Flash Player 10.3.183.5 has been pushed to mga1 nonfree/updates_testing.

Advisory:
============
Adobe Flash Player before 10.3.183.5 has multiple overflow vulnerabilities that could lead to foreign code execution (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425). Additionally, it contains a cross-site information disclosure vulnerability (CVE-2011-2139).

There is also a packaging issue which causes the Flash Player settings dialog to not work on all KDE systems.

This update upgrades Flash Player to version 10.3.183.5 which fixes the above issues. The KDE configuration dialog is now included in a separate optional package flash-player-plugin-kde. If it is not installed, the regular GTK dialog is used instead.
============

Please test.
Testing complete on i586 using http://www.adobe.com/software/flash/about/ and YouTube. Also installed flash-player-plugin-kde, and used systemsettings to confirm the module can delete Flash cookies etc.
CC: (none) => davidwhodgins
Confirmed OK on both Gnome and KDE i586. I will also test on 64-bit.
CC: (none) => eeeemail
There doesn't appear to be any x86_64 build for flash-player-plugin or flash-player-plugin-kde
Yes, you need to use i586 flash-player-plugin on 64bit. Note that 32-bit flash-player-plugin-kde doesn't work on 64-bit, though.
MGA1 x86_64 does not install the 32-bit nonfree repo by default. There is a workaround for it on the errata I found, though. Can't we do something to make installing Flash more simple on 64-bit while we're at it? Even if it is just something like flash-player-plugin-workaround in the x86_64 nonfree to pull in the 32-bit binary, or is it not so simple? Apologies if this has already been discussed to death elsewhere.
Actually, this was discussed on mageia-dev@ in the "Providing 32-bit flash-player-plugin in x86_64 nonfree?" thread. I double-checked the thread, and there wasn't really much opposition. This would involve having a flash-player-plugin package on x86_64 which installs the 32-bit version (with a note in summary and description). I guess that would be what you were looking for?
Yes, it seems to make sense that way. At some point a 64-bit build will be available, I'm sure, which would replace it. The fact it is mentioned in the errata implies it is an error/omission. Anything that makes it easier for the end user has to be good for Mageia :o)
New update candidate submitted to nonfree/updates_testing:

flash-player-plugin-10.3.181.34-0.2.mga1.nonfree

Please test. Advisory is the same as before, with the added text:
============
Additionally, the flash-player-plugin package is now provided also in the x86_64 repository which will install the 32-bit Flash Player for now. When a 64-bit stable Flash Player becomes available, the package will be updated to that version.
============
Thank you Anssi, I will try it out.
Is this the older version again or did you mean 10.3.183.5?
Indeed I meant 10.3.183.5-0.2.mga1.nonfree.
Testing of flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.src.rpm complete on i586. Same tests as in Comment 1.
Why not package flash-player-plugin directly in 64-bit, with 64-bit libraries? Those who use an x86_64 internet browser cannot use the 32-bit flash-player-plugin-10.3.183.5-0.2.mga1.nonfree; there will be an incompatibility, no?
CC: (none) => geiger.david68210
(In reply to comment #13) Because 64-bit Flash Player 10.3.183.5 doesn't exist, it can't be provided yet. The fake-x86_64 package Suggests nspluginwrapper to enable it to function on 64-bit browsers.
Tested OK on x86_64 and i586. Thank you for the extra package.

flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.i586.rpm
flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.x86_64.rpm
flash-player-plugin-kde-10.3.183.5-0.2.mga1.nonfree.i586.rpm

Advisory:
============
Adobe Flash Player before 10.3.183.5 has multiple overflow vulnerabilities that could lead to foreign code execution (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425). Additionally, it contains a cross-site information disclosure vulnerability (CVE-2011-2139).

There is also a packaging issue which causes the Flash Player settings dialog to not work on all KDE systems.

This update upgrades Flash Player to version 10.3.183.5 which fixes the above issues. The KDE configuration dialog is now included in a separate optional package flash-player-plugin-kde. If it is not installed, the regular GTK dialog is used instead.

Additionally, the flash-player-plugin package is now provided also in the x86_64 repository which will install the 32-bit Flash Player for now. When a 64-bit stable Flash Player becomes available, the package will be updated to that version.
============

Anssi, could you please add the srpms.

Update Validated, thank you. This can be pushed from nonfree/updates_testing to nonfree/updates when passed by security.

Assigned to security@groups.mageia.org (Hopefully, please let me know if I've done this wrong)
Keywords: (none) => validated_update
CC: eeeemail => qa-bugs
Hardware: i586 => All
Assignee: qa-bugs => security
Can someone from the sysadmin team push the srpm flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.src.rpm from Core Updates Testing to Core Updates please.

Advisory:
Adobe Flash Player before 10.3.183.5 has multiple overflow vulnerabilities that could lead to foreign code execution (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425). Additionally, it contains a cross-site information disclosure vulnerability (CVE-2011-2139).

There is also a packaging issue which causes the Flash Player settings dialog to not work on all KDE systems.

This update upgrades Flash Player to version 10.3.183.5 which fixes the above issues. The KDE configuration dialog is now included in a separate optional package flash-player-plugin-kde. If it is not installed, the regular GTK dialog is used instead.

Additionally, the flash-player-plugin package is now provided also in the x86_64 repository which will install the 32-bit Flash Player for now. When a 64-bit stable Flash Player becomes available, the package will be updated to that version.
CC: (none) => mageia-sysadm
Thank you Dave for adding the srpm. I don't wish to step on any toes, but as this is a Security update it should be checked by the Security Team before it can be pushed, and as such it has been assigned to them. http://www.mageia.org/wiki/doku.php?id=qa_updates I have also removed mageia-sysadm@mageia.org, which is incorrect, and added sysadmin-bugs@ml.mageia.org in readiness.
CC: mageia-sysadm => eeeemail, sysadmin-bugs
There are 13 CVEs (so that's 13 different security problems; thanks, Flash, for being such a source of security problems), most of them without public exploits to test, and we do not have the source code of Flash, so there is nothing to validate :/ . For example, take: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2137 "remote code execution via unspecified vector". We cannot learn anything except that this is pretty serious. So I would push the update, provided it was found to be working.
CC: (none) => misc
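Since, as the comment above notes, none of the 13 CVEs can be exercised without public exploits or source, the one check a tester can actually perform is that the installed package version is at or above the advisory's fixed version. The following is an added example, not code from the bug report or from Mageia's packaging: a POSIX shell version comparison applied to `rpm -q`-style NVRA strings. The function names, the sample NVRA strings and the numeric-only version assumption are mine; the live `rpm -q` query runs only if rpm is present.

```shell
#!/bin/sh
# Added example (not from the bug report or Mageia packaging): confirm that an
# installed flash-player-plugin is at or above the advisory's fixed version.
# Function names and the sample NVRA strings below are constructed for the demo.

FIXED_VERSION="10.3.183.5"

# vercmp A B: print -1, 0 or 1 comparing two dotted numeric versions field by
# field; a missing trailing field counts as 0 (so 10.3 == 10.3.0).
# Assumption: fields are plain integers, as in Adobe's 10.3.183.5 scheme.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# version_from_nvra NVRA: extract the upstream version from an `rpm -q` style
# string such as flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.i586
version_from_nvra() {
    v="${1#flash-player-plugin-}"   # drop the package name
    printf '%s\n' "${v%%-*}"        # drop release and architecture
}

# is_fixed NVRA: succeed when the package version is >= FIXED_VERSION
is_fixed() {
    [ "$(vercmp "$(version_from_nvra "$1")" "$FIXED_VERSION")" -ge 0 ]
}

# check_installed_rpm: query the live RPM database; succeeds only when a
# fixed flash-player-plugin is installed (the x86_64 package installs the
# 32-bit plugin, so the same version check applies on both architectures).
check_installed_rpm() {
    nvra=$(rpm -q flash-player-plugin 2>/dev/null) || {
        echo "flash-player-plugin: not installed (or rpm unavailable)"
        return 1
    }
    if is_fixed "$nvra"; then
        echo "$nvra: fixed (>= $FIXED_VERSION)"
    else
        echo "$nvra: VULNERABLE (< $FIXED_VERSION)"
        return 1
    fi
}

# Constructed sample inputs: the earlier candidate build and the fixed build.
for sample in flash-player-plugin-10.3.181.34-0.2.mga1.nonfree.x86_64 \
              flash-player-plugin-10.3.183.5-0.2.mga1.nonfree.i586; do
    if is_fixed "$sample"; then echo "$sample: fixed"; else echo "$sample: vulnerable"; fi
done
check_installed_rpm || :
```

The RPM check tells you only what the package manager believes; pair it with the Adobe about page used in Comment 1, which reports the version the browser actually loaded, since a stale copy under ~/.mozilla/plugins or an nspluginwrapper wrapper of an older binary would pass the package check and still run old code.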
Fixed (and for the record, that's not pushing from core updates testing, but nonfree updates testing :p)
Really closing this.
Status: NEW => RESOLVED
Resolution: (none) => FIXED