On Thu, 6 Oct 2011, Yasha Karant wrote:
> On 10/06/2011 04:37 PM, Dag Wieers wrote:
>> On Thu, 6 Oct 2011, Yasha Karant wrote:
>>
>> > I realise that except for the Fermilab/CERN staff persons, almost all
>> > of the rest of those maintaining material for SL are unpaid
>> > volunteers. With that stated, what is the
>> > typical/average/median/whatever delay from the Adobe release until the
>> > SL compatible port for the flash plugin?
>> >
>> > In some cases, Adobe adds functionality -- but in most cases it is a
>> > matter of bug and security-hole fixes -- and the sooner one installs a
>> > valid security fix, the better.
>>
>> Do you have proof that this is a security fix? Because I track the RHEL
>> packages and no such update has come through their channels. It seems as
>> if the release was simply their official Flash Player 11 release, rather
>> than a security fix.
>>
>> If it is a security fix, even Red Hat is behind. Somehow I don't believe
>> that, but for you to provide proof of what you state. Thanks.
>
> I use the direct Mozilla (and OpenOffice) distributions and updates. For
> Firefox 7.x (that the Firefox update on Help --> About Firefox reports as up
> to date), I ran an update check on the addons, including plugins using Tools
> --> Add ons and URL https://www.mozilla.org/en-US/plugincheck/ and the
> following was displayed:
>
> Vulnerable plugins:
> Plugin Icon
> Shockwave Flash
> Shockwave Flash 11.0 r1 Vulnerable (more info)
>
> (11.0.1.129 is what actually is installed)

Again, without any information it is hard to determine whether the
plugincheck is mainly checking the version against the latest (known)
available, or whether it actually knows about vulnerabilities.

I bet the first option is what is implemented (because the second adds
complexity without any real gain). Their aim is to have people running the
latest.

Also, if we look at TUV, they still offer flash-plugin-10.3.183.10-1.el6,
which is most likely not vulnerable (and which was the version offered by
Repoforge until this morning too). In other words, we are now disconnected
from the RHSA information.

If you noticed a flash-plugin update from Adobe, feel free to let us know
so we can update our flash-plugin package too.

Thanks in advance,
--
-- dag wieers, [log in to unmask], http://dag.wieers.com/
-- dagit linux solutions, [log in to unmask], http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]