Bug#: 175230
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>


Description:   Opened: 2007-04-19 15:16 0000
Quoting Dirk Müller from the KDE packager list:

>There is a critical issue in flash player 9.x that is currently (for the last 
>3 months already) embargoed awaiting a bugfix update. According to Adobe they 
>currently plan to do that on July 10th. Only Opera and Konqueror are affected.

Patch for KDE is available as well.

------- Comment #1 From Carsten Lohrke 2007-04-19 16:26:31 0000 -------
The following ebuilds should go stable:

nsplugins-3.5.5-r2
kdebase-3.5.5-r4

kde.org will release an announcement on the 10th of July as well. Don't know if
Opera has anything in the pipeline to work around the flash player
vulnerability, but if not the flash package should probably be hard masked
given that it is roundabout six weeks to an update.

------- Comment #2 From Carsten Lohrke 2007-04-25 17:01:02 0000 -------
Opera apparently dealt with it with the 9.20 release. Security, patches are in
cvs, how about cc'ing the arch security liaisons?

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-04-30 09:18:56 0000 -------
Carlo, sorry for the delay; I've been away on vacation for the last 10 days.

Arch security liaisons please test and mark stable.

Target keywords are:
nsplugins-3.5.5-r2.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
kdebase-3.5.5-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

------- Comment #4 From Markus Rothe 2007-05-01 17:36:55 0000 -------
ppc64 stable

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-05-02 13:52:05 0000 -------
sparc stable.

------- Comment #6 From Carsten Lohrke 2007-05-06 12:16:11 0000 -------
x86 stable 

------- Comment #7 From Carsten Lohrke 2007-05-09 18:18:16 0000 -------
cc'ing kugelfang for amd64

------- Comment #8 From Steve Dibb 2007-05-11 18:49:49 0000 -------
amd64 stable

------- Comment #9 From Jeroen Roovers 2007-05-25 00:34:51 0000 -------
kde-base/kdebase-3.5.5-r4: hppa stable. That leaves just ia64 and ppc wrt
kdebase.

Sorry for the delay btw - I had other bugs to work through.

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-06-03 15:27:07 0000 -------
CC'ing ferdy for alpha.

------- Comment #11 From Fernando J. Pereda (RETIRED) 2007-06-04 20:17:15 0000 -------
armin76 will do alpha

------- Comment #12 From Raúl Porcel 2007-06-04 21:26:50 0000 -------
alpha stable

I'll try to do ia64 too, but it will take some time first since I need to test
both nsplugins and kdebase.

------- Comment #13 From Raúl Porcel 2007-06-05 10:59:18 0000 -------
ia64 stable :)

------- Comment #14 From Tobias Scherbaum 2007-06-05 16:22:01 0000 -------
ppc stable

------- Comment #15 From Sune Kloppenborg Jeppesen 2007-06-06 19:56:50 0000 -------
I'm not sure what the "critical issue" is, but I guess it would at least get a
severity rating of 3, making a GLSA needed.

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-06-14 18:40:11 0000 -------
This seems public already at above URL but nothing on the kde site.

------- Comment #17 From Sune Kloppenborg Jeppesen 2007-06-16 06:53:38 0000 -------
kde/security please advise.

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-06-25 08:59:25 0000 -------
It appears that KDE will not issue an advisory about this. I think we should
move this one to noglsa status and open it to the public once we reach the
disclosure date and then close it.

Comments?

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-07-01 02:16:09 0000 -------
Setting status to noglsa and keeping the bug open until the disclosure date.
Feel free to change status if you disagree.

------- Comment #20 From Pierre-Yves Rofes 2007-08-06 08:18:01 0000 -------
this is public now, sorry for the delay. 
cc'ing mips so they can stable kdebase-3.5.5-r4, and closing.
