Adobe releases flash-plugin security update 7.0.68

Bug #60256 reported by Daniel Robitaille
Affects | Status | Importance | Assigned to | Milestone
flashplugin-nonfree (Debian) | Fix Released | Unknown | |
flashplugin-nonfree (Ubuntu) | Fix Released | High | Daniel T Chen |
Hoary | Invalid | Undecided | Unassigned |
Breezy | Invalid | Undecided | Unassigned |
Dapper | Won't Fix | Undecided | Unassigned |

Bug Description

Adobe has released today a security update to its flash plugin. The new version is 7.0.68 and replaces version 7.0.63 currently available in Dapper.

http://www.adobe.com/support/security/bulletins/apsb06-11.html
https://rhn.redhat.com/errata/RHSA-2006-0674.html

description: updated
Daniel T Chen (crimsun) wrote :

Accepted:
 OK: flashplugin-nonfree_7.0.68~ubuntu1.dsc
     -> Component: multiverse Section: web
 OK: flashplugin-nonfree_7.0.68~ubuntu1.tar.gz
This upload awaits approval by a distro manager

********* *BEGIN ENCRYPTED or SIGNED PART* *********

Format: 1.7
Date: Wed, 13 Sep 2006 16:15:56 -0400
Source: flashplugin-nonfree
Binary: flashplugin-nonfree
Architecture: source
Version: 7.0.68~ubuntu1
Distribution: edgy
Urgency: low
Maintainer: Bart Martens <email address hidden>
Changed-By: Daniel T Chen <email address hidden>
Description:
 flashplugin-nonfree - Macromedia Flash Player plugin installer
Closes: 383948 384250
Changes:
 flashplugin-nonfree (7.0.68~ubuntu1) edgy; urgency=low
 .
   * This package retrieves upstream version 7.0.68:
     - [SECURITY]
       + Fix input validation errors,
       + Prevent circumvention of allowScriptAccess option.
     - References:
       + CVE-2006-3014
       + CVE-2006-3311
       + CVE-2006-3587
       + CVE-2006-3588
       + CVE-2006-4640
       http://www.adobe.com/support/security/bulletins/apsb06-11.html
   * Merge from Debian unstable. Remaining Ubuntu changes include:
     - Adding Simon Law's modified initscript,
     - Adjusting Depends and Recommends,
     - Invoking dh_installinit -umultiuser,
     - Updating md5sums for this release.
 .
 flashplugin-nonfree (7.0.63.8) unstable; urgency=low
 .
   * debian/control: Added libxt6, libxext6 and libxmu6 to the "Depends".
     Closes: #384250.
   * debian/control: Removed libstdc++2.10-glibc2.2 from the "Recommends".
     Closes: #383948.
Files:
 31ea1cf631551a35114147c52e83ef6c 553 contrib/web optional flashplugin-nonfree_7.0.68~ubuntu1.dsc
 4511255080968f60ad4a2681cade0cf9 20418 contrib/web optional flashplugin-nonfree_7.0.68~ubuntu1.tar.gz

********** *END ENCRYPTED or SIGNED PART* **********

==

Announcing to <email address hidden>

Thank you for your contribution to Ubuntu.

Changed in flashplugin-nonfree:
assignee: nobody → crimsun
importance: Untriaged → High
status: Unconfirmed → Fix Committed
Daniel T Chen (crimsun)
Changed in flashplugin-nonfree:
status: Fix Committed → Fix Released
Daniel Robitaille (robitaille) wrote :

One comment: other versions of Ubuntu besides Edgy (Dapper, Breezy and Hoary) are also vulnerable to this security issue and should be upgraded to 7.0.68 as well.

That newer version has also entered Debian unstable (flashplugin-nonfree 7.0.68.0.1) recently.

Changed in flashplugin-nonfree:
status: Unknown → Fix Released
David Meier (droebbel-melta) wrote :

This update is now in dapper-backports. Shouldn't it be in -security?

The package in main is now more than useless: when installing the package, the installer script will fail silently, leaving one with the package installed but no plugin.

Roger Keays (roger-ilikespam) wrote :

Please put this fix into security! Dapper is broken.

towsonu2003 (towsonu2003) wrote :

requested backport fix to supported releases as per previous two comments.

towsonu2003 (towsonu2003) wrote :

More than 1 month (see date of comment https://launchpad.net/distros/ubuntu/+source/flashplugin-nonfree/+bug/60256/comments/2 ) and we're still vulnerable...

what's going on?

Daniel Robitaille (robitaille) wrote :
towsonu2003 (towsonu2003) wrote : Re: [Bug 60256] Re: Adobe releases flash-plugin security update 7.0.68

Daniel Robitaille wrote:
> 7.0.68 is available in the Dapper Backports repository.
>
> https://launchpad.net/distros/ubuntu/+source/flashplugin-nonfree/7.0.68~ubuntu1~dapper1
>

Yes I know.

Backports repository is for new versions of software that cannot go to
Dapper because Dapper (and all other Ubuntu releases) only takes
security updates.

This one *is* a security update and needs to go to dapper-security...

Please put flashplugin-nonfree to dapper-security.

Martin Pitt (pitti) wrote :

Wontfix for hoary, goes EOL tomorrow.

Changed in flashplugin-nonfree:
status: Unconfirmed → Rejected
David Meier (droebbel-melta) wrote :

You might want to fix it for dapper though? Please remember:
1. old installs of flashplugin-nonfree are insecure and should be updated
2. new installs of flashplugin-nonfree do not work at all, as the download fails. Well, better than case 1...

Daniel T Chen (crimsun) wrote :

Feel free to create a source package for dapper-security if you feel strongly. In the meantime, a member of the backporters team is testing a candidate (based on current feisty's source package) for dapper-backports (and edgy-backports).

towsonu2003 (towsonu2003) wrote :

Daniel T Chen wrote:
> Feel free to create a source package for dapper-security if you feel
> strongly.

I'm wondering whether this is the way other security issues to be
backported to Dapper and Breezy are handled? By leaving the packaging
and testing of security fixes to the user and his/her mindset? I know
this package is in multiverse but still...

I'm sure I'm missing / misunderstanding something, but what?

thanks for the work :)

Daniel T Chen (crimsun) wrote :

It is absolutely the way security issues for packages in universe and multiverse are handled -- best-effort by the community -- and as a community member, I apologise for not having the resources to invest in flashplugin-nonfree for anything save the current development branch.

Timo Aaltonen (tjaalton) wrote :

flash9 is in dapper backports

Changed in flashplugin-nonfree:
status: Unconfirmed → Fix Committed
Marco Rodrigues (gothicx) wrote :

Breezy support is over.. Today it's Breezy End Of Life!

Changed in flashplugin-nonfree:
status: Unconfirmed → Rejected
Changed in breezy-backports:
status: Unconfirmed → Rejected
Kees Cook (kees)
Changed in flashplugin-nonfree:
status: Fix Committed → Triaged
deegoo (elgasangria)
Changed in flashplugin-nonfree (Ubuntu):
status: Fix Released → Invalid
Changed in flashplugin-nonfree (Ubuntu):
status: Invalid → Fix Released
Artur Rona (ari-tczew) wrote :

Dapper Drake 6.06 is end of life, so MOTU SWAT will not fix it. I'm closing this bug.

Changed in flashplugin-nonfree (Ubuntu Dapper):
status: Triaged → Invalid
Changed in flashplugin-nonfree (Ubuntu Dapper):
status: Invalid → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.