
flashplugin-nonfree and latest Flash security updates



Greetings,

There are aspects of the flashplugin-nonfree package I am hoping to
understand better in respect to installing the latest security updates
for the Adobe Flash plugin on a Debian host.

Debian GNU/Linux 8.5 (jessie)
firefox-esr 45.2.0esr-1~deb8u1 amd64
flashplugin-nonfree 1:3.6.1 amd64

'update-flashplugin-nonfree --status' shows a newer release of the
plugin upstream.


options :  --verbose --status --
temporary directory: /tmp/flashplugin-nonfree.65hpQUuxtV
importing public key ...
selected action = --status
Flash Player version installed on this system  : 11.2.202.626
Flash Player version available on upstream site: 22.0.0.209
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
end of action --status
cleaning up temporary directory /tmp/flashplugin-nonfree.65hpQUuxtV ...
end of update-flashplugin-nonfree


http://www.adobe.com/software/flash/about/ confirms that this
11.2.202.626 version is installed and shows the latest supported
package for this system (Linux, Firefox - NPAPI (Extended Support
Release)): 11.2.202.632 (slightly newer, 632 > 626). Flash objects in
Firefox are also replaced with the warning dialog noting that the
Flash plugin is outdated.


'update-flashplugin-nonfree --install' however does not result in the
most recent update being installed:


options :  --verbose --install --
temporary directory: /tmp/flashplugin-nonfree.1LM79N9U0I
importing public key ...
selected action = --install
installed version = 11.2.202.626
upstream version = 22.0.0.209
wgetoptions= -nd -P .   -v --progress=dot:default
downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
...
--2016-08-01 07:53:23--
http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
Resolving people.debian.org (people.debian.org)... 5.153.231.30,
2001:41c8:1000:21::21:30
Connecting to people.debian.org
(people.debian.org)|5.153.231.30|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
[following]
--2016-08-01 07:53:24--
https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
Connecting to people.debian.org
(people.debian.org)|5.153.231.30|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-08-01 07:53:24 ERROR 404: Not Found.

wget failed to download
http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
...
--2016-08-01 07:53:24--
http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
Resolving people.debian.org (people.debian.org)... 5.153.231.30,
2001:41c8:1000:21::21:30
Connecting to people.debian.org
(people.debian.org)|5.153.231.30|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
[following]
--2016-08-01 07:53:25--
https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
Connecting to people.debian.org
(people.debian.org)|5.153.231.30|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1250 (1.2K) [text/plain]
Saving to: ‘./fp10.sha512.amd64.pgp.asc’

     0K .                                                     100%  254K=0.005s

2016-08-01 07:53:25 (254 KB/s) - ‘./fp10.sha512.amd64.pgp.asc’ saved [1250/1250]

verifying PGP fp10.sha512.amd64.pgp.asc ...
copying /var/cache/flashplugin-nonfree/install_flash_player_11_linux.x86_64.tar.gz
...
verifying checksum install_flash_player_11_linux.x86_64.tar.gz ...
wgetoptions= -nd -P .   -v --progress=dot:default  -O
/tmp/flashplugin-nonfree.1LM79N9U0I/install_flash_player_11_linux.x86_64.tar.gz
downloading https://fpdownload.adobe.com/get/flashplayer/pdc/11.2.202.626/install_flash_player_11_linux.x86_64.tar.gz
...
verifying checksum install_flash_player_11_linux.x86_64.tar.gz ...
unpacking install_flash_player_11_linux.x86_64.tar.gz ...
verifying checksum contents of install_flash_player_11_linux.x86_64.tar.gz ...
moving libflashplayer.so to /usr/lib/flashplugin-nonfree ...
setting permissions and ownership of
/usr/lib/flashplugin-nonfree/libflashplayer.so ...
Flash Player version: 11.2.202.626
moving install_flash_player_11_linux.x86_64.tar.gz to
/var/cache/flashplugin-nonfree ...
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
calling update-alternatives ...
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
removing /usr/bin/flash-player-properties
removing /usr/share/applications/flash-player-properties.desktop
removing /usr/share/icons/hicolor/16x16/apps/flash-player-properties.png
removing /usr/share/icons/hicolor/22x22/apps/flash-player-properties.png
removing /usr/share/icons/hicolor/24x24/apps/flash-player-properties.png
removing /usr/share/icons/hicolor/32x32/apps/flash-player-properties.png
removing /usr/share/icons/hicolor/48x48/apps/flash-player-properties.png
removing /usr/share/pixmaps/flash-player-properties.png
installing /usr/bin/flash-player-properties
installing /usr/share/applications/flash-player-properties.desktop
installing /usr/share/icons/hicolor/16x16/apps/flash-player-properties.png
installing /usr/share/icons/hicolor/22x22/apps/flash-player-properties.png
installing /usr/share/icons/hicolor/24x24/apps/flash-player-properties.png
installing /usr/share/icons/hicolor/32x32/apps/flash-player-properties.png
installing /usr/share/icons/hicolor/48x48/apps/flash-player-properties.png
installing /usr/share/pixmaps/flash-player-properties.png
end of action --install
cleaning up temporary directory /tmp/flashplugin-nonfree.1LM79N9U0I ...
end of update-flashplugin-nonfree


It appears that the updated Flash plugin version fails to be
fetched/verified because of a 404 on the Debian server. This updated
version doesn't appear to be the one that would work with Firefox on
Linux anyway, as that would be 11.2.202.632. However, when
update-flashplugin-nonfree fetches and installs an 11.x version, it
drops in the slightly older 11.2.202.626 version which is still
considered vulnerable in the browser.

Is there a way for this to be corrected?

-- 
Darren Spruell
phatbuckett@gmail.com
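
The version comparison done by hand in the message above can be scripted so that a fallback to an older build is caught after every update run. This is an added example, not part of the original post or of the flashplugin-nonfree package; the function names are hypothetical, the sample lines are constructed from the output quoted in the post, and the minimum version 11.2.202.632 is the one the post reports from Adobe's page.

```shell
#!/usr/bin/env bash
# Added example (not from the post): flag an outdated Flash plugin from the
# output of update-flashplugin-nonfree. All function names are hypothetical.

# Constructed sample: the two version lines from the --status output in the post.
SAMPLE_STATUS='Flash Player version installed on this system  : 11.2.202.626
Flash Player version available on upstream site: 22.0.0.209'

# installed_version: print the installed version found in status output on stdin.
installed_version() {
    sed -n 's/^Flash Player version installed on this system *: *\([0-9.]*\).*$/\1/p' |
        head -n 1
}

# version_lt A B: succeed if dotted version A is strictly older than B.
# Uses GNU sort -V, so 11.2.202.626 < 11.2.202.632 < 22.0.0.209.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_flash MIN: read status output on stdin.
# Returns 0 if installed >= MIN, 1 if older than MIN, 2 if no version was found.
check_flash() {
    local min="$1" inst
    inst="$(installed_version)"
    if [ -z "$inst" ]; then
        echo "UNKNOWN: no installed version in status output"
        return 2
    fi
    if version_lt "$inst" "$min"; then
        echo "OUTDATED: installed $inst is older than required $min"
        return 1
    fi
    echo "OK: installed $inst meets required $min"
    return 0
}

# fell_back: succeed if verbose --install output on stdin shows a checksum
# file failing to download, as in the 404 for the versioned file in the post.
fell_back() {
    grep -q '^wget failed to download'
}

# Typical use on the host itself (flags as they appear in the post's output):
#   update-flashplugin-nonfree --status --verbose 2>&1 | check_flash 11.2.202.632
```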

