severity 585408 grave
found 1:2.8
thanks

Bret, please include bug submitters in your replies to their bugs in future. I did not see your reply until I thought to check on the status of my bug.

I do not see how you can justify closing and downgrading this bug without fixing the problem! I am aware that 'flashplugin-nonfree' is not Flash itself; however, running 'update-flashplugin-nonfree --install' on an amd64 system does result in the installation of an insecure version of the Flash plugin that exposes users to the arbitrary code execution vulnerability that I referenced in my original bug report.

Furthermore, there is no automatic update mechanism, or mechanism to notify users of the installation of an obsolete and dangerous version of Flash; as a result, users who do not closely follow the Flash situation will not even realise that they are exposed to this serious problem.

Without such an update and notification system, I do not see how update-flashplugin is suitable for release, as the package "introduces a security hole allowing access to the accounts of users who use the package" which, according to [0] warrants grave severity.

[0] http://www.debian.org/Bugs/Developer#severities

--
Sam Morris <[email protected]>

