Quoting Dirk Müller from the KDE packager list:
>There is a critical issue in flash player 9.x that is currently (for the last
>3 months already) embargoed awaiting a bugfix update. According to Adobe they
>currently plan to do that on July 10th. Only Opera and Konqueror are affected. Patch for KDE is available as well.
The following ebuilds should go stable: nsplugins-3.5.5-r2, kdebase-3.5.5-r4. kde.org will release an announcement on the 10th of July as well. Don't know if Opera has anything in the pipeline to work around the flash player vulnerability, but if not the flash package should probably be hard masked given that it is roundabout six weeks to an update.
Opera apparently dealt with it with the 9.20 release. Security, patches are in cvs, how about cc'ing the arch security liaisons?
Carlo, sorry for the delay, I've been away on vacation for the last 10 days. Arch security liaisons, please test and mark stable. Target keywords are:
nsplugins-3.5.5-r2.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
kdebase-3.5.5-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
ppc64 stable
sparc stable.
x86 stable
cc'ing kugelfang for amd64
amd64 stable
kde-base/kdebase-3.5.5-r4: hppa stable. That leaves just ia64 and ppc wrt kdebase. Sorry for the delay btw - I had other bugs to work through.
CC'ing ferdy for alpha.
armin76 will do alpha
alpha stable. I'll try to do ia64 too, but will take some time first since I need to test both nsplugins and kdebase.
ia64 stable :)
ppc stable
I'm not sure what the "critical issue" is, but I guess it would at least get a severity rating of 3, making a GLSA needed.
This seems public already at above URL but nothing on the kde site.
kde/security please advise.
It appears that KDE will not issue an advisory about this. I think we should move this one to noglsa status and open it to the public once we reach the disclosure date and then close it. Comments?
Setting status to noglsa and keeping the bug open until the disclosure date. Feel free to change status if you disagree.
this is public now, sorry for the delay. cc'ing mips so they can stable kdebase-3.5.5-r4, and closing.