Closed
Bug 1110578
Opened 10 years ago
Closed 10 years ago
flash 11.2.202.418 on Linux is blocked
Categories
(Websites :: plugins.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: illumilor.e, Unassigned)
References
Details
Attachments
(1 obsolete file)
screenshot.png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0 Build ID: 2014112600 Steps to reproduce: When going to a flash site, I get a flash is blocked by firefox because it is out of date message. If I click on the update now button the tab it opens says flash is up to date.
|
||
Updated•10 years ago
|
Component: Untriaged → Plug-ins
Product: Firefox → Core
|
||
Comment 1•10 years ago
|
||
The version of Flash you have is in fact vulnerable and actively being exploited on the web. We deployed the Firefox client block, but Mozilla plugincheck has not yet been updated. I'm going to morph this bug into a request to update Mozilla plugincheck, but in the meantime you should visit https://get.adobe.com/flashplayer/ to install an updated version ASAP.
Status: UNCONFIRMED → NEW
Component: Plug-ins → plugins.mozilla.org
Ever confirmed: true
Product: Core → Websites
Version: 34 Branch → Trunk
|
||
Updated•10 years ago
|
Summary: flash is blocked → flash is blocked version 15.0.0.246 shown as up to date when 16 should be
|
||
Comment 2•10 years ago
|
||
if we are blocklisting a plugin on such a wide scale we should at the same time also update the mozilla plugin check at https://www.mozilla.org/plugincheck - in about:addons this is provided as resource to check and update your plugins. in the last day this issue has become the most trending topic in sumo - it leaves many users irritated and confused that old vulnerable versions are blocklisted but are still shown as current on the plugin check page an there is no link to any source to update to a secure version... so please fix the website as soon as possible.
|
||
Comment 3•10 years ago
|
||
Version 15.0.0.246 is, in fact, up to date. Version 15.0.0.242 and below had the vulnerability, and 15.0.0.246 was an automatic update that contained a fix. Adobe's advisory recommended upgrading to their latest, 16.0.0.235 https://helpx.adobe.com/security/products/flash-player/apsb14-27.html Their support pages say 15.0.0.246 was also a fix for that advisory. https://forums.adobe.com/thread/1654544?start=0&tstart=0 Versions 16.0.0.0 through 16.0.0.234 (was there one? I've seen a .219) were beta versions and we shouldn't see too many users on them. According to bug 1109795 comment 14 .219 was the first public beta and contained the fix so I wouldn't worry about blocking any possibly-vulnerable non-public betas. Yesterday the plugincheck was incorrectly saying 15.0.0.246 was "Up to Date" instead of "Update Available". Today plugincheck is incorrectly saying 15.0.0.246 is "Vulnerable", but we shouldn't be blocklisting 15.0.0.246 users anyway so they likely won't see it. And the update won't hurt them. I don't know why illumilor.e hit a plugincheck page saying a blocklisted version was Up to Date. I verified that the pluginscheck database was updated the day before I requested the blocklisting. illumilor.e: what version of Flash did you actually have? Schalk: is there a manual "push" step to get the database info live that didn't happen? (but has obviously happened now.)
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(illumilor.e)
|
|
||
Comment 4•10 years ago
|
||
Assuming illumilor.e had 15.0.0.246 as in the title then the site was working correctly and this bug can be closed worksforme. And even if not since that version is now marked vulnerable then I guess this bug can be closed FIXED.
|
|
||
Comment 5•10 years ago
|
||
ok, i've just checked with another affected device (flash 15.0.0.239) and the plugin check page is now showing the correct results (vulnerable & update available). however during much of the (european) day, it didn't while the plugin was already blocklisted, which caused a lot of confusion... see https://support.mozilla.org/en-US/questions/1035859 & https://support.mozilla.org/en-US/questions/1035953 for example. so i guess it's a workforme now, but maybe with a potential to make this process better for future similar situations.
|
|
||
Comment 6•10 years ago
|
||
apparently still not correct for linux users and flash 11.2.202.424: https://support.mozilla.org/en-US/questions/1035807#answer-664154
See also bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7" There have been issues, with reporting of the Flash plugin, since 2014-10-17. Others, on Windows, have seen Flash "15.0.0.239" (and "15.0.0.246") being reported as "Up to Date", on 2014-12-11 and 2014-12-12, IN ERROR. The 'Plugincheck Database' was updated, by Schalk Neethling [:espressive] on 2014-12-10 at 01:13:58 PST. (see bug 1109488). For Background to the 'Plugincheck Service', see bug 956905 comment # 148 onwards. DJ-Leith
|
|
||
Comment 9•10 years ago
|
||
it's not working on win7/firefox 31 esr
|
|
||
Comment 10•10 years ago
|
||
Comment on attachment 8536427 [details]
screenshot.png
sorry, please ignore - it was meant for a different bug #
Attachment #8536427 -
Attachment is obsolete: true
|
||
Comment 11•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3) > > Schalk: is there a manual "push" step to get the database info live that > didn't happen? (but has obviously happened now.) Updating the information for the plugincheck page involves updating the database at plugins.m.o [this is independent of any changes to plugin statuses anywhere else, such as blocklists etc.] but, after the update happened there, there is also a cache period that needs to expire on mozilla.org but, the length of time mentioned here is much longer than the cache TTL.
Flags: needinfo?(schalk.neethling.bugs)
|
|
||
Comment 12•10 years ago
|
||
As the database update happened I am closing this bug as resolved fixed. There are other bugs related to problems being experienced by users of ESR version of Fx and also release versions on Windows and Linux but those are tracked in separate bugs.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Comment 14•10 years ago
|
||
This bug is still a problem, so is clearly not fixed. As of 2014-12-16T20:06:21Z Flash version 11.2.202.424 is shown as vulnerable on web pages, but is apparently "up to date" on the plugin check webpage.
|
Reporter | |
Comment 15•10 years ago
|
||
Why are you changing my summary to something that has nothing to do with the bug I reported? I never had flash version 15, why are you putting that in the title?
Status: RESOLVED → REOPENED
Flags: needinfo?(rmcguigan)
Resolution: FIXED → ---
|
|
Reporter | |
Updated•10 years ago
|
Summary: flash is blocked version 15.0.0.246 shown as up to date when 16 should be → flash is blocked
|
||
Comment 16•10 years ago
|
||
FAO Daniel Veditz [:dveditz] (In reply to Schalk Neethling [:espressive] from bug 1110578 comment # 11) > (In reply to Daniel Veditz [:dveditz] from bug 1110578 comment # 3) > > > > Schalk: is there a manual "push" step to get the database info live that > > didn't happen? (but has obviously happened now.) > > Updating the information for the plugincheck page involves updating the database > at plugins.m.o [this is independent of any changes to plugin statuses anywhere > else, such as blocklists etc.] but, after the update happened there, there is > also a cache period that needs to expire on mozilla.org but, the length of time > mentioned here is much longer than the cache TTL. I have deliberately kept a Flash "15.0.0.246" for testing. The 'Plugincheck Database', for Flash "16.0.0.235" was updated on 2014-12-10 at 01:13:58 PST (see bug 1109488). Like others, I still see Flash "15.0.0.246" reported, at the 'Plugincheck Website', as "Up to Date" in ERROR. So, 6 days after the Flash "16.0.0.235" was added to the 'Plugincheck Database' we STILL have the 'wrong result for Release': a false sense of Security. We did have on, 2012-12-12 the correct result, "vulnerable", using the 'JSON List', two days after the 'Plugincheck Database' was updated. I still think there is some 'infrastructure' cause to WHY we do NOT get 'fresh data about recently added versions of vulnerable Plugins in the Plugincheck Database', via the dynamic URLs, sent to the 'Plugincheck Website'. More information in bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7" DJ-Leith
|
|
||
Comment 17•10 years ago
|
||
(In reply to illumilor.e from comment #15) > Why are you changing my summary to something that has nothing to do with the > bug I reported? I never had flash version 15, why are you putting that in > the title? Because you didn't say what version and "flash is blocked" is not very useful: some versions are SUPPOSED to be blocked. Barring anything useful rmcguigan either guessed or put his own information in.
|
|
||
Comment 18•10 years ago
|
||
(In reply to DJ-Leith from comment #16) > I have deliberately kept a Flash "15.0.0.246" for testing. > > Like others, I still see Flash "15.0.0.246" reported, at the 'Plugincheck > Website', as "Up to Date" in ERROR. I don't see that. For me 15.0.0.246 has shown as Vulnerable for days now, both when accessed from Mozilla and from my home ISP (Comcast). This is actually incorrect: as far as Adobe has said 15.0.0.246 is not, in fact, vulnerable. It contains the same fix as 16.0.0.235. In the database it's listed correctly as "Outdated" rather than "Vulnerable" but apparently the site no longer makes that distinction (a bug? intentionally?). So the real problem you (DJ-Leith) are seeing is that some people get the right message on plugincheck, and some people (like yourself) don't. We should track that down, but that's not this bug. Please don't confuse the issue by talking about two different things in one bug. > I still think there is some 'infrastructure' cause to WHY we do NOT > get 'fresh data about recently added versions of vulnerable Plugins > in the Plugincheck Database', via the dynamic URLs, sent to the > 'Plugincheck Website'. Yes, likely. Is there something caching old scripts or data requests on your (and other's, judging by SUMO threads) network paths? It does not appear to be a problem on the Mozilla server itself (unless maybe we're sending incorrect cache headers). > More information in > bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7" That looks like a more appropriate place to discuss the symptoms you're seeing
Summary: flash is blocked → flash 11.2.202.418 on Linux is blocked
|
|
||
Comment 19•10 years ago
|
||
Given illumilor.e's request to bring this issue back to the bug actually reported and not incorrect guesses about similar symptoms, and the version given in comment 7 (added to the summary to keep the bug on track) then this bug is WORKSFORME: 11.2.202.418 on Linux is being blocked intentionally because it is vulnerable and Adobe has announced that there are exploits in the wild. Please upgrade to 11.2.202.245 If your bug report was actually about seeing wrong information on plugincheck then bug 1084537 is probably the right place for it.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → INVALID
|
|
||
Updated•10 years ago
|
Flags: needinfo?(rmcguigan)
You need to log in
before you can comment on or make changes to this bug.
Description
•