CVE-2006-5330

Name: CVE-2006-5330
Description: CRLF injection vulnerability in Adobe Flash Player plugin 9.0.16 and earlier for Windows, 7.0.63 and earlier for Linux, 7.x before 7.0 r67 for Solaris, and before 9.0.28.0 for Mac OS X, allows remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks via CRLF sequences in arguments to the ActionScript functions (1) XML.addRequestHeader and (2) XML.contentType. NOTE: the flexibility of the attack varies depending on the type of web browser being used.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 402822

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| flashplugin-nonfree (PTS) | jessie/contrib | 1:3.6.1+deb8u1 | fixed |
| flashplugin-nonfree (PTS) | sid/contrib | 1:3.7 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| flashplugin-nonfree | source | (unstable) | 9.0.31.0.1 | medium | | 402822 |

Notes

It is not clear whether this is already fixed in 9.0.21.78.X (the previous version),
but it is fixed in 9.0.31.0.1 for sure.
[sarge] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)
[etch] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)
