Closed Bug 1154397 Opened 9 years ago Closed 9 years ago

Plugincheck Database - Review and correct Adobe Flash Player 17.0.0.169 (win & mac) and 11.2.202.457 (lin) version vs 17.0.0.134(win & mac) and 11.2.202.451(lin)

Categories

(Plugin Check Graveyard :: Database, defect)

RESOLVED FIXED

People

(Reporter: guigs, Unassigned)

Attachments

(1 file)

Summary:
As the 'Plugincheck Database' has an entry for 
Until this is corrected the inaccurate report will continue.

Security Update: "Adobe is aware of a report that an exploit for CVE-2015-3043 exists in the wild, and recommends users update their product installations to the latest versions: "

Background:
Security bulletin url: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
Flagging web ops
Summary: Plugincheck Database - Review and correct Adobe Flash Player 17.0.0.169 (win) and 11.2.202.457 (lin) version vs 17.0.0.134(win) and 11.2.202.451(lin) → Plugincheck Database - Review and correct Adobe Flash Player 17.0.0.169 (win & mac) and 11.2.202.457 (lin) version vs 17.0.0.134(win & mac) and 11.2.202.451(lin)
Changes have been made to mark the older version: 
Vulnerable -> Adobe Flash Player 17.0.0.169 (win & mac) 
Vulnerable -> 11.2.202.457 (lin)

Latest-> 17.0.0.134(win & mac)
Latest-> 11.2.202.451(lin) (edit)

May I confirm another admin to test the changes?
Correction:
Latest -> Adobe Flash Player 17.0.0.169 (win & mac) 
Latest-> 11.2.202.457 (lin)

Vulnerable-> 17.0.0.134(win & mac)
Vulnerable-> 11.2.202.451(lin) (edit)
Updated in the new backend of plugins as well
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Thanks for updating the Plugincheck Database.

I can confirm that Plugincheck
https://www.mozilla.org/en-US/plugincheck/

is correctly showing

"Adobe Flash Player" "17.0.0.134" as "vulnerable", with the red "Update Now" button.

Tested with Windows 7 64bit OS,
Firefox (32bit) Developer Edition 39.0a2 (2015-04-14).

Are you also going to alter the Plugincheck Database for Adobe Flash ESR?

https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
> Users of the Adobe Flash Player Extended Support Release
> should update to Adobe Flash Player 13.0.0.281

DJ-Leith
Flags: needinfo?(rmcguigan)
-> Added the latest 13.0.0.281 entries for Extended Version As Well however the previous version 13.0.0.277 for Extended Release Version, is it shown as vulnerable?
Flags: needinfo?(rmcguigan) → needinfo?(dj.4bug)
"Plugincheck-JSON-List-with-line-numbers-2015-05-11.txt"

In bug 1154410 comment # 5 Mark Schmidt (:marksc) on 2015-05-01 at 11:04:22 PDT wrote: 

> Note: That page is updated much more frequently than bugzilla would suggest.
> The current change process for that page is very informal. This will likely change
> for the better in the near future.

I think "That page", in the above comment, is 'the Plugincheck Database'.

I think a more formal record, of changes to the Plugincheck Database,
would be a good idea.

(In reply to rmcguigan from comment #6)
> -> Added the latest 13.0.0.281 entries for Extended Version As Well 
> however the previous version 13.0.0.277 for Extended Release Version, 
> is it shown as vulnerable?

Thanks for adding the record, rmcguigan.

I think you are asking me: 'DJ-Leith please can you test this to confirm
that the Flash ESR is tested at the Plugincheck Website correctly'.

I am sorry I can't do that because I don't have 'Flash ESR'.

However, I can look at the 'JSON List' and I can make the following
observations.

1. I can see the 'Flash ESR' that you added:

> 0008  */
>            *** Thirty lines added here
>            ***
>            ***  URL: https://plugins.mozilla.org/en-us/plugins_list.json
>            ***    Date: 2015-05-11  Time: approx 12:30 BST, (2015-05-11 04:30:00 PDT)
>            ***  Browser: Fx Aurora (AKA Firefox Development Edition) 39.0a2 (2015-05-10)

> 0562               'status': 'latest',
> 0563               'version': '13.0.0.281',
> 0564               'detected_version': '13.0.0.281',
> 0565               'detection_type': 'original',
> 0566               'os_name': 'win',
> 0567               'platform': {
> 0568                 'app_id': '*',
> 0569                 'app_release': 'Extended Release Version',
> 0570                 'app_version': '*',
> 0571                 'locale': '*'

However, in my opinion, it should be called "Extended Support Release",
in line 0569, which is the 'way Adobe name it' [1] (and ESR is a common abbreviation).

2. The 'previous Flash ESR version', if it were in the Plugincheck Database,
would be Flash 13.0.0.277.

I can NOT find it in the 'JSON List' today.

I think the best thing would be to add a record for
Flash 13.0.0.277 "Extended Support Release"
and then mark it "vulnerable".

However, before you do that it would be wise to check with both Mark Schmidt
and Schalk Neethling.

FAO Schalk Neethling, three questions:

1. Is the 'generate the JSON List' part of the 'Plugincheck Service' able to
generate data for Flash ESR as well as Flash for normal release?

2. Can the 'Plugincheck Website' correctly detect and distinguish between
'Flash ESR' vs 'Flash for normal release'?

3. How would you (Mozilla) test this / have tests been done in the past?

FAO Mark Schmidt
I am 'just making suggestions', you should be making the decisions.


References:
[1] https://helpx.adobe.com/security/products/flash-player/apsb15-06.html


In bug 1124654 comment # 24
"(CVE-2015-0311) Blocklist request for flash 0days affecting
version 16.0.0.287, 13.0.0.262, and 11.2.202.438"

juan becerra [:juanb]
did some 'Flash tests including Flash ESR' prior to the 'blocklist going live'.

In bug 1128534 comment # 13
"(CVE-2015-0313) Blocklist flash 16.0.0.296 and earlier versions"

Kamil Jozwiak [:kjozwiak]
did some 'Flash tests', and found a bug using e10s, prior to the 'blocklist going live'.

Perhaps someone could ask one of them to help with tests?

DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(mschmidt)
Flags: needinfo?(dj.4bug)
FAO Schalk Neethling, three questions:

1. Is the 'generate the JSON List' part of the 'Plugincheck Service' able to
generate data for Flash ESR as well as Flash for normal release?

They are bundled together.

2. Can the 'Plugincheck Website' correctly detect and distinguish between
'Flash ESR' vs 'Flash for normal release'?

It does not distinguish at the moment but just checks whether the installed version is in either the list of vulnerable, latest or outdated versions. If not found in any of these, it then checks whether the version is greater than the known absolutely latest, in which case it is newer, or whether it is older, in which case it is probably not in the database and just outdated.

3. How would you (Mozilla) test this / have tests been done in the past?

I do have some VMs where I run older versions of Firefox on Windows that I use to test, as well as installing older version of plugins, where possible.
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(mschmidt)
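The lookup described in the answer to question 2, plus a consistency check that would have caught the swapped "Vulnerable"/"Latest" entries corrected earlier in this bug, as an added example; this is not Plugincheck's own code. The record fields mirror the quoted JSON list, the version strings are the ones named in this bug, and the function names and the ESR `app_release` label are assumptions.

```javascript
// Added illustration, not Plugincheck's code. Records mirror the fields of the
// quoted JSON list; versions are those named in this bug (constructed sample).
const FLASH_RECORDS = [
  { status: 'latest',     version: '17.0.0.169',   os_name: 'win', platform: { app_release: '*' } },
  { status: 'vulnerable', version: '17.0.0.134',   os_name: 'win', platform: { app_release: '*' } },
  { status: 'latest',     version: '11.2.202.457', os_name: 'lin', platform: { app_release: '*' } },
  { status: 'vulnerable', version: '11.2.202.451', os_name: 'lin', platform: { app_release: '*' } },
  { status: 'latest',     version: '13.0.0.281',   os_name: 'win', platform: { app_release: 'Extended Support Release' } },
];

// Dotted-version comparator (numeric per component): <0, 0 or >0 as Array.sort expects.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The lookup as described above: an exact match returns its status; otherwise the
// installed version is compared with the highest 'latest' version for that OS.
// Release stream (ESR vs normal) plays no part, so an unlisted 13.0.0.277 ESR is 'outdated'.
function classify(records, osName, installed) {
  const forOs = records.filter(r => r.os_name === osName);
  const hit = forOs.find(r => r.version === installed);
  if (hit) return hit.status;
  const newest = forOs.filter(r => r.status === 'latest').map(r => r.version)
                      .sort(compareVersions).pop();
  if (newest === undefined) return 'unknown';
  return compareVersions(installed, newest) > 0 ? 'newer' : 'outdated';
}

// Sanity check for the database edit itself: within one OS and release stream a
// 'vulnerable' version must never be newer than a 'latest' one. The first edit in
// this bug (17.0.0.169 vulnerable, 17.0.0.134 latest) would trip this check.
function findInvertedEntries(records) {
  const problems = [];
  for (const v of records.filter(r => r.status === 'vulnerable')) {
    for (const l of records.filter(r => r.status === 'latest')) {
      if (l.os_name === v.os_name &&
          l.platform.app_release === v.platform.app_release &&
          compareVersions(v.version, l.version) > 0) {
        problems.push(`${v.version} (${v.os_name}) is vulnerable but newer than latest ${l.version}`);
      }
    }
  }
  return problems;
}
```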