Macromedia has released an upgrade of Flash Player 7 plugin

Bug #4430 reported by Daniel Robitaille
Affects | Status | Importance | Assigned to | Milestone
flashplugin-nonfree (Ubuntu) | Invalid | Medium | Unassigned |
Warty | Invalid | Medium | Unassigned |
Hoary | Invalid | Medium | Unassigned |
Breezy | Invalid | Medium | Unassigned |
Dapper | Fix Released | Medium | MOTU |

Bug Description

According to the Macromedia download page, the latest version of the Flash player is now 7.0.61. All versions of Ubuntu (from Warty to Dapper) currently contain 7.0.25. According to the notes included with the plugin, Macromedia describes this upgrade as:

"In an effort to keep our customers up to date with the most recent features, functionality and bug fixes, we have issued a new version of the player. Macromedia recommends that all users upgrade to the latest version of Macromedia Flash Player. This update is version 7.0.61.0."

CVE References

Changed in flashplugin-nonfree:
assignee: nobody → motu
assignee: nobody → motu
Sitsofe Wheeler (sitsofe) wrote :

This "update" is in all probability a security update too:
http://www.advogato.org/person/mjcox/diary.html?start=144

Daniel Robitaille (robitaille) wrote :

Yes, it is now a security update according to the Macromedia advisory:

http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

Interestingly, when I first opened this bug report 2 days ago, that advisory was stating that only Flash 7.0.19 and earlier was vulnerable (Debian/Ubuntu are at 7.0.25), but in the last 48 hours they have changed the text of their document such that now it seems 7.0.53 and earlier is vulnerable.

StefanPotyra (sistpoty) wrote :

I've uploaded an updated version of flashplugin-nonfree for dapper. It still has issues: It can no longer check if an updated version should be downloaded, but it should solve this bug.
I'll leave this bug open, since not only dapper is affected.

Changed in flashplugin-nonfree:
status: Unconfirmed → Fix Released
Daniel Robitaille (robitaille) wrote :

Macromedia released a new security advisory yesterday:
http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html

It calls the vulnerabilities "critical", and recommends upgrading to the latest version of the Flash plugin. For Linux, this is version 7.0.63.

All versions of Ubuntu are currently vulnerable.

Loïc Corbasson (cnb) wrote :
Changed in flashplugin-nonfree:
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
Daniel T Chen (crimsun)
Changed in flashplugin-nonfree:
status: Confirmed → Rejected
status: Confirmed → Rejected
status: Confirmed → Rejected
Christian Reis (kiko) wrote :

If I understand the statuses on this bug correctly, it doesn't make sense to say that the Ubuntu bug is still open -- it is fixed in Dapper, which is the development release. The fact that the backport fixes have been rejected also indicates that there is no more work to be done here. Can someone explain?

Daniel Robitaille (robitaille) wrote :

While I'm the initial reporter, I didn't add all the extra statuses, nor remove them.

But in my mind this bug is not fixed yet in Warty/Hoary/Breezy: the version we currently ship for these three Ubuntu versions has security issues that can only be solved by an upgrade to the latest binary from Macromedia (as shown by the two CVE links).

Jonathan Carter (jonathan) wrote :

Is the newer plugin now included in Dapper? Can this be resolved? Or is there a question whether this should be a security update for previous releases?

Daniel Robitaille (robitaille) wrote :

The newest plugin is indeed in Dapper. But it is my understanding that the older plugin is the only one available for Hoary/Breezy; thus these 2 Ubuntu versions are in theory still vulnerable to CVE 2005-2628 and 2006-0024 since they are only at version 7.0.25 instead of the latest 7.0.63.

Bart Martens (bartm) wrote :

Today this bug is not in 7.0.63.3ubuntu3.

Bart Martens (bartm) wrote :

And it's also not in 7.0.63.5. I'm marking this bug as "rejected" now. Feel free to reopen and explain why, in case I've missed something.

Changed in flashplugin-nonfree:
assignee: motu → nobody
status: Confirmed → Rejected