
Re: Is Flash 9.0.31 secure enough?



On December 20, 2007 09:30:43 am Nico Golde, you wrote:
> Hi Philippe,
>
> * Philippe Cloutier <chealer@gmail.com> [2007-12-20 14:34]:
> > should someone who already has Flash 9.0.31 installed from stable's
> > flashplugin-nonfree uninstall it due to security issues? I only see one
> > important security bug, CVE-2007-5275.
>
> This is the wrong mailing list, I think
> debian-security@lists.d.o would be appropriate.
I thought that removing flashplugin-nonfree did not remove the plugin so that 
we would need to find a solution other than just removing flashplugin-nonfree 
from Etch, but I was wrong. Anyway, it's true that the answer can be 
interesting for debian-security, so I sent a mail there.
> Anyway, 
> CVE-2007-5275 is not the only issue which was fixed
> recently, have a look at:
> http://www.adobe.com/support/security/bulletins/apsb07-20.html
>
> The update fixes:
> CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243,
> CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246
> and CVE-2007-5476. Since this also fixes vulnerabilities
> leading to code execution it is at least not secure to stay
> with this version.
Thank you.
>
> However I think reinstalling the package
> should solve this as the package just downloads the
> install_flash_player_9_linux.tar.gz tarball from the Adobe
> site and the name did not change after the security update.
It checks the checksum, so it needs to be updated for each version (see 
#432755).

