Why does the changelog contain only useless CVE numbers?

Asked by Uwe Geuder

Today my Hardy system offered me a new security update for flashplugin-nonfree. I checked the change information in update manager and it contained 5 CVE links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0521

However, when following the links, the CVE database just tells that the numbers have been reserved and details will be published later.

So where is the information?

Details of the update in question:

$ apt-cache policy flashplugin-nonfree
flashplugin-nonfree:
  Installed: 9.0.152.0ubuntu1~hardy1
  Candidate: 9.0.159.0ubuntu1~hardy1
  Version table:
     9.0.159.0ubuntu1~hardy1 0
        500 http://fi.archive.ubuntu.com hardy-updates/multiverse Packages
        500 http://security.ubuntu.com hardy-security/multiverse Packages
 *** 9.0.152.0ubuntu1~hardy1 0
        100 /var/lib/dpkg/status
     9.0.124.0ubuntu2 0
        500 http://fi.archive.ubuntu.com hardy/multiverse Packages

Question information

Language: English
Status: Solved
For: Ubuntu flashplugin-nonfree
Assignee: No assignee
Solved by: Uwe Geuder
Bhavani Shankar (bhavi) said :
#1

Numbers are reserved because CVE gives a unique number for each CVE, and the details are not made public as soon as it is found, because the bad guys could have a lurk around, which would mean disaster. It is made public only after confirming the CVE through testing and coming out with a solution. (CVE stands for critical vulnerabilities and expositions, and it is a kind of security loophole in a software package.)

Regards

Bhavani Shankar (bhavi) said :
#2

To view the changelog type

aptitude changelog <packagename>

and the same functionality is available within Synaptic as well. Go to:

    “System > Administration > Synaptic Package Manager”

Find the package you’re interested in using the “Search” button and then select “Package > Download Changelog” from the Synaptic File menu.

Regards
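As an added example (not part of this thread, and not a feature of aptitude or Synaptic), the following shell script takes changelog text such as `aptitude changelog` prints and pulls out the CVE identifiers it mentions, normalises them to the CVE-YYYY-NNNN form and prints the MITRE lookup URL for each, in the same URL format as the links in the question. The changelog excerpt embedded in the script is constructed for illustration and is not the real flashplugin-nonfree changelog; the function names and variable names are my own.

```bash
#!/bin/sh
# Added example, not from the original thread: list the CVE ids a Debian/Ubuntu
# changelog claims to fix, and print the MITRE lookup URL for each.
#
# Real usage would be:   aptitude changelog flashplugin-nonfree | list_cves_with_urls
# A constructed changelog excerpt is embedded below so the script runs offline.

# Constructed sample, modelled on the Ubuntu changelog layout. The entry text,
# maintainer and date are invented; only the CVE ids match the ones in the question.
SAMPLE_CHANGELOG='flashplugin-nonfree (9.0.159.0ubuntu1~hardy1) hardy-security; urgency=low

  * SECURITY UPDATE: new upstream release fixing multiple vulnerabilities
    - CVE-2009-0114, CVE-2009-0519, CVE-2009-0520
    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0522
    - see also CVE-2009-0521 (cve-2009-0521 in upstream notes, duplicate)

 -- Example Maintainer <maintainer@example.invalid>  Wed, 25 Feb 2009 10:00:00 +0000
'

# Read changelog text on stdin and print one normalised CVE id per line.
# Accepts "CVE-2009-0114", lowercase variants, and the bare "2009-0114" form that
# MITRE's ?name= links use. The pattern is a heuristic: four digits, a hyphen,
# then four or more digits, which matches CVE ids but not package versions or
# dates in the changelog trailer. Output is sorted and de-duplicated.
extract_cves() {
    grep -oiE '(cve-)?[0-9]{4}-[0-9]{4,}' \
    | tr '[:lower:]' '[:upper:]' \
    | sed -E 's/^(CVE-)?/CVE-/' \
    | sort -u
}

# Build the MITRE lookup URL (same format as the links in the question) for one id.
mitre_url() {
    printf 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=%s\n' "$1"
}

# Read changelog text on stdin; print "<id>  <url>" per CVE.
list_cves_with_urls() {
    extract_cves | while IFS= read -r id; do
        printf '%s  %s\n' "$id" "$(mitre_url "$id")"
    done
}

# Demo run on the constructed sample.
printf '%s' "$SAMPLE_CHANGELOG" | list_cves_with_urls
```

The script only tells you which identifiers the packager listed; whether each MITRE entry still reads "RESERVED" or already carries a description has to be checked by following the URL, which is exactly the gap the question is about.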

Uwe Geuder (ubuntulp-ugeuder) said :
#3

> To view the changelog type...

Well, aptitude and Synaptic show exactly the same changelog as update-manager, which I was using (this is not really a surprise).

I could read 5 CVE numbers in that changelog already when I asked my original question, but my point was (and is) that these numbers are pretty useless as long as the information about them is not public.

> Its made public only after confirming the cve through testing

My point was that I wanted to check what I install on my system. At that time the changelog contained CVE numbers, but their contents were still unpublished. So the changelog was pretty useless to me.

Well, I guess I understand the problem now. My thinking was based on open source. If the fix is published, the details also need to be available.

However, the explanation is really the "-nonfree" in the name. Because flashplugin is not open source, we have to live with the information that Adobe reveals. If they reveal only unpublished CVE numbers, there's not much we can do besides waiting until the details become public. Which in fact they never really do. Although information appears on the CVE website by now, it just says "unspecified vulnerability". Just the braindead closed source thinking, security by obscurity...