Advisory:
============

Adobe Flash Player 26.0.0.137 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves security bypass and memory corruption vulnerabilities that could lead to information disclosure or code execution (CVE-2017-3080, CVE-2017-3099, CVE-2017-3100).

References:
https://helpx.adobe.com/security/products/flash-player/apsb17-21.html
============

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-26.0.0.137-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Usual flash testing, including http://get.adobe.com/flashplayer/about/ and checking the player settings under the tools menu. Validating the update.
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
It needs to be pushed and validated for Mageia 6 too before we can get it in Mageia 5, otherwise it will break the upgrade path.
Keywords: validated_update => (none)
Version: 5 => 6
Whiteboard: advisory MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK
Note that as announced by Thomas on the dev@ ML, we can now use updates_testing for cauldron/mga6 to test and validate normal updates for the stable Mageia 6.
I've submitted updated Flash Player packages now into mga6/cauldron nonfree/updates_testing as well.
FWIW, OK for me on 32-bit install on real Intel motherboard, Core 2 Duo, and graphics.
CC: (none) => andrewsfarm
mga6 x86_64 Mate

Installed flash-player-plugin-26.0.0.137-1.mga6.nonfree
Restarted firefox
Visited get.adobe.com and played some of the corporate videos.
Checked bubbleshooter.com but it hung every time, so free play must be disabled now. The plugin is working anyway.
CC: (none) => tarazed25
On a new installation of mageia 6 flash-player-plugin was updated to version 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what is registered:

Shockwave Flash 26.0.0.126 - last updated 2 May 2017

/usr/share/doc/flash-player-plugin/README.mageia says:

This package does not contain the Flash Player itself. The software is automatically downloaded from Adobe during package installation.

This package requires the freshplayerplugin wrapper in /usr/lib64/mozilla/plugins/libfreshwrapper-flashplayer.so which allows the PPAPI plugin to be used on NPAPI browsers (e.g. Firefox) as well.

From `ls -l /usr/lib64/mozilla/plugins`

-rwxr-xr-x 1 root root 1088312 May 2 11:29 libfreshwrapper-flashplayer.so

/var/lib/flash-player-plugin/ contains flash-player-ppapi-26.0.0.137-release.x86_64.rpm

flash-player-plugin]$ sudo urpmi --test flash-player-ppapi-26.0.0.137-release.x86_64.rpm
The following package has to be removed for others to be upgraded:
flash-player-plugin-26.0.0.137-1.mga6.nonfree.x86_64
 (due to conflicts with flash-player-ppapi) (test only, removal will not be actually done) (y/N)

This is all very confusing. What should we expect to see?
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK
(In reply to Len Lawrence from comment #7)
> On a new installation of mageia 6 flash-player-plugin was updated to version
> 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what
> is registered:
> Shockwave Flash 26.0.0.126 - last updated 2 May 2017

Did you restart Firefox?

---

Testing on Mageia 6 x86_64, works fine.
Hmm, I think a "touch" for libfreshwrapper*so is missing from %post of flash-player-plugin, to make Firefox detect the new version. This was discussed before and David had already added the prerequisite %verify(not mtime) tag in freshplayerplugin. I'll submit a new flash-player-plugin for mga6 testing within a day.
Assignee: qa-bugs => anssi.hannula
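The stale-version condition from this exchange (the wrapper's mtime predates the downloaded Flash payload, so Firefox keeps listing the old version) can be checked after an update. This is an added example, not the package's %post scriptlet; the function names are hypothetical, and the paths in the comments are the ones quoted above.

```shell
#!/bin/sh
# Added example, not Mageia's scriptlet. Function names are hypothetical.
# Paths as quoted in this thread:
#   wrapper: /usr/lib64/mozilla/plugins/libfreshwrapper-flashplayer.so
#   payload: /var/lib/flash-player-plugin/

# wrapper_is_stale WRAPPER PAYLOAD_DIR
# Returns 0 if any file under PAYLOAD_DIR is newer than WRAPPER (payload was
# updated but the wrapper's mtime was not bumped), 1 if the wrapper is
# current, 2 if either path is missing.
wrapper_is_stale() {
    wrapper=$1
    payload_dir=$2
    if [ ! -f "$wrapper" ] || [ ! -d "$payload_dir" ]; then
        return 2
    fi
    newer=$(find "$payload_dir" -type f -newer "$wrapper" -print | head -n 1)
    [ -n "$newer" ]
}

# refresh_wrapper WRAPPER PAYLOAD_DIR
# Bumps the wrapper's mtime only when it is stale, which is the effect the
# "touch" in %post is meant to have. Prints "refreshed" or "current".
refresh_wrapper() {
    # "&& ... ||" keeps this safe under "set -e".
    wrapper_is_stale "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) touch "$1" && echo refreshed ;;
        1) echo current ;;
        *) echo "missing wrapper or payload directory" >&2; return 2 ;;
    esac
}

# Run against real paths only when two arguments are supplied.
if [ $# -eq 2 ]; then
    refresh_wrapper "$1" "$2"
fi
```

After a refresh, Firefox (or its plugin-container process) still has to be restarted before the plugin list shows the new version, as noted elsewhere in this thread.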
Len, you shouldn't be trying to install the adobe package directly. Sometimes when you upgrade Flash you have to kill the plugin-container process (or restart Firefox) for it to use the new version.
Assignee: anssi.hannula => qa-bugs
@Rémi - re comment 8 - yes I remembered to restart the browser. @David - re comment 10 - I only tried that as a test to see what it would try to do - had no intention of running the command for real. Just curious about the different version numbers.
MGA6-32 on Asus A6000VM MATE

Installation: I did not find flash-player-plugin-kde in the repo.
Checked with Adobe website, checked plugin in Firefox and ran www.classiccomposers.org (press "Live" to play).
OK for me.
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene
Updated Flash Player packages have been submitted to mga6 nonfree/updates_testing that should fix Len Lawrence's issue in comment #7. Specifically, Firefox should now see the new version number after upgrading from mga6 version 26.0.0.126.

No change in advisory. Mageia 5 packages were not affected.

Source packages:
flash-player-plugin-26.0.0.137-1.1.mga6.nonfree

Binary packages:
flash-player-plugin
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK
Advisory updated.
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK
x86_64 Yep, that has fixed it. And Adobe's own showcase videos run fine.
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK
Works fine here too, validating.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0211.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED