SCIENTIFIC-LINUX-USERS Archives

October 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Dag Wieers <[log in to unmask]>
Reply To: Dag Wieers <[log in to unmask]>
Date: Fri, 7 Oct 2011 11:11:54 +0200

On Fri, 7 Oct 2011, Robert E. Blair wrote:

> Dag Wieers wrote:
>
> |  Again, without any information it is hard to determine whether the
> |  plugincheck is mainly checking the version against the latest (known)
> |  available, or whether it actually knows about vulnerabilities.
> | 
> |  I bet the first option is what is implemented (because the second adds
> |  complexity without any real gain). Their aim is to have people running
> |  the latest.
> | 
> |  Also, if we look at TUV, they still offer
> |  flash-plugin-10.3.183.10-1.el6, which is most likely not vulnerable (and
> |  which was the version offered by Repoforge until this morning too). In
> |  other words, we are now disconnected from the RHSA information.
>
> The 64 bit version I installed an hour or so ago from the Adobe yum repo is:
> flash-plugin-11.0.1.152-release.x86_64

Ok, let's hope I can kill this thread with actual vendor information 
instead.


On the Adobe website, there's not even a mention of flash-plugin v11.

     http://www.adobe.com/support/security/#flashplayer

So as I suspected, the new v11 release is just the first official release 
announcement, which is *NOT* security-related. At least there is no
information to support such claims, and no proof that the v10 offering is
vulnerable.


Wrt. Red Hat not tracking flash-plugin security updates.

As far as I can tell, TUV has the latest flash-plugin v10, so there is no
security impact. TUV provides flash-plugin-10.3.183.10-1.el6, which is
newer than the latest Adobe security bulletin from the Adobe page above.


Executive summary:

  - Do not mix 32bit and 64bit flash-plugin packages. Decide which to use
    and stick to it.

  - New Adobe releases do not imply new security vulnerabilities.

  - Red Hat is offering a secure flash-plugin offering (even newer than
    the latest Adobe security bulletin), even when it is not the latest and
    greatest (just-released) v11.


Please only reply to this thread if you have new information and some 
references to back it up.

Thanks :-)
-- 
-- dag wieers, [log in to unmask], http://dag.wieers.com/
-- dagit linux solutions, [log in to unmask], http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]
