
flashplugin-nonfree 9.0.48.0.1etch1 for Stable



Hi Stable Debian-Release,
Hi Security Team,

On 11 July I was notified of a newer upstream release of the Adobe Flash
plugin.  I updated flashplugin-nonfree in Unstable on the same day.

On 12 July I uploaded flashplugin-nonfree 9.0.48.0.1etch1 to Stable.  I
did not go via the Security Team because last time I was told that the
Security Team does not support "contrib" so that such updates should go
via Stable release.

On 18 July I uploaded flashplugin-nonfree 9.0.48.0.2~bpo.1 to Backports,
just in case the Stable release would take time.

Now I read this:

  http://ftp-master.debian.org/proposed-updates.html
  NOK 
  flashplugin-nonfree - Fix download patch 
  This should probably better go via volatile/backports as one doesn't
  necessarily want to upgrade the installed version...

I don't know when that was written.  Did I overlook an e-mail?

Going via Volatile and/or Backports is interesting, but that does not
inform Stable users who don't have Volatile or Backports in
their /etc/apt/sources.list.  So I guess that many Debian Stable users
are still unknowingly using an insecure version of the Flash plugin,
installed via the Debian package flashplugin-nonfree in Stable.  And
that is Not Good.

The question now is, do we have a short-term solution for the Stable
users?

Possible approaches:

1. We could flashplugin-nonfree 9.0.48.0.1etch1 to Stable soon.  The
only change is the update of the MD5 checksums.  Obviously the upstream
Flash plugin itself may have been modified heavily, no idea.
2. I can create a special flashplugin-nonfree package for Stable to
remove the insecure plugin from the Stable systems, notifying the users
of this removal, and suggesting that they use Backports.

Can you contact me about further steps that fit your policies please?

Regards,

Bart Martens
