Created attachment 8503731: Untitled 3.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36

Actual results:
Firefox is supporting old version of Real player plug-in which allows remote code execution. Please find the security vulnerability details:
http://service.real.com/realplayer/security/12202013_player/en/
http://service.real.com/realplayer/security/06272014_player/en/

Thanks
Chandra Mohan

Expected results:
Firefox should not support old versions of Real player plug-in.
Group: core-security → websites-security
Component: Untriaged → General
Product: Firefox → Plugin Check
Version: 35 Branch → unspecified
Assignee: nobody → schalk.neethling.bugs
Component: General → Whistler
Priority: -- → P1
So, in the database we currently have:

(2) RealJukebox NS Plugin
(1) RealNetworks(tm) Chrome Background Extension Plug-In (32-bit)
(3) RealPlayer
(2) RealPlayer Version Plugin
(1) RealPlayer(tm) HTML5VideoShim Plug-In (32-bit)

Looking at each though, they all have the same version set as the latest, aka 126.96.36.199, so I am not sure why we need to track 5 different 'forms' of the plugin. Carsten? I assume historic reasons.

I will update all 5 with the information provided above, but I will need to figure out if there is any reason to track all those individually. Thanks for reporting this.
The production database has been updated. Now I just need to figure out whether we actually need those five different product entries, but that is a separate bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(In reply to Schalk Neethling [:espressive] from comment #1)
> Carsten? I assume historic reasons.

Yep, exactly, but I guess we can drop outdated/old stuff now.
Do we have Firefox plugin blocks for these versions of realplayer? This got moved to plugincheck, but since plugincheck and the AMO blocklist are separate we need to make sure that we update both of them. Also, Schalk since this shipped can we remove the security flag?
:bsmedberg, I reckon we can. I do not seem to have the needed rights to remove the flag though, so feel free to remove it if you are able. Thanks!
There are no blocks for the Real Player plugin. To create a blocklist bug I'll need version and platform details.
Jorge, do you need more details than the realplayer security bulletins from comment 0?
Sorry for the delay, I filed bug 1222130 to deal with the block.