On Fri, 7 Oct 2011, Robert E. Blair wrote:
> Dag Wieers wrote:
>
> | Again, without any information it is hard to determine whether the
> | plugincheck is mainly checking the version against the latest (known)
> | available, or whether it actually knows about vulnerabilities.
> |
> | I bet the first option is what is implemented (because the second adds
> | complexity without any real gain). Their aim is to have people running
> | the latest.
> |
> | Also, if we look at TUV, they still offer
> | flash-plugin-10.3.183.10-1.el6, which is most likely not vulnerable (and
> | which was the version offered by Repoforge until this morning too). In
> | other words, we are now disconnected from the RHSA information.
>
> The 64 bit version I installed an hour or so ago from the Adobe yum repo is:
> flash-plugin-11.0.1.152-release.x86_64

Ok, let's hope I can kill this thread with actual vendor information
instead.

On the Adobe website, there's not even a mention of flash-plugin v11.

http://www.adobe.com/support/security/#flashplayer

So as I suspected, the new v11 release is just the first official release
announcement, which is *NOT* security-related. At least there is no
information to support such claims, and no proof that the v10 offering is
vulnerable.

Wrt. Red Hat not tracking flash-plugin security updates:

As far as I can tell, TUV has the latest flash-plugin v10, so there is no
security impact. TUV provides flash-plugin-10.3.183.10-1.el6, which is
newer than the latest Adobe security bulletin from the Adobe page above.

Executive summary:

- Do not mix 32-bit and 64-bit flash-plugin packages. Decide which to use
  and stick to it.
- New Adobe releases do not imply new security vulnerabilities.
- Red Hat is offering a secure flash-plugin offering (even newer than
  the latest Adobe security bulletin), even when it is not the latest and
  greatest (just-released) v11.

Please only reply to this thread if you have new information and some
references to back it up.

Thanks :-)
--
-- dag wieers, [log in to unmask], http://dag.wieers.com/
-- dagit linux solutions, [log in to unmask], http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]