[Secure-testing-team] Bug#835649: [flashplugin-nonfree] OldStable (Wheezy) version of package is critically out of date
Stephen Lyons
slysven at virginmedia.com
Sat Aug 27 22:41:02 UTC 2016
Package: flashplugin-nonfree
Version: 1:3.2+wheezy1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
I believe the version of this package for Debian 7 installations
("OldStable") is *critically* out of date and still has the CVEs that
have been addressed by later versions 1:3.6.1 in "Stable" or 1:3.7
"Testing" and "Unstable". Whilst I appreciate that "Wheezy" is long in
the tooth, it still should be getting security updates for a little
while longer!

For the record, backporting by hand-editing in the differences between
3.2 and 3.7 into the 3.2 version does seem to do the job - the
diagnostic stuff below does not represent the exact state of a Wheezy
system because I got fed up with the Firefox blacklisting of the old
flashplayer version so manually installed it myself and dropped it into
the "alternatives" system but other users of "OldStable" might not be so
able to munge things themselves...

Regards
Stephen

--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-0.bpo.4-amd64
Debian Release: 7.11
500 wheezy-backports mozilla.debian.net
500 stable apt.spideroak.com
500 oldstable-updates mirror.sov.uk.goscomb.net
500 oldstable-proposed-updates mirror.sov.uk.goscomb.net
500 oldstable security.debian.org
500 oldstable mirror.sov.uk.goscomb.net
100 wheezy-backports mirror.sov.uk.goscomb.net
100 wheezy-backports ftp.debian.org
--- Package information. ---
Depends (Version) | Installed
==============================-+-===========
debconf | 1.5.49
OR debconf-2.0 |
wget | 1.13.4-3+deb7u3
gnupg | 1.4.12-7+deb7u8
libatk1.0-0 | 2.4.0-2
libcairo2 | 1.12.2-3
libfontconfig1 | 2.9.0-7.1+deb7u1
libfreetype6 | 2.4.9-1.1+deb7u3
libgcc1 | 1:4.7.2-5
libglib2.0-0 | 2.33.12+really2.32.4-5
libgtk2.0-0 (>= 2.14) | 2.24.10-2
libnspr4 | 2:4.9.2-1+deb7u4
libnss3 | 2:3.14.5-1+deb7u8
libpango1.0-0 | 1.30.0-1
libstdc++6 | 4.7.2-5
libx11-6 | 2:1.5.0-1+deb7u2
libxext6 | 2:1.3.1-2+deb7u1
libxt6 | 1:1.1.3-1+deb7u1
libcurl3-gnutls | 7.26.0-1+wheezy14
binutils | 2.22-8+deb7u3
ca-certificates | 20130119+deb7u1
Package's Recommends field is empty.
Suggests (Version) | Installed
========================================-+-===========
iceweasel |
konqueror-nsplugins | 4:4.8.4-2
ttf-mscorefonts-installer | 3.4+nmu1
ttf-dejavu | 2.33-3
ttf-xfree86-nonfree | 4.2.1-3.1
hal | 0.5.14-8
--- Output from package bug script ---
Debian version: 7.11
Architecture: amd64
Package version: 1:3.2+wheezy1
Adobe Flash Player version: LNX 11,2,202,632
MD5 checksums:
29c85bc8504422120cf89702986ff8e1  /var/cache/flashplugin-nonfree/get-upstream-version.pl
160a01dd00527304e5291e65eb0c65e2  /var/cache/flashplugin-nonfree/get-upstream-version.pl.orig
ace1a0801f00a25fd90172f63e98e101  /var/cache/flashplugin-nonfree/install_flash_player_11_linux.x86_64.tar.gz
e3a1280f91b278b8832500f362d0546b  /var/cache/flashplugin-nonfree/libflashplayer-11.2.202.632.so
e3a1280f91b278b8832500f362d0546b  /var/cache/flashplugin-nonfree/libflashplayer.so
md5sum: /var/cache/flashplugin-nonfree/temp: Is a directory
e3a1280f91b278b8832500f362d0546b  /usr/lib/flashplugin-nonfree/libflashplayer.so
Alternatives:
flash-mozilla.so - auto mode
link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer-11.2.202.632.so - priority 20
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
lrwxrwxrwx 1 root root 34 Jul 30 14:52 /usr/lib/mozilla/plugins/flash-mozilla.so -> /etc/alternatives/flash-mozilla.so
/usr/lib/mozilla/plugins/flash-mozilla.so: symbolic link to /etc/alternatives/flash-mozilla.so