retitle 752277 vulnerable to downgrade attack on get-upstream-version.pl
severity 752277 critical
tags 752277 security
fixed 752277 1:3.5
found 752277 1:2.8.2+squeeze1
found 752277 1:3.2
found 752277 1:3.4
summary 752277 0
stop

The scope of this bug report is the fact that the package is vulnerable to a
downgrade attack on get-upstream-version.pl. As Jakub clearly described:

  |  anyone who grabbed an old version of 
  |  get-upstream-version.pl and its signature, and is capable of MITM, can 
  |  still exploit bugs of this old version. For example, this bug:
  |  https://lists.debian.org/20121212191044.gd29...@seestieto.com

This vulnerability is an incompleteness of this change in 1:3.2:

  |  * get-upstream-version.pl: Added validation of link to flash.
  |    Thanks to Henrik Ahlgren for reporting the security issue (on
  |    debian-security on 12 Dec 2012).

A solution with minor changes is to replace the keypair used for signing
get-upstream-version.pl.

A fix for oldstable will not be provided. I agreed with the security team to
request the removal of the package from oldstable instead. A fix for unstable
has already been uploaded, see version 1:3.5. A fix for stable has been prepared
and made available here for review by the security team:
http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/flashplugin-nonfree_3.2+wheezy1_amd64.changes
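The downgrade described above works because signature verification alone proves authenticity, not freshness: an old script plus its old detached signature still verifies. The following added example (not code from flashplugin-nonfree or from the reporter) models the verifier with a constructed HMAC-SHA256 tag standing in for the OpenPGP signature, and shows why replacing the keypair stops the replay; the `# version:` line format, key ids and the alternative minimum-version check are assumptions, not something the package does.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the package's OpenPGP detached signature: an
# HMAC-SHA256 tag under a per-key secret, so the example runs offline with the
# standard library only. The downgrade logic does not depend on the scheme.
def sign(script: bytes, key_secret: bytes) -> bytes:
    return hmac.new(key_secret, script, hashlib.sha256).digest()

def script_version(script: bytes) -> tuple:
    """Read an assumed '# version: X.Y' line from the signed script body."""
    m = re.search(rb"^# version: (\d+(?:\.\d+)*)$", script, re.M)
    if m is None:
        raise ValueError("signed script carries no version line")
    return tuple(int(p) for p in m.group(1).split(b"."))

def verify_update(script: bytes, sig: bytes, key_id: str,
                  trusted_keys: dict, min_version: tuple = ()) -> tuple:
    """Return (accepted, reason): key trust, then signature, then freshness."""
    secret = trusted_keys.get(key_id)
    if secret is None:                        # key rotated: old signatures die with it
        return False, "untrusted signing key"
    if not hmac.compare_digest(sign(script, secret), sig):
        return False, "bad signature"
    if script_version(script) < min_version:  # authentic but stale: refuse the replay
        return False, "downgrade below pinned minimum"
    return True, "ok"

# Constructed sample data: the old, buggy script and its fixed replacement.
OLD_KEY, NEW_KEY = b"old-signing-secret", b"new-signing-secret"
OLD_SCRIPT = b"#!/usr/bin/perl\n# version: 3.1\n# (no validation of the link)\n"
NEW_SCRIPT = b"#!/usr/bin/perl\n# version: 3.5\n# validates the link to flash\n"
OLD_SIG, NEW_SIG = sign(OLD_SCRIPT, OLD_KEY), sign(NEW_SCRIPT, NEW_KEY)

def replay_old_script(trusted_keys: dict, min_version: tuple = ()) -> tuple:
    """What a MITM replaying the old signed script achieves under a policy."""
    return verify_update(OLD_SCRIPT, OLD_SIG, "old", trusted_keys, min_version)

if __name__ == "__main__":
    # Vulnerable policy: old key still trusted, no minimum -> replay accepted.
    print(replay_old_script({"old": OLD_KEY}))
    # Fix taken in 1:3.5 (new keypair): the old signature no longer verifies.
    print(replay_old_script({"new": NEW_KEY}))
    # Alternative policy (assumption): keep the key but pin a minimum version.
    print(replay_old_script({"old": OLD_KEY, "new": NEW_KEY}, (3, 2)))
    print(verify_update(NEW_SCRIPT, NEW_SIG, "new", {"new": NEW_KEY}, (3, 2)))
```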
