Debian Bug report logs - #814316
New Flash player is available -- fixes a security issue


Package: flashplugin-nonfree; Maintainer for flashplugin-nonfree is (unknown);

Reported by: Julien Wajsberg <felash@gmail.com>

Date: Wed, 10 Feb 2016 09:48:01 UTC

Severity: grave

Found in version flashplugin-nonfree/1:3.6.1

Done: Bart Martens <bartm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Wed, 10 Feb 2016 09:48:05 GMT)

Acknowledgement sent to Julien Wajsberg <felash@gmail.com>:
New Bug report received and forwarded. Copy sent to Bart Martens <bartm@debian.org>. (Wed, 10 Feb 2016 09:48:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Julien Wajsberg <felash@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: New Flash player is available -- fixes a security issue
Date: Wed, 10 Feb 2016 10:44:17 +0100
Package: flashplugin-nonfree
Version: 1:3.6.1
Severity: grave

Adobe released a new version of the Flash plugin to fix a security issue,
see [1].

[1] https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

  $ update-flashplugin-nonfree --status
  Flash Player version installed on this system  : 11.2.202.559
  Flash Player version available on upstream site: 11.2.202.569

But "update-flashplugin-nonfree --install" doesn't install it, likely
because [2] is not updated yet.

[2]
https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/fp10.sha512.amd64.pgp.asc

Thanks !
-- 
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Sun, 13 Mar 2016 15:30:03 GMT)

Acknowledgement sent to eric.valette@free.fr:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Sun, 13 Mar 2016 15:30:03 GMT)

Message #10 received at 814316@bugs.debian.org:

From: Eric Valette <eric.valette@free.fr>
To: 814316@bugs.debian.org
Subject: Why does it always take multiple days when 0-day exploits are in the wild
Date: Sun, 13 Mar 2016 16:27:03 +0100
This program brings nothing if it is continuously lagging several days
for critical bugs...



update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.569
Flash Player version available on upstream site: 11.2.202.577
flash-mozilla.so - auto mode
  link best version is /usr/lib/flashplugin-nonfree/libflashplayer.so
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
  link flash-mozilla.so is /usr/lib/mozilla/plugins/flash-mozilla.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50

-- eric



Reply sent to Bart Martens <bartm@debian.org>:
You have taken responsibility. (Mon, 14 Mar 2016 06:09:08 GMT)

Notification sent to Julien Wajsberg <felash@gmail.com>:
Bug acknowledged by developer. (Mon, 14 Mar 2016 06:09:08 GMT)

Message #15 received at 814316-done@bugs.debian.org:

From: Bart Martens <bartm@debian.org>
To: 814316-done@bugs.debian.org
Subject: New Flash player is available -- fixes a security issue
Date: Mon, 14 Mar 2016 06:06:21 +0000
Updated checksums.



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Sat, 09 Apr 2016 10:27:05 GMT)

Acknowledgement sent to Thomas Renard <cybaer42@web.de>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Sat, 09 Apr 2016 10:27:05 GMT)

Message #20 received at 814316@bugs.debian.org:

From: Thomas Renard <cybaer42@web.de>
To: 814316@bugs.debian.org
Subject: New Flash player is available -- fixes a security issue
Date: Sat, 9 Apr 2016 12:22:54 +0200
... again:


sudo update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.577
Flash Player version available on upstream site: 11.2.202.616
flash-mozilla.so - auto mode
  link best version is /usr/lib/flashplugin-nonfree/libflashplayer.so
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
  link flash-mozilla.so is /usr/lib/mozilla/plugins/flash-mozilla.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50

fixes uncountable CVEs, zero-days...

https://helpx.adobe.com/security/products/flash-player/apsb16-10.html



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Thu, 14 Apr 2016 10:45:04 GMT)

Acknowledgement sent to Matteo Contini <matteo.contini1689@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Thu, 14 Apr 2016 10:45:04 GMT)

Message #25 received at 814316@bugs.debian.org:

From: Matteo Contini <matteo.contini1689@gmail.com>
To: 814316@bugs.debian.org
Subject: New Flash player is available -- fixes a security issue
Date: Thu, 14 Apr 2016 12:43:41 +0200
It's still unsolved...

sudo update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.577
Flash Player version available on upstream site: 11.2.202.616
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
    /usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.

Matteo



Bug reopened. Request was from Stephen Kitt <skitt@debian.org> to control@bugs.debian.org. (Thu, 14 Apr 2016 12:30:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Fri, 15 Apr 2016 13:12:03 GMT)

Acknowledgement sent to äxl <aexlfowley@web.de>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Fri, 15 Apr 2016 13:12:04 GMT)

Message #32 received at 814316@bugs.debian.org:

From: äxl <aexlfowley@web.de>
To: 814316@bugs.debian.org
Subject: New Flash player is available -- fixes a security issue
Date: Fri, 15 Apr 2016 15:09:15 +0200
Solved. Thank you! (For now;)

Flash Player version installed on this system  : 11.2.202.616
Flash Player version available on upstream site: 11.2.202.616
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Tue, 17 May 2016 14:18:05 GMT)

Acknowledgement sent to Bastian Triller <bastian.triller@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Tue, 17 May 2016 14:18:05 GMT)

Message #37 received at 814316@bugs.debian.org:

From: Bastian Triller <bastian.triller@gmail.com>
To: Debian Bug Tracking System <814316@bugs.debian.org>
Subject: Re: New Flash player is available -- fixes a security issue
Date: Tue, 17 May 2016 16:14:42 +0200
Package: flashplugin-nonfree
Version: 1:3.6.1+b1
Followup-For: Bug #814316

Dear Maintainer,

please update to new upstream version, which fixes CVE-2016-4117 [1].

Thank you.


[1] https://helpx.adobe.com/security/products/flash-player/apsa16-02.html



-- Package-specific info:
Debian version: stretch/sid
Architecture: amd64
Package version: 1:3.6.1+b1
Adobe Flash Player version: LNX 11,2,202,616
MD5 checksums:
	160a01dd00527304e5291e65eb0c65e2  /var/cache/flashplugin-nonfree/get-upstream-version.pl
	18271ef4389464f5236e415a8f140872  /var/cache/flashplugin-nonfree/install_flash_player_11_linux.x86_64.tar.gz
	cb4968ab3f52b73a05590ecd87a83bd5  /usr/lib/flashplugin-nonfree/libflashplayer.so
Alternatives:
	flash-mozilla.so - auto mode
	  link best version is /usr/lib/flashplugin-nonfree/libflashplayer.so
	  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
	  link flash-mozilla.so is /usr/lib/mozilla/plugins/flash-mozilla.so
	/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
	lrwxrwxrwx 1 root root 34 Aug 18  2015 /usr/lib/mozilla/plugins/flash-mozilla.so -> /etc/alternatives/flash-mozilla.so
	/usr/lib/mozilla/plugins/flash-mozilla.so: symbolic link to /etc/alternatives/flash-mozilla.so

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages flashplugin-nonfree depends on:
ii  binutils               2.26-9
ii  ca-certificates        20160104
ii  debconf [debconf-2.0]  1.5.59
ii  gnupg                  1.4.20-6
ii  libatk1.0-0            2.20.0-1
ii  libcairo2              1.14.6-1+b1
ii  libcurl3-gnutls        7.47.0-1
ii  libfontconfig1         2.11.0-6.4
ii  libfreetype6           2.6.3-3+b1
ii  libgcc1                1:6.1.1-3
ii  libglib2.0-0           2.48.1-1
ii  libgtk2.0-0            2.24.30-1.1
ii  libnspr4               2:4.12-2
ii  libnss3                2:3.23-2
ii  libpango1.0-0          1.40.1-1
ii  libstdc++6             6.1.1-3
ii  libx11-6               2:1.6.3-1
ii  libxext6               2:1.3.3-1
ii  libxt6                 1:1.1.5-1
ii  wget                   1.17.1-2

flashplugin-nonfree recommends no packages.

Versions of packages flashplugin-nonfree suggests:
ii  fonts-dejavu               2.35-1
pn  hal                        <none>
pn  iceweasel                  <none>
pn  konqueror-nsplugins        <none>
ii  ttf-mscorefonts-installer  3.6
pn  ttf-xfree86-nonfree        <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Tue, 17 May 2016 14:21:10 GMT)

Acknowledgement sent to Bastian Triller <bastian.triller@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Tue, 17 May 2016 14:21:10 GMT)

Message #42 received at 814316@bugs.debian.org:

From: Bastian Triller <bastian.triller@gmail.com>
To: Debian Bug Tracking System <814316@bugs.debian.org>
Subject: Re: New Flash player is available -- fixes a security issue
Date: Tue, 17 May 2016 16:17:02 +0200
Package: flashplugin-nonfree
Version: 1:3.6.1+b1
Followup-For: Bug #814316

Dear Maintainer,

Flash Player version installed on this system  : 11.2.202.616
Flash Player version available on upstream site: 11.2.202.621
flash-mozilla.so - auto mode
  link best version is /usr/lib/flashplugin-nonfree/libflashplayer.so
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
  link flash-mozilla.so is /usr/lib/mozilla/plugins/flash-mozilla.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50



-- Package-specific info:
Debian version: stretch/sid
Architecture: amd64
Package version: 1:3.6.1+b1
Adobe Flash Player version: LNX 11,2,202,616
MD5 checksums:
	160a01dd00527304e5291e65eb0c65e2  /var/cache/flashplugin-nonfree/get-upstream-version.pl
	18271ef4389464f5236e415a8f140872  /var/cache/flashplugin-nonfree/install_flash_player_11_linux.x86_64.tar.gz
	cb4968ab3f52b73a05590ecd87a83bd5  /usr/lib/flashplugin-nonfree/libflashplayer.so
Alternatives:
	flash-mozilla.so - auto mode
	  link best version is /usr/lib/flashplugin-nonfree/libflashplayer.so
	  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
	  link flash-mozilla.so is /usr/lib/mozilla/plugins/flash-mozilla.so
	/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
	lrwxrwxrwx 1 root root 34 Aug 18  2015 /usr/lib/mozilla/plugins/flash-mozilla.so -> /etc/alternatives/flash-mozilla.so
	/usr/lib/mozilla/plugins/flash-mozilla.so: symbolic link to /etc/alternatives/flash-mozilla.so

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages flashplugin-nonfree depends on:
ii  binutils               2.26-9
ii  ca-certificates        20160104
ii  debconf [debconf-2.0]  1.5.59
ii  gnupg                  1.4.20-6
ii  libatk1.0-0            2.20.0-1
ii  libcairo2              1.14.6-1+b1
ii  libcurl3-gnutls        7.47.0-1
ii  libfontconfig1         2.11.0-6.4
ii  libfreetype6           2.6.3-3+b1
ii  libgcc1                1:6.1.1-3
ii  libglib2.0-0           2.48.1-1
ii  libgtk2.0-0            2.24.30-1.1
ii  libnspr4               2:4.12-2
ii  libnss3                2:3.23-2
ii  libpango1.0-0          1.40.1-1
ii  libstdc++6             6.1.1-3
ii  libx11-6               2:1.6.3-1
ii  libxext6               2:1.3.3-1
ii  libxt6                 1:1.1.5-1
ii  wget                   1.17.1-2

flashplugin-nonfree recommends no packages.

Versions of packages flashplugin-nonfree suggests:
ii  fonts-dejavu               2.35-1
pn  hal                        <none>
pn  iceweasel                  <none>
pn  konqueror-nsplugins        <none>
ii  ttf-mscorefonts-installer  3.6
pn  ttf-xfree86-nonfree        <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Wed, 01 Jun 2016 08:36:04 GMT)

Acknowledgement sent to äxl <aexlfowley@web.de>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Wed, 01 Jun 2016 08:36:04 GMT)

Message #47 received at 814316@bugs.debian.org:

From: äxl <aexlfowley@web.de>
To: 814316@bugs.debian.org
Subject: Re: New Flash player is available -- fixes a security issue
Date: Wed, 1 Jun 2016 10:32:45 +0200
Still unsolved.

sudo update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.616
Flash Player version available on upstream site: 11.2.202.621
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.

äxl



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Wed, 01 Jun 2016 15:00:04 GMT)

Acknowledgement sent to Kernc <kerncece@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Wed, 01 Jun 2016 15:00:04 GMT)

Message #52 received at 814316@bugs.debian.org:

From: Kernc <kerncece@gmail.com>
To: 814316@bugs.debian.org
Cc: Bart Martens <bartm@debian.org>
Subject: Fetch flashplugin-nonfree archive from Macromedia directly?
Date: Wed, 1 Jun 2016 16:56:20 +0200
Bart,

Thank you for maintaining this package for so long. Possibly hundreds of
thousands depend on it to maintain a working Flash player. Thanks!

Given how this bug really pops up a lot [1], and given how its severity is
always grave (because it's mostly a huge security issue), have you or would
you consider patches that adapted the update script to fetch the tar.gz
from the upstream site directly? The upstream download site _is_ available
over HTTPS [2]. Could this be acceptable?

[1]:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=flashplugin-nonfree
[2]:
https://www.ssllabs.com/ssltest/analyze.html?d=fpdownload.macromedia.com

Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Thu, 02 Jun 2016 07:06:04 GMT)

Acknowledgement sent to Ivan Jurišić <ivan@jurisic.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Thu, 02 Jun 2016 07:06:04 GMT)

Message #57 received at 814316@bugs.debian.org:

From: Ivan Jurišić <ivan@jurisic.org>
To: 814316@bugs.debian.org
Subject: flash plugin
Date: Thu, 2 Jun 2016 08:34:09 +0200
--- console ---
update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.616
Flash Player version available on upstream site: 11.2.202.621
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.

update-flashplugin-nonfree --install

---
Trying to update from 11.2.202.616 to 11.2.202.621 but not work, please
fix. Thanks



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Thu, 02 Jun 2016 08:09:04 GMT)

Acknowledgement sent to Tycho Lürsen <tycholursen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Thu, 02 Jun 2016 08:09:04 GMT)

Message #62 received at 814316@bugs.debian.org:

From: Tycho Lürsen <tycholursen@gmail.com>
To: 814316@bugs.debian.org
Subject: Re: Fetch flashplugin-nonfree archive from Macromedia directly?
Date: Thu, 2 Jun 2016 10:05:35 +0200
On Wed, 1 Jun 2016 16:56:20 +0200 Kernc <kerncece@gmail.com> wrote:
> Bart,
>
> Thank you for maintaining this package for so long. Possibly hundreds of
> thousands depend on it to maintain a working Flash player. Thanks!
>
> Given how this bug really pops up a lot [1], and given how its severity
> is always grave (because it's mostly a huge security issue), have you or
> would you consider patches that adapted the update script to fetch the
> tar.gz from the upstream site directly? The upstream download site _is_
> available over HTTPS [2]. Could this be acceptable?
>
> [1]:
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=flashplugin-nonfree
> [2]:
> https://www.ssllabs.com/ssltest/analyze.html?d=fpdownload.macromedia.com

@Kernc
What are the exact changes to the update script you are proposing?

Mind uploading a diff, so we can review and test it?
Thanks in advance,
Tycho.



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Sat, 04 Jun 2016 22:06:13 GMT)

Acknowledgement sent to pioruns <pioruns@o2.pl>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Sat, 04 Jun 2016 22:06:13 GMT)

Message #67 received at 814316@bugs.debian.org:

From: pioruns <pioruns@o2.pl>
To: 814316@bugs.debian.org
Subject: Confirming bug
Date: Sat, 4 Jun 2016 23:56:53 +0100
Confirming bug on my system; Firefox is complaining about Flash being
out of date. Result:

update-flashplugin-nonfree --status
Flash Player version installed on this system  : 11.2.202.616
Flash Player version available on upstream site: 11.2.202.621
flash-mozilla.so - auto mode
  link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.

I cannot update it. Any solutions?



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Thu, 09 Jun 2016 04:54:04 GMT)

Acknowledgement sent to Chris Dellin <cdellin@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Thu, 09 Jun 2016 04:54:04 GMT)

Message #72 received at 814316@bugs.debian.org:

From: Chris Dellin <cdellin@gmail.com>
To: 814316@bugs.debian.org
Subject: Confirming bug
Date: Wed, 8 Jun 2016 21:49:58 -0700
I'm still having this issue on my system.

As a summary, the security update to version 11.2.202.621 published by
Adobe on May 12 [0] fixes the following 31 CVEs:

CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,
CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105,
CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,
CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112,
CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117,
CVE-2016-4120, CVE-2016-4121, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,
CVE-2016-4163

Each of the 31 vulnerabilities is reported to possibly lead to code
execution, including via buffer overflow, use-after-free, and memory
corruption bugs.  The update is given the highest severity by Adobe:

Critical - A vulnerability, which, if exploited would allow malicious
native-code to execute, potentially without a user being aware. [1]

If anyone knows a functional workaround, please let me know!  (My
understanding is that Debian 7 should have security support until May 2018
[2].)

Cheers,
- Chris

[0] https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
[1] https://helpx.adobe.com/security/severity-ratings.html
[2] https://wiki.debian.org/LTS/

Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Thu, 09 Jun 2016 05:42:06 GMT)

Acknowledgement sent to Christopher Schramm <debian@cschramm.eu>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Thu, 09 Jun 2016 05:42:06 GMT)

Message #77 received at 814316@bugs.debian.org:

From: Christopher Schramm <debian@cschramm.eu>
To: Chris Dellin <cdellin@gmail.com>, 814316@bugs.debian.org
Subject: Re: Bug#814316: Confirming bug
Date: Thu, 9 Jun 2016 07:37:52 +0200
09.06.2016 06:49 Chris Dellin:
> If anyone knows a functional workaround, please let me know!  (My
> understanding is that Debian 7 should have security support until May
> 2018 [2].)

Put the libflashplayer.so file contained in the .tar.gz from
https://get.adobe.com/de/flashplayer/ at
/usr/lib/flashplugin-nonfree/libflashplayer.so.



Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#814316; Package flashplugin-nonfree. (Fri, 10 Jun 2016 02:39:03 GMT)

Acknowledgement sent to Elliott Mitchell <ehem+debian@m5p.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>. (Fri, 10 Jun 2016 02:39:03 GMT)

Message #82 received at 814316@bugs.debian.org:

From: Elliott Mitchell <ehem+debian@m5p.com>
To: 814316@bugs.debian.org
Subject: Re: Fetch flashplugin-nonfree archive from Macromedia directly?
Date: Thu, 9 Jun 2016 19:36:35 -0700
The problem for flashplugin-nonfree is verifying the tarball that is
downloaded.  Adobe isn't making this easy since they don't provide any
form of conventional signature (PGP).  Thus Bart Martens had been doing
the rather unenviable job of having to approve Flash Player somehow.  The
approach had been from signatures downloaded from people.debian.org.

Problem is this only works as long as Bart Martens is able to check and
sign the releases promptly.  This is now breaking down since Bart Martens
is either having difficulty verifying the current release, is unavailable
(I hope Bart hasn't met an unfortunate end!), or is otherwise indisposed.


The only thing approximating an alternative I'm aware of is the one that
has been pointed out earlier on this bug (#814316).  Adobe now has HTTPS
available on the webserver where Flash Player gets downloaded from.
Problem is SSL/TLS isn't really meant as a strong verifier for the source
of downloads and I doubt they're using sufficiently long keys to provide
good verification anyway.

Net result, we've got a bunch of Truly Bad(tm) "alternatives" that are
all horrendously insecure.  I suppose HTML5 may provide something that
is less Bad(tm), but that merely means different forms of Bad(tm).


Thank you Bart Martens for your long reasonably sane handling of this
stupidly insecure insanity, I hope you merely needed a break and haven't
met your end.

Now we need to do something about this Bad(tm) situation that isn't
absolutely horrible.

Looks like we've currently got eight bugs that duplicate #814316 (820583,
820975, 820993, 824367, 826301, 826369, 826618, 826777) and I'm
suspecting there will be more new bugs before this is solved.  :-(


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         EHeM+sigmsg@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
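The two messages above (Kernc's proposal to fetch the tarball straight from Adobe over HTTPS, and Elliott Mitchell's reply on why the maintainer-signed checksums on people.debian.org exist) describe the trust model update-flashplugin-nonfree relies on. The following is an added example, not code from the package or from any poster, that models that decision in Python: a manifest the maintainer has signed lists the approved upstream versions with their SHA-512 digests, and the installer proceeds only when the version upstream currently offers is in the manifest and the downloaded tarball matches the listed digest. The manifest line format, the version strings and the tarball bytes are constructed assumptions (the real fp10.sha512.amd64.pgp.asc layout is not shown on this page), and the PGP verification of the manifest text is taken as already done before it reaches the parser. The third case in demo() is the state every "still unsolved" report in this thread describes: upstream is ahead of the signed manifest, so the installer refuses rather than trusting TLS alone.

```python
"""
Model of the update-flashplugin-nonfree install decision (added example).

A maintainer-signed manifest, not the TLS connection to the download host,
decides whether a tarball may be installed. TLS tells you which server you
talked to; the signed digest tells you whether the bytes are the ones the
maintainer approved. Manifest format and sample data are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    INSTALL = "install"               # version listed and digest matches
    MANIFEST_STALE = "stale"          # upstream moved on; maintainer has not signed it yet
    CHECKSUM_MISMATCH = "mismatch"    # bytes differ from what was signed: never install


@dataclass(frozen=True)
class Entry:
    version: str
    sha512_hex: str


def parse_manifest(text: str) -> dict[str, Entry]:
    """Parse lines of the assumed form '<sha512 hex>  <version>'.

    The caller must already have verified the PGP signature over `text`
    (gpg against the pinned maintainer key); the parser trusts nothing else
    about it and fails closed on any malformed line.
    """
    entries: dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 128:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, version = parts
        bytes.fromhex(digest)  # rejects non-hex characters
        entries[version] = Entry(version, digest.lower())
    return entries


def decide(manifest: dict[str, Entry], upstream_version: str, tarball: bytes) -> Verdict:
    """Apply the manifest to the version upstream advertises and the bytes downloaded."""
    entry = manifest.get(upstream_version)
    if entry is None:
        # Exactly the situation reported throughout this bug: --status shows a
        # newer upstream version, but nothing signed covers it, so --install
        # must do nothing rather than install unverified bytes.
        return Verdict.MANIFEST_STALE
    actual = hashlib.sha512(tarball).hexdigest()
    # Constant-time compare is not strictly needed for a public digest,
    # but it is cheap and a good habit for any verification path.
    if not hmac.compare_digest(actual, entry.sha512_hex):
        return Verdict.CHECKSUM_MISMATCH
    return Verdict.INSTALL


# --- constructed sample data; not real Adobe tarballs or real digests ---
GOOD_TARBALL = b"constructed stand-in for install_flash_player_11_linux.x86_64.tar.gz 569"
TAMPERED_TARBALL = GOOD_TARBALL + b"\x00"

SIGNED_MANIFEST = (
    "# versions approved by the maintainer (assumed format; signature already checked)\n"
    f"{hashlib.sha512(GOOD_TARBALL).hexdigest()}  11.2.202.569\n"
)


def demo() -> dict[str, Verdict]:
    manifest = parse_manifest(SIGNED_MANIFEST)
    return {
        "signed_and_intact": decide(manifest, "11.2.202.569", GOOD_TARBALL),
        "signed_but_tampered": decide(manifest, "11.2.202.569", TAMPERED_TARBALL),
        "upstream_ahead_of_manifest": decide(manifest, "11.2.202.577", GOOD_TARBALL),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

Fetching over HTTPS, as proposed earlier in the thread, would only change where the bytes come from; it does not supply the `SIGNED_MANIFEST` step, which is the part that went stale here. The two failure verdicts are deliberately distinct: a stale manifest is a liveness problem for the maintainer to fix, while a digest mismatch is a reason never to install.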





Reply sent to Bart Martens <bartm@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2016 04:29:10 GMT)

Notification sent to Julien Wajsberg <felash@gmail.com>:
Bug acknowledged by developer. (Fri, 10 Jun 2016 04:29:10 GMT)

Message #87 received at 814316-done@bugs.debian.org:

From: Bart Martens <bartm@debian.org>
To: 814316-done@bugs.debian.org
Subject: flashplugin-nonfree: newer Adobe Flash Player available
Date: Fri, 10 Jun 2016 04:28:31 +0000
The checksums are updated now. Apologies for the delay.



Message #88 received at 814316-done@bugs.debian.org:

From: Bart Martens <bartm@debian.org>
To: 814316-done@bugs.debian.org
Subject: flashplugin-nonfree: newer Adobe Flash Player available
Date: Fri, 10 Jun 2016 04:29:37 +0000
The checksums are now updated. Apologies for the delay.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jul 2016 07:35:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 5 01:16:16 2023; Machine Name: bembo
