prod Adobe Shockwave version update outdated should be vulnerable for 11.5.6.606

Status: VERIFIED FIXED
Website: plugins.mozilla.org
Reported / last modified: 8 years ago

People: Reporter ozten, Unassigned

Attachments: 2 attachments

(Reporter)

Description

8 years ago
Email from dveditz

"The Register[1] article notes the Adobe Shockwave version is out of
date. Of all days, Adobe released the new one today![2] When I
checked on Sunday 11.5.6.606 was still the latest offered from
adobe.com.

Maybe Goodin got a beta copy? Seems like he would have noticed or
mentioned updating if it was just released today. Given the data in
the directory I don't know how the Opera/Safari versions would have
told him 11.5.7 was the latest unless he already had that installed.
Non-Firefox plugin checks use the same database, right?

I've updated the plugin db with the new release. When I re-check it
now tells me my plugin is outdated, but it's not telling me I'm
vulnerable nor linking to the vulnerability url I added. Did I do it
wrong, or do we just not yet make a distinction between vulnerable
and outdated versions even though the database supports it?"
(Reporter)

Comment 1

8 years ago
(In reply to comment #0)
1) What browser and OS?

2) Can you verify that your data is in prod? It's possible you hit "save" and it said "saving" and then "failed save". This would explain the issue. I do see 2 releases for 11.5.7, is that your successful update?

On the live plugin site it does tell me that my 11.5.6 is "outdated", so it's seeing the version update from 11.5.6 to 11.5.7 (earlier it said 11.5.6 was up to date).

Mystery perhaps solved: in a Shiretoko build (without a .version field) the 11.5.6 version is listed as "vulnerable". My more recent build has a version string that says "11.5.6r606" -- it must be trying to match that rather than the description field it uses in earlier versions. It has to match exactly to trigger the "vulnerable" status? If so, does that mean we need both an 11.5.6 version to match older Firefoxes and a 11.5.6r606 (or would that be 11.5.6.606?) to match newer Firefoxes? Or is the problem simply that 11.5.6.606 is > 11.5.6 and therefore not known to be vulnerable?

Is the vulnerability URL supposed to show up anywhere? Could we make the word "vulnerable" into a link using that URL?
(Reporter)

Comment 4

8 years ago
(In reply to comment #2)
Sorry, can you look at https://plugins.mozilla.org/en-us/plugins/detail/shockwave-director;edit and comment on if your edits were saved?

I will set up my dev env for 11.5.6.606.
What browser and OS versions?

(In reply to comment #3)
For vulnerable, only the color changes. I think the call to action on the right is the update url.

Showing the vulnerable URL... this would be the security disclosure site? Is that something that would be valuable to our users? We hide a lot of technical info, as it isn't a good user experience.
(Reporter)

Comment 5

8 years ago
(In reply to comment #4)
I've added an 11.5.6.606 release onto stage.
There is a bug in my code that isn't letting "other" releases show up as vulnerable.

I'll work on a fix to this. (Basing repro on Windows 7, Fx 3.6.3, Director 11.5.6.606).
(Reporter)

Comment 6

8 years ago
The issue I was seeing was if the latest release that is matched is older than the vulnerable version number, we would mark the plugin as current.

I've fixed this bug on www-trunk.
Sending        js/plugincheck.js
Sending        js/plugincheck_badge.j
Transmitting file data ..
Committed revision 67111.

(In reply to comment #2)
Please see plugins.stage.mozilla.com for how I set up the vulnerable release, which fixes Fx 3.6+.

Please give me more OS and Browser combos that have an issue.
Created attachment 444931 [details]
Post-fix screenshot, on Windows
(Reporter)

Comment 8

8 years ago
on stage and in prod now.
(Reporter)

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Reporter)

Comment 9

8 years ago
Updating prod plugins.m.o

New Release
    * status: "latest"
    * vulnerability_url: http://www.adobe.com/support/security/bulletins/apsb10-12.html
    * version: "11.5.6.606"
    * detected_version: "11.5.6.606"
    * detection_type: "*"
    * os_name: "*"
    * platform: {
          app_id: "*"
          app_release: "*"
          app_version: "*"
          locale: "*"
      }
Created attachment 445162 [details]
Post-fix screenshot, on production
Verified FIXED!
Status: RESOLVED → VERIFIED
OS: Mac OS X → All
Hardware: x86 → All
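To make the outdated-versus-vulnerable distinction from this thread concrete, here is an added JavaScript illustration (not Mozilla's plugincheck.js) of a current / outdated / vulnerable decision over release records shaped like the one in comment 9, handling the "11.5.6r606" versus "11.5.6.606" matching question from comment 1 and the ordering problem from comment 6. The release table, the 11.5.6.500 and 11.5.6.700 sample versions, the use of "11.5.7" without a build number, and the rule that anything at or below a known-vulnerable release is treated as vulnerable are assumptions.

```javascript
// Added illustration, not the plugincheck.js code this bug was fixed in.
// Release records are constructed after the fields shown in comment 9.

// Normalise "11.5.6.606" and the "11.5.6r606" form newer Firefox reports
// into an array of integers so both compare as the same version.
function parseVersion(s) {
  return String(s).split(/[.r]/).map(function (p) { return parseInt(p, 10) || 0; });
}

// Field-by-field numeric comparison; a missing field counts as 0, so
// "11.5.6" sorts below "11.5.6.606". Returns -1, 0 or 1.
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < Math.max(pa.length, pb.length); i++) {
    var x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed release table; the 11.5.7 build number is not on the page.
var RELEASES = [
  { status: "latest", version: "11.5.7", vulnerability_url: null },
  { status: "vulnerable", version: "11.5.6.606",
    vulnerability_url: "http://www.adobe.com/support/security/bulletins/apsb10-12.html" }
];

// Decide the badge for a detected version. The known-vulnerable check runs
// first and covers every version at or below a vulnerable release, so a
// stale or too-old "latest" record can never promote a vulnerable plugin
// to "current" (the failure mode described in comment 6). The returned
// url is what a "vulnerable" badge could link to (comment 1's request).
function classify(detected, releases) {
  var vuln = releases.filter(function (r) {
    return r.status === "vulnerable" && compareVersions(detected, r.version) <= 0;
  })[0];
  if (vuln) return { status: "vulnerable", url: vuln.vulnerability_url };

  var latest = releases.filter(function (r) { return r.status === "latest"; })
    .sort(function (a, b) { return compareVersions(b.version, a.version); })[0];
  if (latest && compareVersions(detected, latest.version) >= 0) {
    return { status: "current", url: null };
  }
  return { status: "outdated", url: null };
}
```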