This update upgrades Flash Player to version 26.0.0.151.
Security Fix(es):
* This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2017-3085, CVE-2017-3106)
CVE: (none) => CVE-2017-3085, CVE-2017-3106
Whiteboard: (none) => MGA5TOO
Assignee: bugsquad => anssi.hannula
pushed in updates_testing
src.rpm:
flash-player-plugin-26.0.0.151-1.mga6
flash-player-plugin-26.0.0.151-1.mga5
Assignee: anssi.hannula => qa-bugs
CC: (none) => mageia
We still need an advisory for this one. Anssi always does these.
CC: (none) => anssi.hannula
The package FAILED to install. The urpmi output is below. The downloads were successful, so this is probably a pre-install script issue.
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8773k 100 8773k 0 0 2796k 0 0:00:03 0:00:03 --:--:-- 2816k
Downloading from http://linuxdownload.adobe.com/linux/x86_64/flash-player-npapi-26.0.0.151-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8773k 100 8773k 0 0 2982k 0 0:00:02 0:00:02 --:--:-- 3110k
Error: Unable to download Flash Player. This is likely due to this package being too old. Please file a bug report at https://bugs.mageia.org so that the package gets updated. Thank you. In the meantime, you can download Flash Player manually from http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-26.0.0.151-1.mga5.nonfree.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-26.0.0.151-1.mga5.nonfree
error: flash-player-plugin-26.0.0.151-1.mga5.nonfree.x86_64: install failed
CC: (none) => mageia
The sha256sum values are wrong.
For http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.x86_64.rpm it should be
sha256sum ./flash-player-npapi-26.0.0.151-release.x86_64.rpm
0d29d22f596e11140bb0d924f24d05fce8aa33b0941e7de9c0421b3534ddf0ed ./flash-player-npapi-26.0.0.151-release.x86_64.rpm
with a file size of 8983724 bytes.
For http://linuxdownload.adobe.com/linux/x86_64/flash-player-npapi-26.0.0.151-release.x86_64.rpm it should be
2374a07d66f6e13e9d436aca85fd78d0894de0f54dcae7c91c09cd6bce5b7a59
with a file size of 8983900 bytes.
I don't know where adobe publishes the values. The way I obtain them is to download the rpm files in a snapshotted vb guest, test that they work to ensure the download was ok, and then see what the values are.
CC: (none) => davidwhodgins
Instead of using the sha256sum values and the file size, it would make more sense to me to have a separate package that imports the adobe key used to sign the rpm package, and have that package required by the flash-player-plugin package. The gpg key to import can be obtained from http://pgp.mit.edu/pks/lookup?op=get&search=0x3A69BD24F6777C67 or any of the other working gpg key servers. The package for the adobe key should be similar to the gpg-pubkey-80420f66-4d4fe123 package that imports the key used to sign Mageia packages.
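Added example, not part of the bug thread or of the Mageia package: a POSIX shell check for the size-and-SHA-256 pinning discussed in the two comments above, with separate exit codes so that a stale pin is not reported as "Unable to download". The function names are hypothetical, and the pinned pairs are the x86_64 values quoted above (one per mirror).

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a fetched RPM against
# pinned "size sha256" pairs and say which kind of failure occurred.

# One pair per mirror, as quoted in the thread for
# flash-player-npapi-26.0.0.151-release.x86_64.rpm.
ACCEPTED='8983724 0d29d22f596e11140bb0d924f24d05fce8aa33b0941e7de9c0421b3534ddf0ed
8983900 2374a07d66f6e13e9d436aca85fd78d0894de0f54dcae7c91c09cd6bce5b7a59'

# verify_download FILE [PINS]
#   0 = size and hash match one pinned pair
#   2 = file missing or empty (a real download failure)
#   3 = file present, but no pinned pair matches (stale pins or altered file)
verify_download() {
    file=$1
    list=${2:-$ACCEPTED}
    [ -s "$file" ] || return 2
    size=$(wc -c < "$file" | tr -d ' ')
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    while read -r want_size want_sum; do
        if [ "$size" = "$want_size" ] && [ "$sum" = "$want_sum" ]; then
            return 0
        fi
    done <<EOF
$list
EOF
    return 3
}

# report FILE [PINS]: print a message naming the actual cause, keep the code.
report() {
    rc=0
    verify_download "$@" || rc=$?
    case $rc in
        0) echo "OK: $1 matches a pinned size and SHA-256" ;;
        2) echo "ERROR: $1 is missing or empty (download failed)" ;;
        3) echo "ERROR: $1 was downloaded but does not match the pinned values" ;;
    esac
    return $rc
}

# Command-line use: sh verify.sh /path/to/downloaded.rpm
[ "$#" -eq 0 ] || report "$1"
```

The signature-based alternative proposed in the comment above would replace the pinned pairs with `rpm --import` of the vendor key followed by `rpm -K` on the downloaded file.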
Created attachment 9615: gpg key for adobe
Attached is the gpg key for adobe which can be imported using rpm --import
Attachment 9615 filename: adobe.gpg => adobe.gpg.asc
Attachment 9615 mime type: text/plain => application/octet-stream
CC: (none) => qa-bugs
Assignee: qa-bugs => anssi.hannula
Please test new rpms:
src.rpm:
flash-player-plugin-26.0.0.151-1.1.mga5
flash-player-plugin-26.0.0.151-1.1.mga6
Assignee: anssi.hannula => qa-bugs
# urpmi flash-player-plugin
http://mirror.internode.on.net/pub/mageia/distrib/5/i586/media/nonfree/updates_testing/flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586.rpm
installing flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586.rpm from /var/cache/urpmi/rpms
Preparing... ###########################################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.i386.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8269k 100 8269k 0 0 887k 0 0:00:09 0:00:09 --:--:-- 915k
Downloading from http://linuxdownload.adobe.com/linux/i386/flash-player-npapi-26.0.0.151-release.i386.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8269k 100 8269k 0 0 292k 0 0:00:28 0:00:28 --:--:-- 444k
Error: Unable to download Flash Player. This is likely due to this package being too old. Please file a bug report at https://bugs.mageia.org so that the package gets updated. Thank you. In the meantime, you can download Flash Player manually from http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-26.0.0.151-1.mga5.nonfree
error: flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586: install failed
CC: (none) => westel
It installed fine on mga6 (64-bits) after the import of the key provided by David in the attachment.
# urpmi flash-player-plugin
Unknown option: X
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
freshplayerplugin 0.3.6 8.mga6 x86_64
(medium "Nonfree Updates (distrib13)")
flash-player-plugin 26.0.0.137 1.1.mga6.non> x86_64
1MB of additional disk space will be used.
374KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
$MIRRORLIST: media/core/release/freshplayerplugin-0.3.6-8.mga6.x86_64.rpm
$MIRRORLIST: media/nonfree/updates/flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.x86_64.rpm
installing flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.x86_64.rpm freshplayerplugin-0.3.6-8.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/2: freshplayerplugin #############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.137/flash-player-ppapi-26.0.0.137-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 277 100 277 0 0 2097 0 --:--:-- --:--:-- --:--:-- 2387
Downloading from http://linuxdownload.adobe.com/linux/x86_64/flash-player-ppapi-26.0.0.137-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9196k 100 9196k 0 0 3468k 0 0:00:02 0:00:02 --:--:-- 3545k
2/2: flash-player-plugin #############################################
Adobe Flash Player installation successful.
Not tested in the wild yet.
CC: (none) => tarazed25
Following on from comment 9. Played showcase videos on Adobe home site. Sound and vision OK, fullscreen no problem.
Scrap all that. Just noticed that it was version 137 that installed. 151 did not appear in updates testing so tried again with search-media.
# urpmi --search-media "Core Updates Testing" flash-player-plugin
No package named flash-player-plugin
Holding off until the mirrors catch up.
Installed and tested without issue. Tested several flash games, video and audio on Firefox 56.0b6 (64-bit, upstream) and Konqueror 4.14.3.
System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU with proprietary driver nvidia340.
$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q flash-player-plugin
flash-player-plugin-26.0.0.151-1.1.mga5
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Installed on mga6, played some showcase videos on the Adobe home site UK, tried a couple of browser games. Sound and video OK.
$ rpm -qa | grep flash-player-plugin
flash-player-plugin-26.0.0.151-1.1.mga6
Correct this time. Good for 64-bits.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Thanks to all testers for the tricky testing. Advisory uploaded from Comments 0 & 7.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs…
(5/nonfree/flash-player-plugin-26.0.0.151-1.1.mga5.nonfree)
(6/nonfree/flash-player-plugin-26.0.0.151-1.1.mga6.nonfree)
'validated_update' keyword reset.
Keywords: validated_update => (none)
(In reply to Nicolas Lécureuil from comment #15)
> Update ID assignment failed
>
> Checking SRPMs…
> (5/nonfree/flash-player-plugin-26.0.0.151-1.1.mga5.nonfree)
> (6/nonfree/flash-player-plugin-26.0.0.151-1.1.mga6.nonfree)
Please tell me what is wrong. I thought that the SRPM names should end in nonfree|tainted if that applies.
It should. This is a mistake in the srpm name ...
$ urpmq -i flash-player-plugin|grep ^Source|sort -uV|tail -n 5
Source RPM : flash-player-plugin-25.0.0.171-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.126-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.137-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.151-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.151-1.1.mga5.src.rpm
With the incorrect srpm name, it's also in the core updates testing repo instead of the nonfree updates testing repo.
In VirtualBox, M5.1, KDE, 32-bit
Package(s) under test: flash-player-plugin
default install of flash-player-plugin
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.137-1.mga5.nonfree.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26,0,0,137 ( out of date )
Various sites indicate that flash is out of date.
http://www.y8.com/tags/Flash games play
install flash-player-plugin from updates_testing
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.151-1.1.mga5.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26.0.0.151 ( up to date )
No indication of out of date flash player.
http://www.y8.com/tags/Flash games play
CC: (none) => wilcal.int
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK advisory => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK advisory
Disregard Comment #20. Redundant.
(In reply to Dave Hodgins from comment #18)
> With the incorrect srpm name, it's also in the core updates testing repo
> instead of the nonfree updates testing repo.
my bad. I fix this
In VirtualBox, M6, KDE, 32-bit
Package(s) under test: flash-player-plugin
default install of flash-player-plugin
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26,0,0,137 ( out of date )
Various sites indicate that flash is out of date.
http://www.y8.com/tags/Flash games play
install flash-player-plugin from updates_testing
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.151-1.1.mga6.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26.0.0.151 ( up to date )
No indication of out of date flash player.
http://www.y8.com/tags/Flash games play
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK advisory => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory
This update works fine. Testing complete for MGA5, 32-bit & 64-bit. Validating the update. Could someone from the sysadmin team push to updates? Thanks
Keywords: (none) => validated_update
Removing the OKs and validation till the srpm name is corrected and the update put in the nonfree updates testing repo instead of the core update testing repo.
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory => MGA5TOO advisory
Keywords: validated_update => (none)
Adding the feedback whiteboard entry to make it clear there is a problem.
Whiteboard: MGA5TOO advisory => MGA5TOO advisory feedback
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0314.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Putting back the oks and validation. Sorry for the noise.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO advisory feedback => MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK