Closed Bug 1181285 Opened 9 years ago Closed 2 years ago

Plugincheck back-end does not allow defining version ranges for vulnerable plugins

Categories: Plugin Check Graveyard :: General
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INCOMPLETE

People

(Reporter: marksc, Unassigned)

Details

Summary:
Currently the plugincheck back-end requires each individual vulnerable version of a plugin to be defined. Most security advisories affect a range of versions for a plugin, meaning we must create a separate individual entry for each plugin version inside the range. This is basically impossible. Ultimately many versions are missed and users are shown incorrectly that their plugin is only "outdated" when it should be "vulnerable." Being able to define a range of vulnerable versions would fix this.

More information:
When a vendor releases an advisory saying v12.x.y-v17.z.a of x-plugin is vulnerable, we must create a separate entry for each individual version between v12.x.y and v17.z.a. But it's effectively impossible for us to know all of the releases between these two versions.

Here's an example of an Adobe Security Bulletin:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html

Note that the advisory defines three ranges. One for Windows/Mac, one for the ESR release, and one for the Linux release.
Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux
For another example see Bug 1184297 "Plugincheck - Java 10.79.2.15 (7.0.79) appearing as "outdated" even though it's vulnerable".

If you change the backend, please can you also consider including the
facility to have more than one 'family' or 'branch' of a plugin.

I recommend that each 'branch' is 'regarded by the Plugincheck Service'
(Database and Website) as if it was a 'separate plugin'.

Some examples:

Adobe Reader.

If you have the 'latest version 11' i.e. "11.0.12.18" it will be reported as "outdated".

In addition to Adobe Reader XI e.g. "11.0.12.18" there is
Adobe Reader DC Classic and Adobe Reader DC Continuous.

See Bug 1154431, in particular from bug 1154431 comment # 14 onwards.

For a recent "Adobe Security Bulletin" which lists 'Reader families' see:
https://helpx.adobe.com/security/products/reader/apsb15-15.html

DJ-Leith
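The two requests in this bug, the reporter's bounded vulnerable ranges and DJ-Leith's per-branch plugin families, as an added worked example in Python. This is not Plugincheck's back-end code; it transcribes the three APSB15-14 ranges quoted above as rules and decides "vulnerable" before "outdated", so a version inside a range is never reported as merely stale. The "latest known release" numbers and the "x-plugin" rule in the usage are constructed placeholders, not advisory data.

```python
"""Version-range rules for a plugin vulnerability check (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn "18.0.0.161" (optionally prefixed with "v") into (18, 0, 0, 161).

    Python compares tuples component-wise, so (13, 0, 0, 292) < (18, 0, 0, 161),
    which gives "X and earlier" a direct translation into `version <= X`.
    """
    return tuple(int(part) for part in text.strip().lower().lstrip("v").split("."))


def in_branch(version: Version, branch: Version) -> bool:
    """True when version starts with the branch prefix; () matches any branch."""
    return version[:len(branch)] == branch


@dataclass(frozen=True)
class VulnerableRange:
    """One advisory line such as "13.0.0.292 and earlier 13.x versions"."""
    plugin: str
    platform: str
    max_vulnerable: Version       # "X and earlier": inclusive upper bound
    branch: Version = ()          # (13,) for "13.x versions"; () = any branch
    min_vulnerable: Version = ()  # inclusive lower bound; () = open below
    advisory: str = ""

    def covers(self, version: Version) -> bool:
        """Bounds check only; plugin/platform/branch selection happens outside."""
        if not in_branch(version, self.branch):
            return False
        if self.min_vulnerable and version < self.min_vulnerable:
            return False
        return version <= self.max_vulnerable


def flash_rules(platforms, max_vulnerable, branch=(), advisory="APSB15-14"):
    """Expand one advisory line into one rule per listed platform."""
    return [VulnerableRange("Flash Player", p, parse_version(max_vulnerable), branch, (), advisory)
            for p in platforms]


# The three ranges quoted from APSB15-14 in this bug, transcribed as rules.
APSB15_14: List[VulnerableRange] = (
    flash_rules(("windows", "mac"), "18.0.0.161")
    + flash_rules(("windows", "mac"), "13.0.0.292", branch=(13,))   # ESR family
    + flash_rules(("linux",), "11.2.202.466", branch=(11,))
)

# Newest release known per (plugin, platform, branch). These numbers are
# CONSTRUCTED placeholders for the example, not Adobe release numbers.
LATEST_KNOWN: Dict[Tuple[str, str, Version], Version] = {
    ("Flash Player", "windows", ()): parse_version("18.0.0.999"),
    ("Flash Player", "mac", ()): parse_version("18.0.0.999"),
    ("Flash Player", "windows", (13,)): parse_version("13.0.0.999"),
    ("Flash Player", "mac", (13,)): parse_version("13.0.0.999"),
    ("Flash Player", "linux", (11,)): parse_version("11.2.202.999"),
}


def applicable_rules(plugin, version, platform, rules) -> List[VulnerableRange]:
    """Rules for this plugin/platform whose branch matches the version, keeping
    only the most specific branch: a 13.x ESR install is judged by the 13.x line,
    not by "18.0.0.161 and earlier", which is DJ-Leith's one-family-per-branch point."""
    matching = [r for r in rules if r.plugin == plugin and r.platform == platform
                and in_branch(version, r.branch)]
    if not matching:
        return []
    depth = max(len(r.branch) for r in matching)
    return [r for r in matching if len(r.branch) == depth]


def classify(plugin: str, version_text: str, platform: str,
             rules=APSB15_14, latest=LATEST_KNOWN) -> Tuple[str, List[str]]:
    """Return (status, advisories). A range hit always beats mere staleness."""
    version = parse_version(version_text)
    hits = sorted({r.advisory for r in applicable_rules(plugin, version, platform, rules)
                   if r.covers(version)})
    if hits:
        return "vulnerable", hits
    # Staleness is measured against the newest release of the most specific
    # matching branch, again so ESR is not compared with the mainline.
    candidates = [(branch, newest) for (p, plat, branch), newest in latest.items()
                  if p == plugin and plat == platform and in_branch(version, branch)]
    if not candidates:
        return "unknown", []
    _, newest = max(candidates, key=lambda c: len(c[0]))
    return ("up_to_date" if version >= newest else "outdated"), []


if __name__ == "__main__":
    for ver, plat in (("18.0.0.161", "windows"), ("13.0.0.100", "mac"),
                      ("13.0.0.300", "windows"), ("11.2.202.467", "linux")):
        print(ver, plat, classify("Flash Player", ver, plat))
    # A two-sided range like the reporter's "v12.x.y-v17.z.a of x-plugin" (constructed):
    two_sided = VulnerableRange("x-plugin", "any", parse_version("17.0"), (),
                                parse_version("12.0"), "example-advisory")
    print("x-plugin 16.99", two_sided.covers(parse_version("16.99")))
```

Each advisory line becomes one rule with an inclusive upper bound and an optional branch prefix, so adding a range is one record rather than one record per release. With the constructed "latest" table, 13.0.0.300 on Windows is "outdated" rather than "vulnerable" because the 13.x line, not the 18.x line, decides for that family.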

PluginCheck is no longer supported

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE