Closed
Bug 1339975
Opened 8 years ago
Closed 8 years ago
Plugin block request: Adobe Flash player version 24.0.0.194 and earlier
Categories
(Toolkit :: Blocklist Policy Requests, defect, P1)
RESOLVED
FIXED
People
(Reporter: jorgev, Assigned: jorgev)
Just the usual monthly Flash plugin update. It was done a week later than usual due to Microsoft also delaying Patch Tuesday.
Comment 1•8 years ago
Should we close bug#1339533? I just found the bug when I noticed there's a newer version of flash out while going through bug#1339500.
Comment 2•8 years ago
Scratch the above. I think bug#1339533 is specific to updating the plugin database.
Assignee
Comment 3•8 years ago
The blocks are staged. Kamil, please give them a look. The plan is to deploy them on Monday, Feb 20th.
Flags: needinfo?(kjozwiak)
Comment 4•8 years ago
Is this staged on blocklist-dev.allizom.org? I keep trying to ping the staging server while I have fp24.0.0.194 installed but I keep getting the following:
* Blocklist state for Shockwave Flash changed from 0 to 0
** indicates that the item does not appear in the blocklist.
If I'm not mistaken, I should be getting the following:
* Blocklist state for Shockwave Flash changed from 0 to 3
** considered outdated, and there is a known update available.
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Assignee
Comment 5•8 years ago
Looks like all you need to do is point extensions.blocklist.url to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
However, the staging blocklist is currently not working due to bug 1341012.
Depends on: 1341012
Flags: needinfo?(jorge)
Assignee
Comment 6•8 years ago
Kamil, please give it another try. It should be working now.
Flags: needinfo?(kjozwiak)
Comment 8•8 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> Kamil, please give it another try. It should be working now.
I'm still getting the same results as in comment#4 even though I've pointed "extensions.blocklist.url" to the link mentioned in comment#5 using both m-c and m-r. Once "extensions.blocklist.url" has been changed, I use the following snippet to force the blocklist ping:
Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
I looked under the URL [1] that I received in the browser console when I forced the blocklist ping, but I didn't see 24.0.0.194 listed anywhere in the XML file. Perhaps we're using the wrong link, or maybe I'm just doing something wrong? Is there a different method that I should be using to ping the blocklist now that we're using kinto?
[1] https://firefox.settings.services.mozilla.com/v1/preview/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/51.0.1/Firefox/20170125094131/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/release/
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Assignee
Comment 9•8 years ago
It looks like I forgot to move the staged blocks to preview (I thought I did?). Please try again.
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Comment 10•8 years ago
It looks like m-c is the only channel that's currently using the new kinto server for blocklisting [1]. Right now, pinging blocklist-dev.allizom.org will result in the following (comment#4):
* Blocklist state for Shockwave Flash changed from 0 to 0
Should we be adding the "24.0.0.194" block under the blocklist-dev.allizom.org staging server so the block can be tested on the other channels that are currently not using kinto?
[1] Results:
* fx51.0.1, buildid: 20170125094131 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx52.0b8, buildid: 20170220070057 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx53.0a2, buildid: 20170223004018 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx54.0a1, buildid: 20170223030204 -> extensions.blocklist.url using https://firefox.settings.services.mozilla.com/
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Assignee
Comment 11•8 years ago
After some IRC conversation, it looks like the staged changes on Kinto aren't propagated to the AMO XML on stage. This limits testing because the kinto settings are only the defaults on Nightly at the moment and we should test these blocks on release. For now, I think we can live with this, but I'd like us to be able to test this better in the future.
Flags: needinfo?(jorge)
Comment 12•8 years ago
So, Firefox isn't going to block vulnerable plugins anymore?
Comment 13•8 years ago
(In reply to blud from comment #12)
> So, Firefox isn't going to block vulnerable plugins anymore?
We're still going to be blocking vulnerable plugins. The above conversation is about the staging server which houses the blocks for testing/QA purposes before it lands into the production servers.
Comment 14•8 years ago
> This limits testing because the kinto settings are only the defaults on Nightly at the moment and we should test these blocks on release.
This is not accurate; all Firefox versions, previous and future, are using the same XML file served by Kinto.
If you want to try the changes, you change the proper blocklist collection in the kinto-admin and then you ask for a review.
firefox.settings is behind a CDN, so it can take a while before seeing an update. If you want a result that is not cached, you can access it from there:
https://settings.prod.mozaws.net/v1/preview/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/51.0.1/Firefox/20170125094131/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/release/
And I can see "24.0.0.194" in that file.
You can also access your changes directly by looking at the JSON collections:
- https://settings.prod.mozaws.net/v1/buckets/blocklists-preview/collections/addons/records
- https://settings.prod.mozaws.net/v1/buckets/blocklists-preview/collections/plugins/records
> The above conversation is about the staging server which houses the blocks for testing/QA purposes before it lands into the production servers.
The current flow is not to test with the staging environment anymore.
Now you file your changes in production and use the review workflow there with the preview bucket to try your changes before approving them.
Comment 15•8 years ago
> The current flow is not to test with the staging environment anymore.
However you can still do that if you want.
The kinto-admin in stage is there: https://kinto-writer.stage.mozaws.net/v1/admin/
The public collections are there:
- http://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/addons/records
- http://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/addons/records
The XML is there:
- https://kinto.stage.mozaws.net/v1/preview/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/51.0.1/Firefox/20170125094131/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/release/
Comment 16•8 years ago
The block has just been pushed to prod.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 17•8 years ago
I double checked and ensured that the blocklist is working correctly under Win/macOS. However, Linux is still broken due to bug#1331489.
======================
Win 10 Pro x64: PASSED
======================
Clean installation of 24.0.0.194:
---------------------------------
File: NPSWF32_24_0_0_194.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
Version: 24.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/f77960ca-28f3-4664-994d-2b713d2a1434.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as vulnerable
Upgrading 24.0.0.194 to 24.0.0.221:
-----------------------------------
File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version
Clean installation of 24.0.0.221:
---------------------------------
File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-00-40-04-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version
=========================
macOS 10.12.2 x64: PASSED
=========================
Clean installation of 24.0.0.194:
---------------------------------
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/releases/51.0.1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/f77960ca-28f3-4664-994d-2b713d2a1434.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as vulnerable
Upgrading 24.0.0.194 to 24.0.0.221:
-----------------------------------
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/releases/51.0.1/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version
Clean installation of 24.0.0.221:
---------------------------------
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version
Comment 18•8 years ago
I don't understand. Flash 24.0.0.221 now reports a version field (and that shows up in about:plugins), so it should be possible to block any Flash without a version field and use the new one properly.
Linux (x86-64):
Shockwave Flash
File: libflashplayer.so
Path: /usr/lib64/flash-plugin/libflashplayer.so
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
MIME Type Description Suffixes
application/x-shockwave-flash Shockwave Flash swf
application/futuresplash FutureSplash Player spl
Assignee
Comment 19•8 years ago
Blocking by "no version field" could possibly block future versions if this problem reappears, either by Adobe's fault or our own. We've also never blocked filtering by missing fields, which could lend itself to unexpected bugs.
Assuming users stay mostly up to date, the next block coming up in a couple of weeks should bring them back on track because they'll be using blockable versions. Does that sound reasonable?
Comment 20•8 years ago
Adobe must have fixed the issue with 24.0.0.221. It looks like the version is appearing correctly under about:plugins:
File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0
However with 24.0.0.186 and 24.0.0.194, the version numbers are still missing under about:plugins.
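The state numbers reported in this thread (0, 3, 4) come from matching a plugin's filename and version against the version ranges of a blocklist entry. The following is an added example, not code from the thread or from Firefox: a simplified model of that matching, showing why a range with a vulnerability status yields 4 rather than 3 and why a plugin that reports no version is never matched. The record field names, the numeric-only version compare and the sample record are assumptions.

```javascript
// Simplified model of how a plugin blocklist entry becomes a numeric state.
// State numbers follow the nsIBlocklistService constants seen in the thread.
const STATE = { NOT_BLOCKED: 0, SOFTBLOCKED: 1, BLOCKED: 2, OUTDATED: 3,
                VULNERABLE_UPDATE_AVAILABLE: 4, VULNERABLE_NO_UPDATE: 5 };
const BLOCK_LEVEL = 2; // assumed default of extensions.blocklist.level

// Assumption: plain dotted-numeric compare; Firefox's real comparator
// also handles suffixes such as "a1" or "*".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function inRange(version, range) {
  // A plugin that reports no version cannot match a bounded range
  // (the Linux case in comments 17 to 20).
  if (!version) return !range.minVersion && !range.maxVersion;
  if (range.minVersion && compareVersions(version, range.minVersion) < 0) return false;
  if (range.maxVersion && compareVersions(version, range.maxVersion) > 0) return false;
  return true;
}

function pluginState(plugin, records) {
  for (const rec of records) {
    if (!new RegExp(rec.matchFilename).test(plugin.filename)) continue;
    for (const range of rec.versionRange) {
      if (!inRange(plugin.version, range)) continue;
      if (range.severity >= BLOCK_LEVEL) return STATE.BLOCKED;
      if (range.severity !== 0) return STATE.SOFTBLOCKED;
      if (range.vulnerabilityStatus === 1) return STATE.VULNERABLE_UPDATE_AVAILABLE;
      if (range.vulnerabilityStatus === 2) return STATE.VULNERABLE_NO_UPDATE;
      return STATE.OUTDATED;
    }
  }
  return STATE.NOT_BLOCKED;
}

// Constructed record; field names and values are assumptions for illustration.
const records = [{
  blockID: "p-example", // placeholder, not a real block ID
  matchFilename: "^(NPSWF32.*\\.dll|Flash Player\\.plugin|libflashplayer\\.so)$",
  versionRange: [{ minVersion: "0", maxVersion: "24.0.0.194",
                   severity: 0, vulnerabilityStatus: 1 }],
}];
```

Calling `pluginState({ filename: "libflashplayer.so", version: "" }, records)` returns 0, which is the unblocked Linux result discussed above.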