RE: flashplugin-nonfree and latest Flash security updates

2016-08-02 Thread Nick Boyce
On Mon, 1 Aug 2016 08:25:01 -0700
Darren S.  wrote:

> There are aspects of the flashplugin-nonfree package I am hoping to
> understand better in respect to installing the latest security updates
> for the Adobe Flash plugin on a Debian host.
[snip]
> It appears that the updated Flash plugin version fails to be
> fetched/verified because of a 404 on the Debian server. This updated
> version doesn't appear to be the one that would work with Firefox on
> Linux anyway, as that would be 11.2.202.632. However when
> update-flashplugin-nonfree fetches and installs an 11.x version, it
> drops in the slightly older 11.2.202.626 version which is still
> considered vulnerable in the browser.
> 
> Is there a way for this to be corrected?

+1

The update-flashplugin-nonfree facility has been broken for several
days now.  It reports the upstream plugin version is 22.0.0.209, but
that is not true - the latest plugin version for Linux systems is
11.2.202.632, as shown at
https://www.adobe.com/products/flashplayer/distribution3.html

The 22.0.0.209 version is for Windows, Mac and potentially also
for Google Chrome on Linux.  IIRC, the Google Chrome version is the new
style PPAPI plugin, whereas Firefox/Iceweasel needs the older NPAPI
technology, so I have not actually run the update cos the last thing I
would want is a plugin which won't work at all.

I have emailed the maintainer (Bart Martens, at his debian.org address)
twice about this (30th.July and 1st.Aug), but there has been no reply as
yet. Do I need to post to the bug report Francesco mentioned:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820583
rather than emailing Bart directly ?

I realise the nonfree plugin is not really supported, but given the
serious (!!!) security implications of running a known-vulnerable Flash
player for a significant time after a fixed version has been released,
and assuming Bart is MIA for some reason, is it possible for the
Security Team to either fix the update, or to make an announcement that
all Debian users should stop using the Adobe player immediately ?

Thanks,
Nick
-- 
"Always code as if the person who ends up maintaining your code 
is a violent psychopath who knows where you live."
-- John Woods

Unsubscribe

2016-08-02 Thread Jocey Ricardo Pérez Sánchez
Unsubscribe

Sent from my Huawei

Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread Holger Levsen
On Tue, Aug 02, 2016 at 04:37:31PM +0200, Jakub Wilk wrote:
> Wiki is world-writable. It's safe to assume that everything there is
> nonsense unless proven otherwise.
 
It's also safe to assume that we'll all die one day, though that's also
not very helpful.

A useful first step to assess the quality of the information on any given page
on wiki.d.o is usually to look at the page history and see who edited
it.


-- 
cheers,
Holger




Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread Paul Wise
On Tue, Aug 2, 2016 at 11:27 PM, donoban wrote:

> Not so world-writable:
> "Account creation failed: Due to an ongoing spam attack, this wiki is
> configured to not automatically create wiki accounts for some users.
> Please contact w...@debian.org first if you wish to create an account,
> and describe what you want to do in the wiki.."

I've just whitelisted your email now so things should work OK if you
try to register again. Please let us know if you have any problems.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread donoban
On 08/02/2016 04:37 PM, Jakub Wilk wrote:
> Wiki is world-writable. It's safe to assume that everything there is
> nonsense unless proven otherwise.

Not so world-writable:
"Account creation failed: Due to an ongoing spam attack, this wiki is
configured to not automatically create wiki accounts for some users.
Please contact w...@debian.org first if you wish to create an account,
and describe what you want to do in the wiki.."

Well, the Wiki is wrong, as I've already supposed. What I did not
imagine is that this does not worry anyone.



Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread Jakub Wilk

* donoban , 2016-08-02, 16:09:
> You spend a lot of time and effort backporting bugfixes for old 
> versions of programs and then your Wiki says: "Ey dude, delete all this 
> stuff and download it from upstream".

Wiki is world-writable. It's safe to assume that everything there is 
nonsense unless proven otherwise.


--
Jakub Wilk



Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread donoban
On 08/01/2016 11:30 AM, donoban wrote:
> On 08/01/2016 10:28 AM, Salvatore Bonaccorso wrote:
>> Hi
> 
>> We would like to expose the packages for the upcoming wordpress 
>> update a bit for additional testing. Please find them at
> 
>> https://people.debian.org/~carnil/tmp/wordpress
> 
>> and report any problem *introduced* by updating to these packages
>>  directly to t...@security.debian.org and including Craig Small 
>>  .
> 
>> Thanks in advance,
> 
>> Regards, Salvatore
> 
> 
> Hi,
> 
> Pretty off-topic, time ago I read this on Debian wiki:
> 
> wiki.debian.org/WordPress#Upgrading_the_installed_WordPress_version
>
>  When I saw it I thought, "this breaks the Debian package upgrade 
> policy, but maybe this package is an exception".
> 
> Now your email confirms WordPress packages respect Debian policy
> and the Wiki is wrong.
> 
> Regards.
> 

You spend a lot of time and effort backporting bugfixes for old
versions of programs and then your Wiki says: "Ey dude, delete all
this stuff and download it from upstream".