prod Adobe Shockwave version update outdated should be vulnerable for

8 years ago

(Reporter: ozten, Unassigned)
(2 attachments)
Email from dveditz

"The Register[1] article notes the Adobe Shockwave version is out of
date. Of all days, Adobe released the new one today![2] When I
checked on Sunday was still the latest offered from

Maybe Goodin got a beta copy? Seems like he would have noticed or
mentioned updating if it was just released today. Given the data in
the directory I don't know how the Opera/Safari versions would have
told him 11.5.7 was the latest unless he already had that installed.
Non-Firefox plugin checks use the same database, right?

I've updated the plugin db with the new release. When I re-check it
now tells me my plugin is outdated, but it's not telling me I'm
vulnerable nor linking to the vulnerability url I added. Did I do it
wrong, or do we just not yet make a distinction between vulnerable
and outdated versions even though the database supports it?"

Comment 1

(In reply to comment #0)
1) What browser and OS?

2) Can you verify that your data is in prod? It's possible you hit "save" and it said "saving" and then "failed save". This would explain the issue. I do see 2 releases for 11.5.7, is that your successful update?
Comment 2

On the live plugin site it does tell me that my 11.5.6 is "outdated", so it's seeing the version update from 11.5.6 to 11.5.7 (earlier it said 11.5.6 was up to date).

Comment 3

Mystery perhaps solved: in a Shiretoko build (without a .version field) the 11.5.6 version is listed as "vulnerable". My more recent build has a version string that says "11.5.6r606" -- it must be trying to match that rather than the description field it uses in earlier versions. It has to match exactly to trigger the "vulnerable" status? If so does that mean we need both an 11.5.6 version to match older Firefoxes and a 11.5.6r606 (or would that be to match newer Firefoxes? or is the problem simply that is > 11.5.6 and therefore not known to be vulnerable?
Is the vulnerability URL supposed to show up anywhere? Could we make the word "vulnerable" into a link using that URL?

Comment 4

(In reply to comment #2)
Sorry, can you look at;edit and comment on if your edits were saved?

I will set up my dev env for
What browser and OS versions?

(In reply to comment #3)
For vulnerable, only the color changes. I think the call to action on the right is the update url.

Showing the vulnerable URL... this would be the security disclosure site? Is that something that would be valuable to our users? We hide a lot of technical info, as it isn't a good user experience.

Comment 5

(In reply to comment #4)
I've added a release onto stage.
There is a bug in my code that isn't letting "other" releases show up as vulnerable.

I'll work on a fix to this. (Basing repro on Windows 7, Fx 3.6.3, Director

Comment 6

The issue I was seeing was if the latest release that is matched is older than the vulnerable version number, we would mark the plugin as current.

I've fixed this bug on www-trunk.
Sending        js/plugincheck.js
Sending        js/plugincheck_badge.j
Transmitting file data ..
Committed revision 67111.

(In reply to comment #2)
Please see for how I set up the vulnerable release, which fixes Fx 3.6+.

Please give me more OS and Browser combos that have an issue.
Comment 7

Created attachment 444931 [details]
Post-fix screenshot, on Windows
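The classification rule comment 6 describes (a vulnerable release must win over whichever "latest" record happens to match), written out as an added example; this is not Mozilla's plugincheck.js, and the release list, the advisory URL and the decision to ignore build tags such as "r606" when ordering versions are this example's own assumptions.

```javascript
// Added example, not plugincheck.js: classify a detected plugin version
// as latest / outdated / vulnerable against a release list.

// Parse "11.5.6r606" into numeric parts [11, 5, 6] plus a build tag.
function parseVersion(s) {
  const m = /^(\d+(?:\.\d+)*)(.*)$/.exec(String(s).trim());
  return m ? { parts: m[1].split('.').map(Number), tag: m[2] } : null;
}

// Order by numeric parts only; missing parts count as 0 (11.5 == 11.5.0)
// and the build tag is ignored, so 11.5.6r606 sorts equal to 11.5.6.
// (Assumption of this example; the thread asks whether it should be so.)
function compareVersions(a, b) {
  const pa = (parseVersion(a) || { parts: [] }).parts;
  const pb = (parseVersion(b) || { parts: [] }).parts;
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Vulnerable releases are checked first: anything at or below a release
// flagged vulnerable is vulnerable, regardless of which record matched it.
// Only then is the newest "latest" release used to decide latest/outdated.
function classifyPlugin(detected, releases) {
  const byNewest = (x, y) => compareVersions(y.version, x.version);
  const vulnerable = releases.filter(r => r.status === 'vulnerable').sort(byNewest);
  const hit = vulnerable.find(r => compareVersions(detected, r.version) <= 0);
  if (hit) return { status: 'vulnerable', vulnerability_url: hit.vulnerability_url };
  const latest = releases.filter(r => r.status === 'latest').sort(byNewest)[0];
  if (!latest || compareVersions(detected, latest.version) >= 0) {
    return { status: 'latest' };
  }
  return { status: 'outdated' };
}

// Constructed release data modelled on the thread; the URL is a placeholder.
const SHOCKWAVE_RELEASES = [
  { version: '11.5.7', status: 'latest' },
  { version: '11.5.6', status: 'vulnerable',
    vulnerability_url: 'https://example.invalid/shockwave-advisory' },
];
```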

Comment 8

on stage and in prod now.

Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 9

Updating prod plugins.m.o

New Release
    * status: "latest"
    * vulnerability_url:
    * version: ""
    * detected_version: ""
    * detection_type: "*"
    * os_name: "*"
    * platform: {
          o app_id: "*"
          o app_release: "*"
          o app_version: "*"
          o locale: "*"
      }

Comment 10

Created attachment 445162 [details]
Post-fix screenshot, on production
Verified FIXED!
OS: Mac OS X → All
Hardware: x86 → All