Closed Bug 1110578 Opened 5 years ago Closed 5 years ago

flash 11.2.202.418 on Linux is blocked

Categories

(Websites :: plugins.mozilla.org, defect)

x86_64
Linux
defect
Not set

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: illumilor.e, Unassigned)

References

Details

Attachments

(1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 2014112600

Steps to reproduce:

When going to a flash site, I get a flash is blocked by firefox because it is out of date message. If I click on the update now button the tab it opens says flash is up to date.
Component: Untriaged → Plug-ins
Product: Firefox → Core
The version of Flash you have is in fact vulnerable and actively being exploited on the web.

We deployed the Firefox client block, but Mozilla plugincheck has not yet been updated. I'm going to morph this bug into a request to update Mozilla plugincheck, but in the meantime you should visit https://get.adobe.com/flashplayer/ to install an updated version ASAP.
Status: UNCONFIRMED → NEW
Component: Plug-ins → plugins.mozilla.org
Ever confirmed: true
Product: Core → Websites
Version: 34 Branch → Trunk
Summary: flash is blocked → flash is blocked version 15.0.0.246 shown as up to date when 16 should be
if we are blocklisting a plugin on such a wide scale we should at the same time also update the mozilla plugin check at https://www.mozilla.org/plugincheck - in about:addons this is provided as resource to check and update your plugins.

in the last day this issue has become the most trending topic in sumo - it leaves many users irritated and confused that old vulnerable versions are blocklisted but are still shown as current on the plugin check page an there is no link to any source to update to a secure version...
  
so please fix the website as soon as possible.
Version 15.0.0.246 is, in fact, up to date. Version 15.0.0.242 and below had the vulnerability, and 15.0.0.246 was an automatic update that contained a fix.

Adobe's advisory recommended upgrading to their latest, 16.0.0.235
https://helpx.adobe.com/security/products/flash-player/apsb14-27.html

Their support pages say 15.0.0.246 was also a fix for that advisory.
https://forums.adobe.com/thread/1654544?start=0&tstart=0

Versions 16.0.0.0 through 16.0.0.234 (was there one? I've seen a .219) were beta versions and we shouldn't see too many users on them. According to bug 1109795 comment 14 .219 was the first public beta and contained the fix so I wouldn't worry about blocking any possibly-vulnerable non-public betas.

Yesterday the plugincheck was incorrectly saying 15.0.0.246 was "Up to Date" instead of "Update Available". Today plugincheck is incorrectly saying 15.0.0.246 is "Vulnerable", but we shouldn't be blocklisting 15.0.0.246 users anyway so they likely won't see it. And the update won't hurt them.

I don't know why illumilor.e hit a plugincheck page saying a blocklisted version was Up to Date. I verified that the pluginscheck database was updated the day before I requested the blocklisting.

illumilor.e: what version of Flash did you actually have?

Schalk: is there a manual "push" step to get the database info live that didn't happen? (but has obviously happened now.)
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(illumilor.e)
Assuming illumilor.e had 15.0.0.246 as in the title then the site was working correctly and this bug can be closed worksforme. And even if not since that version is now marked vulnerable then I guess this bug can be closed FIXED.
ok, i've just checked with another affected device (flash 15.0.0.239) and the plugin check page is now showing the correct results (vulnerable & update available). however during much of the (european) day, it didn't while the plugin was already blocklisted, which caused a lot of confusion...
see https://support.mozilla.org/en-US/questions/1035859 & https://support.mozilla.org/en-US/questions/1035953 for example. 

so i guess it's a workforme now, but maybe with a potential to make this process better for future similar situations.
apparently still not correct for linux users and flash 11.2.202.424:
https://support.mozilla.org/en-US/questions/1035807#answer-664154
I have flash version 11.2.202.418
Flags: needinfo?(illumilor.e)
See also bug 1084537
"Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
There have been issues, with reporting of the Flash plugin, since 2014-10-17. 

Others, on Windows,
have seen Flash "15.0.0.239" (and "15.0.0.246") being reported as "Up to Date",
on 2014-12-11 and 2014-12-12, IN ERROR.

The 'Plugincheck Database' was updated,
by Schalk Neethling [:espressive] on 2014-12-10 at 01:13:58 PST.
(see bug 1109488).


For Background to the 'Plugincheck Service', see bug 956905 comment # 148 onwards. 

DJ-Leith
Attached image screenshot.png (obsolete) —
it's not working on win7/firefox 31 esr
Comment on attachment 8536427 [details]
screenshot.png

sorry, please ignore - it was meant for a different bug #
Attachment #8536427 - Attachment is obsolete: true
(In reply to Daniel Veditz [:dveditz] from comment #3)
> 
> Schalk: is there a manual "push" step to get the database info live that
> didn't happen? (but has obviously happened now.)

Updating the information for the plugincheck page involves updating the database at plugins.m.o [this is independent of any changes to plugin statuses anywhere else, such as blocklists etc.] but, after the update happened there, there is also a cache period that needs to expire on mozilla.org but, the length of time mentioned here is much longer than the cache TTL.
Flags: needinfo?(schalk.neethling.bugs)
As the database update happened I am closing this bug as resolved fixed. There are other bugs related to problems being experienced by users of ESR version of Fx and also release versions on Windows and Linux but those are tracked in separate bugs.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1111356
This bug is still a problem, so is clearly not fixed. As of 2014-12-16T20:06:21Z Flash version 11.2.202.424 is shown as vulnerable on web pages, but is apparently "up to date" on the plugin check webpage.
Why are you changing my summary to something that has nothing to do with the bug I reported? I never had flash version 15, why are you putting that in the title?
Status: RESOLVED → REOPENED
Flags: needinfo?(rmcguigan)
Resolution: FIXED → ---
Summary: flash is blocked version 15.0.0.246 shown as up to date when 16 should be → flash is blocked
FAO Daniel Veditz [:dveditz]

(In reply to Schalk Neethling [:espressive] from bug 1110578 comment # 11)
> (In reply to Daniel Veditz [:dveditz] from bug 1110578 comment # 3)
> > 
> > Schalk: is there a manual "push" step to get the database info live that
> > didn't happen? (but has obviously happened now.)
> 
> Updating the information for the plugincheck page involves updating the database
> at plugins.m.o [this is independent of any changes to plugin statuses anywhere
> else, such as blocklists etc.] but, after the update happened there, there is
> also a cache period that needs to expire on mozilla.org but, the length of time
> mentioned here is much longer than the cache TTL.

I have deliberately kept a Flash "15.0.0.246" for testing.

The 'Plugincheck Database', for Flash "16.0.0.235" was updated
on 2014-12-10 at 01:13:58 PST (see bug 1109488).

Like others, I still see Flash "15.0.0.246" reported, at the 'Plugincheck Website',
as "Up to Date" in ERROR.

So, 6 days after the Flash "16.0.0.235" was added to the 'Plugincheck Database'
we STILL have the 'wrong result for Release': a false sense of Security.
We did have on, 2012-12-12 the correct result, "vulnerable", using the 'JSON List',
two days after the 'Plugincheck Database' was updated.

I still think there is some 'infrastructure' cause to WHY we do NOT
get 'fresh data about recently added versions of vulnerable Plugins
in the Plugincheck Database', via the dynamic URLs, sent to the
'Plugincheck Website'.

More information in
bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"

DJ-Leith
(In reply to illumilor.e from comment #15)
> Why are you changing my summary to something that has nothing to do with the
> bug I reported? I never had flash version 15, why are you putting that in
> the title?

Because you didn't say what version and "flash is blocked" is not very useful: some versions are SUPPOSED to be blocked. Barring anything useful rmcguigan either guessed or put his own information in.
(In reply to DJ-Leith from comment #16)
> I have deliberately kept a Flash "15.0.0.246" for testing.
> 
> Like others, I still see Flash "15.0.0.246" reported, at the 'Plugincheck
> Website', as "Up to Date" in ERROR.

I don't see that. For me 15.0.0.246 has shown as Vulnerable for days now, both when accessed from Mozilla and from my home ISP (Comcast).

This is actually incorrect: as far as Adobe has said 15.0.0.246 is not, in fact, vulnerable. It contains the same fix as 16.0.0.235. In the database it's listed correctly as "Outdated" rather than "Vulnerable" but apparently the site no longer makes that distinction (a bug? intentionally?).

So the real problem you (DJ-Leith) are seeing is that some people get the right message on plugincheck, and some people (like yourself) don't. We should track that down, but that's not this bug. Please don't confuse the issue by talking about two different things in one bug.

> I still think there is some 'infrastructure' cause to WHY we do NOT
> get 'fresh data about recently added versions of vulnerable Plugins
> in the Plugincheck Database', via the dynamic URLs, sent to the
> 'Plugincheck Website'.

Yes, likely. Is there something caching old scripts or data requests on your (and other's, judging by SUMO threads) network paths? It does not appear to be a problem on the Mozilla server itself (unless maybe we're sending incorrect cache headers).

> More information in
> bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"

That looks like a more appropriate place to discuss the symptoms you're seeing
Summary: flash is blocked → flash 11.2.202.418 on Linux is blocked
Given illumilor.e's request to bring this issue back to the bug actually reported and not incorrect guesses about similar symptoms, and the version given in comment 7 (added to the summary to keep the bug on track) then this bug is WORKSFORME: 11.2.202.418 on Linux is being blocked intentionally because it is vulnerable and Adobe has announced that there are exploits in the wild. Please upgrade to 11.2.202.245 

If your bug report was actually about seeing wrong information on plugincheck then bug 1084537 is probably the right place for it.
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → INVALID
Blocks: 1109795
Flags: needinfo?(rmcguigan)
You need to log in before you can comment on or make changes to this bug.