Closed Bug 1323300 Opened 6 years ago Closed 6 years ago

Plugin block request: Adobe Flash Player 23.0.0.207 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: guigs, Unassigned)

References

Details

(Whiteboard: [plugin])

Plugin name: Flash Player.plugin
Plugin versions to block: 23.0.0.207 and earlier
Applications, versions, and platforms affected: Mac and Windows (Linux is a p3)
Block severity: (hard)

How does this plugin appear in about:plugins?
    File: /Library/Internet Plug-Ins/Flash Player.plugin
    Version: 23.0.0.207
    Description: Shockwave Flash 24.0 r0

Homepage and other references and contact info: https://helpx.adobe.com/security/products/flash-player/apsb16-39.html#table

Reasons:P1 in Adobe release
Summary: Plugin block request: <plugin name> → Plugin block request: Adobe Flash Player 23.0.0.207 and earlier
Depends on: 1323294
Blocks staged:

Flash Player Plugin on Linux 11.2.202.643 to 23.0.0.207 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p952

Flash Player Plugin 23.0.0.205 to 23.0.0.207 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p951

It's nice that they aligned the version numbers. However, we'll have to still add two different blocks because the Linux one needs the OS attribute in order to not apply on Android.
Flags: needinfo?(kjozwiak)
Jorge, I'm getting certificate errors whenever I attempt to ping the staged server. Did the process change or is this a legitimate problem with the staging server? It seems like the certificate that's being used on the staging server has expired on 12/06/2016 07:00 AM...

Errors under the browser console:
==================================

Ubuntu 16.04 x64:

Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/53.0a1/Firefox/20161215061212/Linux_x86_64-gcc3/en-US/nightly/Linux%204.4.0-45-generic%20(GTK%203.18.9%2Clibpulse%208.0.0)/default/default/invalid/invalid/0/
blocklist-dev.allizom.org:443 uses an invalid security certificate.

The certificate expired on 12/06/2016 07:00 AM. The current time is 12/15/2016 02:40 PM.

Error code: <a id="errorCode" title="SEC_ERROR_EXPIRED_CERTIFICATE">SEC_ERROR_EXPIRED_CERTIFICATE</a>
Blocklist:onError: There was an error loading the blocklist file nsIXMLHttpRequest channel unavailable

Windows 10 x64:

Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/53.0a1/Firefox/20161215061212/WINNT_x86-msvc/en-US/nightly/Windows_NT%2010.0/default/default/1/1/new/
blocklist-dev.allizom.org:443 uses an invalid security certificate.

The certificate expired on Tuesday, December 6, 2016 7:00 AM. The current time is Thursday, December 15, 2016 2:46 PM.

Error code: <a id="errorCode" title="SEC_ERROR_EXPIRED_CERTIFICATE">SEC_ERROR_EXPIRED_CERTIFICATE</a>
Blocklist:onError: There was an error loading the blocklist file nsIXMLHttpRequest channel unavailable
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Stuart, do you know what that's about?
Flags: needinfo?(jorge) → needinfo?(scolville)
(In reply to Jorge Villalobos [:jorgev] from comment #3)
> Stuart, do you know what that's about?

That's going to be an ops question. I think there was a problem with cert expiry last week, since we had a problem that impacted the mobile pages statics. It sounds similar.
Flags: needinfo?(scolville) → needinfo?(jthomas)
Fixed on -dev and stage.
Flags: needinfo?(jthomas)
Kamil, please try again.
Flags: needinfo?(kjozwiak)
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> Kamil, please try again.

Looks good!

Windows 10 x64 VM: PASSED
=========================

File: NPSWF32_23_0_0_207.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_207.dll
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-16-03-02-07-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed too firefox/blocked/p951
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_24_0_0_186.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/50.1.0/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

OSX 10.12.2 x64: PASSED
=======================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b8-candidates/build1/mac/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed too firefox/blocked/p941
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-16-10-17-50-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

Ubuntu 16.04.1 LTS VM x64: PASSED
=================================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.644
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/releases/50.1.0/linux-x86_64/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed too firefox/blocked/p952
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b8-candidates/build1/linux-x86_64/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled
Flags: needinfo?(kjozwiak)
The blocks are now live:

Flash Player Plugin 23.0.0.205 to 23.0.0.207 (click-to-play)
https://addons.mozilla.org/firefox/blocked/p1422

Flash Player Plugin on Linux 11.2.202.643 to 23.0.0.207 (click-to-play) 
https://addons.mozilla.org/firefox/blocked/p1421
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Due to the issue that was reported in comment#2 and fixed in comment#5, I quickly checked and made sure that the staged server is serving the blocks without any issues/cert errors.

Windows 10 x64: PASSED
======================

File: NPSWF32_23_0_0_207.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_207.dll
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-20-03-02-15-mozilla-central/

macOS 10.12.2 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/releases/50.0.2/mac/en-US/

Ubuntu 16.04.1 LTS: PASSED
==========================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.644
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/candidates/51.0b9-candidates/build1/linux-x86_64/en-US/
You need to log in before you can comment on or make changes to this bug.