On Fri, 7 Oct 2011, Robert E. Blair wrote:
Dag Wieers wrote:
| Again, without any information it is hard to determine whether the
| plugincheck is mainly checking the version against the latest (known)
| available, or whether it actually knows about vulnerabilities.
|
| I bet the first option is what is implemented (because the second adds
| complexity without any real gain). Their aim is to have people running
| the latest.
|
| Also, if we look at TUV, they still offer
| flash-plugin-10.3.183.10-1.el6, which is most likely not vulnerable (and
| which was the version offered by Repoforge until this morning too). In
| other words, we are now disconnected from the RHSA information.

The 64-bit version I installed an hour or so ago from the Adobe yum repo is:
flash-plugin-11.0.1.152-release.x86_64

Ok, let's hope I can kill this thread with actual vendor information
instead.

On the Adobe website, there's not even a mention of flash-plugin v11.
http://www.adobe.com/support/security/#flashplayer

So as I suspected, the new v11 release is just the first official release
announcement, which is *NOT* security-related. At least there is no
information to support such claims, and no proof that the v10 offering is
vulnerable.

Wrt. Red Hat not tracking flash-plugin security updates:
As far as I can tell, TUV has the latest flash-plugin v10, so there is no
security impact. TUV provides flash-plugin-10.3.183.10-1.el6, which is
newer than the latest Adobe security bulletin from the Adobe page above.

Executive summary:
- Do not mix 32-bit and 64-bit flash-plugin packages. Decide which to use
and stick to it.
- New Adobe releases do not imply new security vulnerabilities.
- Red Hat is offering a secure flash-plugin offering (even newer than
the latest Adobe security bulletin), even when it is not the latest and
greatest (just-released) v11.

Please only reply to this thread if you have new information and some
references to back it up.

Thanks :-)
--
-- dag wieers, [email protected], http://dag.wieers.com/
-- dagit linux solutions, [email protected], http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]