Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
Ports for flashplugin should be updated to 11.2r202.637 or later to avoid these vulnerabilities.
Proposed update to VuXML to document these vulnerabilities: https://reviews.freebsd.org/D8266
A commit references this bug:
Author: tijl
Date: Sat Oct 22 12:21:25 UTC 2016
New revision: 424469
URL: https://svnweb.freebsd.org/changeset/ports/424469
Log:
  Update flash plugin to 11.2r202.637.
  PR: 213698
  MFH: 2016Q4
  Security: https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
Changes:
  head/www/linux-c6-flashplugin11/Makefile
  head/www/linux-c6-flashplugin11/distinfo
  head/www/linux-c6-flashplugin11/pkg-plist
About the vuxml entry, the 64 bit linux packages used to be prefixed with linux-c6_64- and now just linux-c6-. You should keep the c6_64 entry because I think this is the first vulnerability after the rename. Also please add a c7 entry.
(In reply to Tijl Coosemans from comment #3) Thanks Tijl - linux-c7-flashplugin11 added to the list of affected ports mentioned in the VuXML entry awaiting approval here: https://reviews.freebsd.org/D8266 Assume you are planning to MFH this to the quarterly branch?
(In reply to Tijl Coosemans from comment #3) Wait, wouldn't we need both the old and the new package names? People who still have the old package name installed will be affected by these vulns as well and they won't get this entry in the pkg audit.
A commit references this bug:
Author: tijl
Date: Mon Oct 24 16:55:53 UTC 2016
New revision: 424578
URL: https://svnweb.freebsd.org/changeset/ports/424578
Log:
  MFH: r424469
  Update flash plugin to 11.2r202.637.
  PR: 213698
  Security: https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
  Approved by: ports-secteam (feld)
Changes:
  _U branches/2016Q4/
  branches/2016Q4/www/linux-c6-flashplugin11/Makefile
  branches/2016Q4/www/linux-c6-flashplugin11/distinfo
  branches/2016Q4/www/linux-c6-flashplugin11/pkg-plist
(In reply to Mark Felder from comment #5) The only old name is linux-c6_64-flashplugin, and I asked to keep that. Now that I look into it again though, this c6_64 name was never used. It was only used by ports that set USE_LINUX_RPM and this port doesn't do that. It sets PKGNAMEPREFIX=linux-c6- on its own. So the affected packages are:
linux-f10-flashplugin
linux-c6-flashplugin
linux-c7-flashplugin
And linux-c6_64-flashplugin can be removed from old vulnerabilities.
(In reply to Tijl Coosemans from comment #7) Err, no, old versions of the port used PKGNAMEPREFIX=linux-${USE_LINUX}- so they did use c6_64. Just keep linux-c6_64-flashplugin for now.
Committed, thanks for the prompt response everyone. Note that the VuXML entry was committed by feld in r424574: https://svnweb.freebsd.org/changeset/ports/424574