugfix only
> release, and IMO would be suitable for an update.
> 
> Neil
> [0] http://www.adobe.com/go/apsb07-12


- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqfGzS9HxQb37XmcRAuonAJ9Qfa21ZzjG6N3jDD3JfApiMTmEWQCfUv5V
YHJfmcYzfGdRZHAmi5Q21gk=
=Fjm9
-----END PGP SIGNATURE-----


