
Re: flashplugin-nonfree and latest Flash security updates



On Mon, Aug 01, 2016 at 08:25:01AM -0700, Darren S. wrote:
> Greetings,
> 
> There are aspects of the flashplugin-nonfree package I am hoping to
> understand better in respect to installing the latest security updates
> for the Adobe Flash plugin on a Debian host.
> 
> Debian GNU/Linux 8.5 (jessie)
> firefox-esr 45.2.0esr-1~deb8u1 amd64
> flashplugin-nonfree 1:3.6.1 amd64
> 
> 'update-flashplugin-nonfree --status' shows a newer release of the
> plugin upstream.
> 
> 
> options :  --verbose --status --
> temporary directory: /tmp/flashplugin-nonfree.65hpQUuxtV
> importing public key ...
> selected action = --status
> Flash Player version installed on this system  : 11.2.202.626
> Flash Player version available on upstream site: 22.0.0.209

That is now 11.2.202.632. You may need to delete
/var/cache/flashplugin-nonfree/get-upstream-version.pl and try again. I'm
considering doing an upload of flashplugin-nonfree to delete that old
get-upstream-version.pl from the cache. The cause was that Adobe now suddenly
starts distributing 22.* as well, and that Adobe's website returns the 22.* or
11.* version as the newest available version depending on the user agent of the
browser. The fix was to modify get-upstream-version.pl to use the user agent
string of Firefox in stretch, so the 11.* version is returned.

> flash-mozilla.so - auto mode
>   link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
> /usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
> Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
> end of action --status
> cleaning up temporary directory /tmp/flashplugin-nonfree.65hpQUuxtV ...
> end of update-flashplugin-nonfree
> 
> 
> http://www.adobe.com/software/flash/about/ confirms that this
> 11.2.202.626 version is installed and shows the latest supported
> package for this system (Linux, Firefox - NPAPI (Extended Support
> Release) 11.2.202.632 (slightly newer, 632 > 626). Flash objects in
> Firefox are also replaced with the warning dialog noting that the
> Flash plugin is outdated.

Well, if Firefox rejects 11.2.202.632, which is the newest version for Firefox,
then there is currently no Flash Player for Firefox.

> 
> 
> 'update-flashplugin-nonfree --install' however does not result in the
> most recent update being installed:
> 
> 
> options :  --verbose --install --
> temporary directory: /tmp/flashplugin-nonfree.1LM79N9U0I
> importing public key ...
> selected action = --install
> installed version = 11.2.202.626
> upstream version = 22.0.0.209
> wgetoptions= -nd -P .   -v --progress=dot:default
> downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc

It attempts to proceed for 22.0.0.209... See above about trying again.

> ...
> --2016-08-01 07:53:23--
> http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
> Resolving people.debian.org (people.debian.org)... 5.153.231.30,
> 2001:41c8:1000:21::21:30
> Connecting to people.debian.org
> (people.debian.org)|5.153.231.30|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
> [following]
> --2016-08-01 07:53:24--
> https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
> Connecting to people.debian.org
> (people.debian.org)|5.153.231.30|:443... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2016-08-01 07:53:24 ERROR 404: Not Found.
> 
> wget failed to download
> http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
> downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
> ...
> --2016-08-01 07:53:24--
> http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc

Still falling back to the old fp10 files...

> Resolving people.debian.org (people.debian.org)... 5.153.231.30,
> 2001:41c8:1000:21::21:30
> Connecting to people.debian.org
> (people.debian.org)|5.153.231.30|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
> [following]
> --2016-08-01 07:53:25--
> https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
> Connecting to people.debian.org
> (people.debian.org)|5.153.231.30|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1250 (1.2K) [text/plain]
> Saving to: ‘./fp10.sha512.amd64.pgp.asc’
> 
>      0K .                                                     100%  254K=0.005s
> 
> 2016-08-01 07:53:25 (254 KB/s) - ‘./fp10.sha512.amd64.pgp.asc’ saved [1250/1250]
> 
> verifying PGP fp10.sha512.amd64.pgp.asc ...
> copying /var/cache/flashplugin-nonfree/install_flash_player_11_linux.x86_64.tar.gz
> ...
> verifying checksum install_flash_player_11_linux.x86_64.tar.gz ...
> wgetoptions= -nd -P .   -v --progress=dot:default  -O
> /tmp/flashplugin-nonfree.1LM79N9U0I/install_flash_player_11_linux.x86_64.tar.gz
> downloading https://fpdownload.adobe.com/get/flashplayer/pdc/11.2.202.626/install_flash_player_11_linux.x86_64.tar.gz

And that should be 11.2.202.632 now. I've updated the fp10 checksum files just
a minute ago.

> ...
> verifying checksum install_flash_player_11_linux.x86_64.tar.gz ...
> unpacking install_flash_player_11_linux.x86_64.tar.gz ...
> verifying checksum contents of install_flash_player_11_linux.x86_64.tar.gz ...
> moving libflashplayer.so to /usr/lib/flashplugin-nonfree ...
> setting permissions and ownership of
> /usr/lib/flashplugin-nonfree/libflashplayer.so ...
> Flash Player version: 11.2.202.626
> moving install_flash_player_11_linux.x86_64.tar.gz to
> /var/cache/flashplugin-nonfree ...
> flash-mozilla.so - auto mode
>   link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
> /usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
> Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
> calling update-alternatives ...
> flash-mozilla.so - auto mode
>   link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
> /usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
> Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
> removing /usr/bin/flash-player-properties
> removing /usr/share/applications/flash-player-properties.desktop
> removing /usr/share/icons/hicolor/16x16/apps/flash-player-properties.png
> removing /usr/share/icons/hicolor/22x22/apps/flash-player-properties.png
> removing /usr/share/icons/hicolor/24x24/apps/flash-player-properties.png
> removing /usr/share/icons/hicolor/32x32/apps/flash-player-properties.png
> removing /usr/share/icons/hicolor/48x48/apps/flash-player-properties.png
> removing /usr/share/pixmaps/flash-player-properties.png
> installing /usr/bin/flash-player-properties
> installing /usr/share/applications/flash-player-properties.desktop
> installing /usr/share/icons/hicolor/16x16/apps/flash-player-properties.png
> installing /usr/share/icons/hicolor/22x22/apps/flash-player-properties.png
> installing /usr/share/icons/hicolor/24x24/apps/flash-player-properties.png
> installing /usr/share/icons/hicolor/32x32/apps/flash-player-properties.png
> installing /usr/share/icons/hicolor/48x48/apps/flash-player-properties.png
> installing /usr/share/pixmaps/flash-player-properties.png
> end of action --install
> cleaning up temporary directory /tmp/flashplugin-nonfree.1LM79N9U0I ...
> end of update-flashplugin-nonfree
> 
> 
> It appears that the updated Flash plugin version fails to be
> fetched/verified because of a 404 on the Debian server. This updated
> version doesn't appear to be the one that would work with Firefox on
> Linux anyway, as that would be 11.2.202.632. However when
> update-flashplugin-nonfree fetches and installs an 11.x version, it
> drops in the slightly older 11.2.202.626 version which is still
> considered vulnerable in the browser.
> 
> Is there a way for this to be corrected?

Yes, see above.

Regards,

Bart Martens
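
Added example, not part of the original message and not code from the flashplugin-nonfree package: a small audit of verbose `update-flashplugin-nonfree` output that flags the three symptoms discussed in this thread (upstream lookup returning the 22.* branch, fallback to the fp10 checksum file, and a run that ends on the version it started with). The finding names and the `audit` function are hypothetical; the sample lines are copied from the output quoted above.

```python
import re

# Constructed sample: lines taken from the --status/--install output quoted above.
SAMPLE_LOG = """\
> Flash Player version installed on this system  : 11.2.202.626
> Flash Player version available on upstream site: 22.0.0.209
> installed version = 11.2.202.626
> upstream version = 22.0.0.209
> downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp.22.0.0.209.sha512.amd64.pgp.asc
> HTTP request sent, awaiting response... 404 Not Found
> downloading http://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc
> Flash Player version: 11.2.202.626
"""

VER = r"(\d+(?:\.\d+){3})"
FIELDS = {
    "installed": re.compile(r"(?:installed on this system\s*:|installed version =)\s*" + VER),
    "upstream": re.compile(r"(?:available on upstream site:|upstream version =)\s*" + VER),
    "result": re.compile(r"^Flash Player version:\s*" + VER),
}
CHECKSUM_FILE = re.compile(r"downloading \S+/(fp\S*\.pgp\.asc)$")


def audit(log):
    """Return finding codes (hypothetical names) for one verbose updater run."""
    seen, checksum_files = {}, []
    for raw in log.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted lines
        for name, pattern in FIELDS.items():
            m = pattern.search(line)
            if m:
                seen[name] = m.group(1)
        m = CHECKSUM_FILE.search(line)
        if m:
            checksum_files.append(m.group(1))

    findings = []
    inst, up, res = (seen.get(k) for k in ("installed", "upstream", "result"))
    # Upstream lookup answered with a different release branch (22.* vs 11.*).
    if inst and up and inst.split(".")[0] != up.split(".")[0]:
        findings.append("branch-mismatch")
    # More than one checksum file was requested and the last one is the fp10 file.
    if len(checksum_files) > 1 and checksum_files[-1].startswith("fp10."):
        findings.append("checksum-fallback")
    # The run ended on the version it started with although upstream differed.
    if inst and up and res and res == inst and up != inst:
        findings.append("no-upgrade")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```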

