Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock flashplugin-nonfree 1:3.2.  It fixes two security bugs.  Debdiff
attached.
diff -ruN ../orig/flashplugin-nonfree-2.8.2/debian/changelog ./debian/changelog
--- ../orig/flashplugin-nonfree-2.8.2/debian/changelog	2010-09-17 21:04:37.000000000 +0200
+++ ./debian/changelog	2012-12-14 19:05:13.000000000 +0100
@@ -1,3 +1,11 @@
+flashplugin-nonfree (1:2.8.2+squeeze1) stable; urgency=low
+
+  * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files
+    without signature.  Thanks to Ansgar Burchardt for reporting the security
+    issue (via private e-mail on 13 Dec 2012).
+
+ -- Bart Martens <ba...@debian.org>  Fri, 14 Dec 2012 19:03:40 +0100
+
 flashplugin-nonfree (1:2.8.2) unstable; urgency=low
 
   * Removed "64 bit player temporarily not supported".  Closes: #586273.
diff -ruN ../orig/flashplugin-nonfree-2.8.2/update-flashplugin-nonfree ./update-flashplugin-nonfree
--- ../orig/flashplugin-nonfree-2.8.2/update-flashplugin-nonfree	2010-09-17 20:42:15.000000000 +0200
+++ ./update-flashplugin-nonfree	2012-12-14 19:06:17.000000000 +0100
@@ -164,6 +164,8 @@
 		gpg -q --homedir "." --import /usr/lib/flashplugin-nonfree/pubkey.asc > /dev/null 2>&1 \
 			|| die_hard_with_a_cleanup "gpg failed to import /usr/lib/flashplugin-nonfree/pubkey.asc"
 		[ "$verbose" != "yes" ] || echo "verifying PGP $downloadfile ..."
+		gpg -q --homedir "." --verify $downloadfile 2> /dev/null \
+			|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
 		gpg -q --homedir "." < $downloadfile > checksums.txt 2> /dev/null \
 			|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
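Review bot: The added `gpg --verify` (new lines 167-168) and the unchanged extraction after it are two separate gpg runs over `$downloadfile`, so the content written to checksums.txt is not tied to the content whose signature was checked. Whether a crafted file can pass the first run and still yield unsigned output in the second depends on gpg's input handling and should be confirmed. A tighter form produces checksums.txt from a single invocation and requires a `VALIDSIG` line for the expected key fingerprint on `--status-fd`, instead of relying on the exit status alone. Separately, quote the operand, `gpg -q --homedir "." --verify "$downloadfile" 2> /dev/null \`, and give this step its own message such as `"gpg found no valid signature in $downloadfile"`, because both failures currently print the same text. The enclosing block starts and ends outside the hunk.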
 
