Bug 22192

Summary: flash-player-plugin security update 28.0.0.126
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dglent, jim, lewyssmith, marja11, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK
Source RPM: flash-player-plugin CVE: CVE-2017-11305
Status comment:

Description Nicolas Salguero 2017-12-14 09:57:22 CET 
Hi,

Version 28.0.0.126 fixes:

A regression affecting Adobe Flash Player version 27.0.0.187 (and earlier versions) causes the unintended reset of the global settings preference file when a user clears browser data. (CVE-2017-11305)

Reference:
https://helpx.adobe.com/security/products/flash-player/apsb17-42.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11305

Best regards,

Nico.
Nicolas Salguero 2017-12-14 09:58:21 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO
Source RPM: (none) => flash-player-plugin
CVE: (none) => CVE-2017-11305

Comment 1 Marja Van Waes 2017-12-14 10:02:25 CET 
Thanks for the report.
Assigning to the maintainer.

CC: (none) => marja11
Assignee: bugsquad => anssi.hannula

Comment 2 Manuel Hiebel 2017-12-19 21:54:41 CET 
current version of flash isn't working anymore
Downloading from http://linuxdownload.adobe.com/linux/x86_64/flash-player-ppapi-27.0.0.187-release.x86_64.rpm:                                                          
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                                                                         
                                 Dload  Upload   Total   Spent    Left  Speed                                                                                           
100   259  100   259    0     0    786      0 --:--:-- --:--:-- --:--:--  1282
Error: Unable to download Flash Player. This is likely due to this package
Comment 3 Nicolas Salguero 2017-12-20 14:01:41 CET 
Suggested advisory:
========================

Updated packages fix a security vulnerability:

A regression affecting Adobe Flash Player version 27.0.0.187 (and earlier versions) causes the unintended reset of the global settings preference file when a user clears browser data. (CVE-2017-11305)

References:
https://helpx.adobe.com/security/products/flash-player/apsb17-42.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11305
========================

Updated packages in 5/core/updates_testing:
========================
flash-player-plugin-28.0.0.126-1.mga5.nonfree
flash-player-plugin-kde-28.0.0.126-1.mga5.nonfree

from SRPMS:
flash-player-plugin-28.0.0.126-1.mga5.nonfree.src.rpm

Updated packages in 6/core/updates_testing:
========================
flash-player-plugin-28.0.0.126-1.mga6.nonfree

from SRPMS:
flash-player-plugin-28.0.0.126-1.mga6.nonfree.src.rpm

Version: Cauldron => 6
Assignee: anssi.hannula => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 4 Len Lawrence 2017-12-20 23:25:51 CET 
Installed the plugin and checked the version via about:plugins in firefox.
It is very difficult to find flash videos online, or rather to be certain that a video is flash.  The Adobe customer showcase does not seem to be there any more.  However there are test sites such as these:

https://www.adobe.com/shockwave/welcome/
https://adobe-flash-player.en.softonic.com/video/adobe-flash-player-what-flash-player-version-do-i-have-installed-20443
https://www.flashtester.org/

These showed that the plugin is working.  Take heart from the announcement that Adobe are killing it off in 2020.

OK for Mageia 5, 64-bit.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => tarazed25

Comment 5 James Kerr 2017-12-21 11:58:43 CET 
on mga5-32 (in a vbox VM)

package installed cleanly:
- flash-player-plugin-28.0.0.126-1.mga5.nonfree.i586

Confirmed latest version installed at
https://helpx.adobe.com/flash-player.html

OK for mga5-32

CC: (none) => jim
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 6 James Kerr 2017-12-21 12:19:48 CET 
on mga6-64

package installed cleanly
- flash-player-plugin-28.0.0.126-1.mga6.nonfree.x86_64

Confirmed latest version installed at
https://helpx.adobe.com/flash-player.html

OK for mga6-64

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK

Comment 7 Lewis Smith 2017-12-21 13:17:50 CET 
Also testing M6/64, post update: flash-player-plugin-28.0.0.126-1.mga6.nonfree

Tried the URLs shown in comment 4, which led to a useful couple more:-
 https://helpx.adobe.com/flash-player.html
 https://www.adobe.com/swf/software/flash/about/flashAbout_info_small.swf

The folowing URL was *not* convincing, showing the previous version:
 https://adobe-flash-player.en.softonic.com/video/adobe-flash-player-what-flash-player-version-do-i-have-installed-20443

Otherwise everything showed the correct version & that it seems to work.
Oking & validating, + advisory.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Dimitrios Glentadakis 2017-12-21 18:54:43 CET 
I tested in mga6 64bits with success

CC: (none) => dglent

Comment 9 Mageia Robot 2017-12-21 19:19:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0462.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED