[opensuse-security] Older version of Adobe Flash Player was still installed after April upgrade :(
Hi all,

As you probably know, SANS last week reported a vulnerability in Adobe Flash Player versions 9.0.124.0 and older. Reference: <http://isc.sans.org/diary.html?storyid=4465>

Two days later in a follow-up report, they amended their analysis to versions ___ earlier than ___ "9.0.124.0." <http://isc.sans.org/diary.html?storyid=4474>

("9.0.124.0" was released in April by Adobe.)

In the follow-up story, they included a link to Adobe's site to test what version of Flash Player (if any) you have installed. <http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507>

(I use "no-script" -- and as a policy I try not to go to any flash sites -- but sometimes I need to :(

I tested my machine using the Adobe test page, and first got "9.0.124.0" -- which is what I expected.

I then re-ran the test from a copy of their page which I had downloaded and got Version: "9.0.115.0" !!!!! Which is not so good and not what I expected.

It turns out last Fall when I installed openSUSE-10.3 I installed from the openSUSE DVD, the rpm labeled "flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0."

When the new patch came out for Adobe Flash in April, I installed the rpm labeled: "flash-player-9.0.124.0-0.1 -- Macromedia Flash Plug-In," but that install did not remove the old rpm -- it was still there.

So after reading the SANS story, I removed the old rpm tonight using kpackage (after testing if it was needed) and as far as I can tell my "flash player is still working" and the Adobe test page tells me I have Flash Player 9.0.124.0 installed -- so life is good.

Since most of you probably don't use Flash, this is probably not worth knowing, but in case you do use Flash, using YaST2 or kpackage you might want to check if you still have "flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0" installed if you are running openSUSE-10.3.

(Sorry I wrote such a long email -- but I wanted it to be clear what the issue was in my mind.)

Hope this helps, HAND.
-- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Sun, Jun 01, 2008 at 05:29:41AM -0400, Gar Ulbricht wrote:
Hi all,
As you probably know, SANS last week reported a vulnerability in Adobe Flash Player versions 9.0.124.0 and older. Reference: <http://isc.sans.org/diary.html?storyid=4465>
Two days later in a follow-up report, they amended their analysis to versions ___ earlier than ___ "9.0.124.0." <http://isc.sans.org/diary.html?storyid=4474>
("9.0.124.0" was released in April by Adobe.)
In the follow-up story, they included a link to Adobe's site to test what version of Flash Player (if any) you have installed. <http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507>
(I use "no-script" -- and as a policy I try not to go to any flash sites -- but sometimes I need to :(
I tested my machine using the Adobe test page, and first got "9.0.124.0" -- which is what I expected.
I then re-ran the test from a copy of their page which I had downloaded and got Version: "9.0.115.0" !!!!! Which is not so good and not what I expected.
It turns out last Fall when I installed openSUSE-10.3 I installed from the openSUSE DVD, the rpm labeled "flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0."
When the new patch came out for Adobe Flash in April, I installed the rpm labeled: "flash-player-9.0.124.0-0.1 -- Macromedia Flash Plug-In," but that install did not remove the old rpm -- it was still there.
How did it not remove the old RPM for you? How did you notice it was still installed?

Ciao, Marcus
Marcus Meissner wrote on 6/1 at 05:40 AM (EST):
On Sun, Jun 01, 2008 at 05:29:41AM -0400, Gar Ulbricht wrote:
Hi all,
[.....]
When the new patch came out for Adobe Flash in April, I installed the rpm labeled: "flash-player-9.0.124.0-0.1 -- Macromedia Flash Plug-In," but that install did not remove the old rpm -- it was still there.
How did it not remove the old RPM for you? How did you notice it was still installed?
Ciao, Marcus
I had used YAST and searched under Flash Plug-In as well as several other things (Adobe), etc. That is how I found I had both flash-player-9.0.124.0-0.1--Macromedia Flash Plug-In, as well as flash-plugin-9.0.115.0-release-Adobe Flash Player 9.0 installed -- and when Adobe's test page returned "9.0.115.0" I used kpackage to verify that it was still installed but not needed to satisfy any dependency issues ...

Best Regards, Gar
On Sun, Jun 01, 2008 at 09:55:46AM -0400, Gar Ulbricht wrote:
Marcus Meissner wrote on 6/1 at 05:40 AM (EST):
On Sun, Jun 01, 2008 at 05:29:41AM -0400, Gar Ulbricht wrote:
Hi all,
[.....]
When the new patch came out for Adobe Flash in April, I installed the rpm labeled: "flash-player-9.0.124.0-0.1 -- Macromedia Flash Plug-In," but that install did not remove the old rpm -- it was still there.
How did it not remove the old RPM for you? How did you notice it was still installed?
Ciao, Marcus
I had used YAST and searched under Flash Plug-In as well as several other things (Adobe), etc. That is how I found I had both flash-player-9.0.124.0-0.1--Macromedia Flash Plug-In,
This is from SUSE.
as well as flash-plugin-9.0.115.0-release-Adobe Flash Player 9.0
This is from Adobe.
installed -- and when Adobe's test page returned "9.0.115.0" I used kpackage to verify that it was still installed but not needed to satisfy any dependency issues ...
Likely the Adobe version overrode ours. We ship flash-player and its updates, no need for vendor downloads here.

Ciao, Marcus
The Sunday 2008-06-01 at 05:29 -0400, Gar Ulbricht wrote:
...
Since most of you probably don't use Flash, this is probably not worth knowing, but in case you do use Flash, using YaST2 or kpackage you might want to check if you still have "flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0" installed if you are running openSUSE-10.3.
(Sorry I wrote such a long email -- but I wanted it to be clear what the issue was in my mind.)
No such problem here:

cer@nimrodel:~> rpm -q flash-player acroread
flash-player-9.0.124.0-0.1
acroread-8.1.2-1.4

I have no idea why it happened to you, but that is not normal.

-- 
Cheers, Carlos E. R.
On 06/01/2008 06:07 PM, Carlos E. R. wrote:
The Sunday 2008-06-01 at 05:29 -0400, Gar Ulbricht wrote:
...
Since most of you probably don't use Flash, this is probably not worth knowing, but in case you do use Flash, using YaST2 or kpackage you might want to check if you still have "flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0" installed if you are running openSUSE-10.3.
No such problem here:
cer@nimrodel:~> rpm -q flash-player acroread
flash-player-9.0.124.0-0.1
acroread-8.1.2-1.4
I have no idea why it happened to you, but that is not normal.
I suspect it is because openSUSE installs flash player, not flash-plugin. i.e.

joe@jmorris:~> rpm -qa | grep flash
flash-player-9.0.124.0-0.1
joe@jmorris:~> rpm -qa | grep acroread
acroread-8.1.2-1.4

I just checked, and the rpm from Adobe is flash-plugin-9.0.124.0-release.i386.rpm. So maybe by downloading and certainly by installing the version from Adobe, which has a different name, the update would only have updated flash-player.

-- 
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
The Sunday 2008-06-01 at 18:31 +0800, Joe Morris wrote:
I suspect it is because openSUSE installs flash player, not flash-plugin. i.e.

joe@jmorris:~> rpm -qa | grep flash
flash-player-9.0.124.0-0.1
joe@jmorris:~> rpm -qa | grep acroread
acroread-8.1.2-1.4

I just checked, and the rpm from Adobe is flash-plugin-9.0.124.0-release.i386.rpm. So maybe by downloading and certainly by installing the version from Adobe, which has a different name, the update would only have updated flash-player.
Yep, makes sense.

-- 
Cheers, Carlos E. R.
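
The situation this thread arrives at (a vendor package named flash-plugin left behind while the distribution's flash-player was updated) can be checked for mechanically. The script below is an added example, not part of any poster's message: it reads "NAME VERSION" pairs such as `rpm -qa --qf '%{NAME} %{VERSION}\n'` prints, flags any package with "flash" in its name that is older than 9.0.124.0, and reports when more than one such package is installed. The function names, the `*flash*` name match and the sample inventory are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit Flash Player packages.
# Input: one "NAME VERSION" pair per line, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}\n'

FIXED_VERSION="9.0.124.0"   # unaffected version per the SANS follow-up cited above

# version_lt A B: succeeds when dotted version A is strictly older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# audit_flash: reads the inventory on stdin and prints one finding per line.
audit_flash() {
    count=0
    while read -r name version; do
        case "$name" in
            *flash*) ;;          # flash-player (SUSE) or flash-plugin (Adobe)
            *) continue ;;
        esac
        count=$((count + 1))
        if version_lt "$version" "$FIXED_VERSION"; then
            echo "OUTDATED $name $version"
        else
            echo "OK $name $version"
        fi
    done
    # Two differently named packages can ship the same plugin; an update of
    # one leaves the other untouched, so report the overlap explicitly.
    if [ "$count" -gt 1 ]; then
        echo "MULTIPLE $count flash packages installed"
    fi
    return 0
}

# Constructed sample mirroring the package state described in the thread.
sample_inventory() {
    printf '%s\n' 'acroread 8.1.2' 'flash-player 9.0.124.0' 'flash-plugin 9.0.115.0'
}

sample_inventory | audit_flash
```

On a live system, replace `sample_inventory` with the `rpm -qa --qf` command shown in the header comment.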