RE: flashplugin-nonfree and latest Flash security updates
On Mon, 1 Aug 2016 08:25:01 -0700
Darren S. <phatbuckett@gmail.com> wrote:

> There are aspects of the flashplugin-nonfree package I am hoping to
> understand better in respect to installing the latest security updates
> for the Adobe Flash plugin on a Debian host.
[snip]
> It appears that the updated Flash plugin version fails to be
> fetched/verified because of a 404 on the Debian server. This updated
> version doesn't appear to be the one that would work with Firefox on
> Linux anyway, as that would be 11.2.202.632. However when
> update-flashplugin-nonfree fetches and installs an 11.x version, it
> drops in the slightly older 11.2.202.626 version which is still
> considered vulnerable in the browser.
> 
> Is there a way for this to be corrected?

+1

The update-flashplugin-nonfree facility has been broken for several
days now.  It reports the upstream plugin version is 22.0.0.209, but
that is not true - the latest plugin version for Linux systems is
11.2.202.632, as shown at
https://www.adobe.com/products/flashplayer/distribution3.html

The 22.0.0.209 version is for Windows, Mac and potentially also
for Google Chrome on Linux.  IIRC, the Google Chrome version is the new
style PPAPI plugin, whereas Firefox/Iceweasel needs the older NPAPI
technology, so I have not actually run the update cos the last thing I
would want is a plugin which won't work at all.

I have emailed the maintainer (Bart Martens, at his debian.org address)
twice about this (30th July and 1st Aug), but there has been no reply as
yet. Do I need to post to the bug report Francesco mentioned:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820583
rather than emailing Bart directly?

I realise the nonfree plugin is not really supported, but given the
serious (!!!) security implications of running a known-vulnerable Flash
player for a significant time after a fixed version has been released,
and assuming Bart is MIA for some reason, is it possible for the
Security Team to either fix the update, or to make an announcement that
all Debian users should stop using the Adobe player immediately?

Thanks,
Nick
-- 
"Always code as if the person who ends up maintaining your code 
is a violent psychopath who knows where you live."
-- John Woods
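As an added illustration (not code from this thread or from the flashplugin-nonfree package), a small Python check of the kind an admin could run against the installed NPAPI plugin. It uses the version numbers quoted above, and it assumes that libflashplayer.so carries an embedded "LNX a,b,c,d" version banner; the sample binary blob below is constructed for the example.

```python
import re

# Versions from the thread: the fixed Linux NPAPI (Firefox/Iceweasel) plugin,
# and the branch the update tool wrongly reported as "upstream" (22.x is the
# Windows/Mac/PPAPI line, not the NPAPI plugin Firefox on Linux loads).
FIXED_NPAPI_VERSION = "11.2.202.632"
REPORTED_UPSTREAM = "22.0.0.209"

def parse_version(text):
    """Turn '11.2.202.626' or 'LNX 11,2,202,626' into a comparable int tuple."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no 4-part version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(installed, fixed=FIXED_NPAPI_VERSION):
    """'ok' if at/after the fixed NPAPI build, 'vulnerable' if older on the same
    branch, 'wrong-branch' if the major version is not the NPAPI 11.x line."""
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst[0] != fix[0]:
        return "wrong-branch"
    return "ok" if inst >= fix else "vulnerable"

def check_plugin_binary(blob):
    """Find the 'LNX a,b,c,d' banner in the raw plugin bytes (assumption: that is
    how the Linux plugin stamps its version) and classify it. Returns (version, verdict)."""
    m = re.search(rb"LNX \d+,\d+,\d+,\d+", blob)
    if not m:
        return None, "unknown"
    version = m.group().decode().split()[1].replace(",", ".")
    return version, classify(version)

# Constructed sample: a fake libflashplayer.so carrying the older, still-vulnerable
# 11.2.202.626 banner that update-flashplugin-nonfree dropped in.
SAMPLE_BLOB = b"\x7fELF\x02\x01\x01...padding...LNX 11,2,202,626\x00...more"

if __name__ == "__main__":
    print("installed:", check_plugin_binary(SAMPLE_BLOB))
    print("reported upstream:", REPORTED_UPSTREAM, "->", classify(REPORTED_UPSTREAM))
```

On a real host the blob would be the contents of the installed libflashplayer.so; a "wrong-branch" verdict means the version string is not from the NPAPI line at all, which is the mismatch the thread describes.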