According to Adobe's bulletin, the following versions are vulnerable:

- Flash Player 9.0.20.0 and earlier
- Flash Professional 8 [prior to 8.0.34.0]
- Flash Player 7.0.68.0 and earlier
Therefore, although Adobe recommends upgrading to 9.0.28.0, I believe only sarge needs to be updated.

The advisory at <http://www.rapid7.com/advisories/R7-0026.jsp> is more explicit about the vulnerability: a Flash script can specify values for Content-Type or custom (non-standard) headers in HTTP requests it makes, and these are not restricted from including CR and LF characters. This means that the 'header values' can include additional header lines and even (if the server supports pipelining) entire requests. The advisory includes a script fragment that demonstrates the exploit. A complete example file would be helpful in verifying that etch and sid are not vulnerable.

Ben.

-- 
Ben Hutchings
Computers are not intelligent. They only think they are.
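As an added illustration (not part of the message above, and not the Rapid7 script), the following Python shows why unfiltered CR/LF in a header value matters and what the fix looks like on the side that serialises the request: a naive serialiser lets a constructed Content-Type value become an extra header line that a lenient parser accepts as genuine, while a checked serialiser refuses it. The header value, host name and function names are constructed for this example.

```python
import re

# Constructed sample values for this example. The unsafe one carries a
# CR LF pair followed by what will be read as a second header line.
UNSAFE_VALUE = "text/plain\r\nX-Injected: 1"
SAFE_VALUE = "text/plain"

# Carriage return and line feed are the two characters the advisory says
# Flash did not strip from header values.
CTL = re.compile(r"[\r\n]")


def serialise_naive(method, path, host, headers):
    """Join request line and headers with no checking of names or values."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def serialise_checked(method, path, host, headers):
    """Same layout, but refuse any header name or value containing CR or LF."""
    for name, value in headers.items():
        if CTL.search(name) or CTL.search(value):
            raise ValueError(f"control character in header {name!r}")
    return serialise_naive(method, path, host, headers)


def parse_headers(raw):
    """Parse the head of a request as a lenient server would.

    Returns (request_line, {header_name: header_value}); every CR LF
    delimited line after the request line is treated as a real header.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parsed = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return request_line, parsed


def headers_seen_by_server(content_type):
    """What the server parses when a client sends the given Content-Type."""
    raw = serialise_naive("POST", "/upload", "example.test",
                          {"Content-Type": content_type})
    return parse_headers(raw)[1]
```

With UNSAFE_VALUE the server-side view contains an X-Injected header the caller never declared; the checked serialiser raises instead of sending it.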