Re: Flash plugin 0-day vulnerability in the wild
On 26 January 2015 at 15:17, Martin Stransky stran...@redhat.com wrote:
> On 01/26/2015 02:03 PM, drago01 wrote:
>> On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
>>> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>>>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>>>> ma.
>>>> [1] http://www.adobe.com/software/flash/about/
>>>> [2] https://get.adobe.com/flashplayer/
>>> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.
>> Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...
> There's no official confirmation of the fix of the CVE-2015-0311 in 440 yet, you can only assume that.

They've finally updated [1], it's official now that flash 11.2.202.440 includes the fix for CVE-2015-0311.

[1] http://helpx.adobe.com/security/products/flash-player/apsb15-03.html

-- 
Ahmad Samir

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
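The thread's recurring question is "does the installed package carry the fix?", and the answer came down to a version comparison against 11.2.202.440, the build APSB15-03 confirms as fixing CVE-2015-0311. As an added example (not code from the thread or from Fedora/Adobe), this POSIX shell snippet compares an installed `flash-plugin` NVR against that version field by field, which matters because a plain string comparison misorders fields once they pass one digit. The sample NVRs are constructed from the two builds quoted in the thread; on a real host the input would be the output of `rpm -q flash-plugin`.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks an installed flash-plugin
# NVR (as printed by `rpm -q flash-plugin`) against the first fixed build.
# FIXED_VERSION comes from the thread: APSB15-03 confirms 11.2.202.440
# includes the fix for CVE-2015-0311.
FIXED_VERSION="11.2.202.440"

# version_ge A B: succeed (return 0) when dotted version A >= B.
# Compares field by field as integers, so 11.2.202.440 > 11.2.202.438
# and 11.3.1.1 > 11.2.202.440 (a string comparison gets these wrong
# once a field passes one digit). Missing fields count as 0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # drop the field just consumed; empty the string on the last one
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# version_from_nvr NVR: "flash-plugin-11.2.202.440-release.x86_64" -> "11.2.202.440"
version_from_nvr() {
    rest=${1#flash-plugin-}
    printf '%s\n' "${rest%%-*}"
}

# flash_status NVR: print "patched" or "VULNERABLE" for one installed package.
flash_status() {
    v=$(version_from_nvr "$1")
    if version_ge "$v" "$FIXED_VERSION"; then
        printf 'patched\n'
    else
        printf 'VULNERABLE\n'
    fi
}

# Demo on constructed input: the two builds discussed in the thread.
for nvr in flash-plugin-11.2.202.438-release.x86_64 \
           flash-plugin-11.2.202.440-release.x86_64; do
    printf '%-45s %s\n' "$nvr" "$(flash_status "$nvr")"
done
```

Note that this only answers whether the package is at or above the fixed build; as the thread itself shows, the RPM `%changelog` carries no information about security fixes for this package, so the vendor bulletin is the only place the fixed version can be taken from.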
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 01:48 PM, drago01 wrote:
> On Mon, Jan 26, 2015 at 1:40 PM, Martin Stransky stran...@redhat.com wrote:
>> On 01/23/2015 10:51 AM, Martin Stransky wrote:
>>> Folk,
>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it. There's also a Fedora Firefox update with such change [3].
>>> ma.
>>> [1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
>>> [2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
>>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241
>> This vulnerability has got CVE-2015-0311 name [1]. Thx to drago01 to point that out. Unfortunately it's still unfixed by Adobe and latest flash for Linux/Firefox (11.2.202.438) is still vulnerable.
> The latest one is 11.2.202.440 ... which is supposed to have the fix.

Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?

ma.

[1] http://www.adobe.com/software/flash/about/
[2] https://get.adobe.com/flashplayer/
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 02:12 PM, Ahmad Samir wrote:
> On 26 January 2015 at 15:03, drago01 drag...@gmail.com wrote:
>> On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
>>> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>>>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>>>> ma.
>>>> [1] http://www.adobe.com/software/flash/about/
>>>> [2] https://get.adobe.com/flashplayer/
>>> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.
>> Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...
> From https://helpx.adobe.com/security/products/flash-player/apsa15-01.html:
> "UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311"
> I was thinking of something along those lines for the Linux version too.

Firefox does not use the 16.X line - that's the Pepper API plugin which runs with Chrome only.

ma.
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 02:03 PM, drago01 wrote:
> On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
>> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>>> ma.
>>> [1] http://www.adobe.com/software/flash/about/
>>> [2] https://get.adobe.com/flashplayer/
>> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.
> Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...

There's no official confirmation of the fix of the CVE-2015-0311 in 440 yet, you can only assume that.

ma.
Re: Flash plugin 0-day vulnerability in the wild
On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>> ma.
>> [1] http://www.adobe.com/software/flash/about/
>> [2] https://get.adobe.com/flashplayer/
> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.

Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...
Re: Flash plugin 0-day vulnerability in the wild
On 26 January 2015 at 15:16, Martin Stransky stran...@redhat.com wrote:
> On 01/26/2015 02:12 PM, Ahmad Samir wrote:
>> On 26 January 2015 at 15:03, drago01 drag...@gmail.com wrote:
>>> On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
>>>> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>>>>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>>>>> ma.
>>>>> [1] http://www.adobe.com/software/flash/about/
>>>>> [2] https://get.adobe.com/flashplayer/
>>>> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.
>>> Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...
>> From https://helpx.adobe.com/security/products/flash-player/apsa15-01.html:
>> "UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311"
>> I was thinking of something along those lines for the Linux version too.
> Firefox does not use the 16.X line - that's the Pepper API plugin which runs with Chrome only.

I know that; what I meant was that I am waiting to see a similar message about the 11.x version that's used in Linux/Firefox.

-- 
Ahmad Samir
Re: Flash plugin 0-day vulnerability in the wild
On 01/23/2015 10:51 AM, Martin Stransky wrote:
> Folk,
> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it. There's also a Fedora Firefox update with such change [3].
> ma.
> [1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
> [2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241

This vulnerability has got CVE-2015-0311 name [1]. Thx to drago01 to point that out. Unfortunately it's still unfixed by Adobe and latest flash for Linux/Firefox (11.2.202.438) is still vulnerable.

ma.

[1] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
[2] http://www.adobe.com/software/flash/about/
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 02:25 PM, poma wrote:
> On 01/26/2015 01:01 PM, drago01 wrote:
>>> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
>> https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
> Where do you see 11.2.202.440 there!?

Go to adobe's Flash player download site then download the yum version. This download will bring you an rpm which contains a yum-configuration pointing to a yum repository at Adobe, which carries the latest adobe stuff.

> And otherwise as you don't know what changelog is, man.

Ignore adobe rpm's %changelogs - they apparently don't update their rpm's changelogs :-)

Ralf
Re: Flash plugin 0-day vulnerability in the wild
On 26.01.2015 at 13:55, Martin Stransky wrote:
> On 01/26/2015 01:48 PM, drago01 wrote:
>> The latest one is 11.2.202.440 ... which is supposed to have the fix.
> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?

by just typing "yum upgrade":

Jan 25 00:30:22 Updated: flash-plugin-11.2.202.440-release.x86_64
Re: Flash plugin 0-day vulnerability in the wild
On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
> ma.
> [1] http://www.adobe.com/software/flash/about/
> [2] https://get.adobe.com/flashplayer/

flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-01.html

-- 
Ahmad Samir
Re: Flash plugin 0-day vulnerability in the wild
On Mon, Jan 26, 2015 at 1:40 PM, Martin Stransky stran...@redhat.com wrote:
> On 01/23/2015 10:51 AM, Martin Stransky wrote:
>> Folk,
>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it. There's also a Fedora Firefox update with such change [3].
>> ma.
>> [1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
>> [2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241
> This vulnerability has got CVE-2015-0311 name [1]. Thx to drago01 to point that out. Unfortunately it's still unfixed by Adobe and latest flash for Linux/Firefox (11.2.202.438) is still vulnerable.

The latest one is 11.2.202.440 ... which is supposed to have the fix.
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 01:01 PM, drago01 wrote:
> On Mon, Jan 26, 2015 at 12:58 PM, poma pomidorabelis...@gmail.com wrote:
>> On 26.01.2015 12:42, Ralf Corsepius wrote:
>>> On 01/26/2015 12:29 PM, poma wrote:
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
>>>> Are we covered with
>>>> $ rpm -q --changelog flash-plugin-11.2.202.440-release.x86_64
>>> According to what I read in (German) media, this version is supposed to fix this vulnerability.
>>> Ralf
>> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
> https://helpx.adobe.com/security/products/flash-player/apsa15-01.html

Where do you see 11.2.202.440 there!?

And otherwise as you don't know what changelog is, man.
Re: Flash plugin 0-day vulnerability in the wild
On 26.01.2015 17:05, Ralf Corsepius wrote:
> On 01/26/2015 04:34 PM, poma wrote:
>> On 26.01.2015 15:13, Ralf Corsepius wrote:
>>> On 01/26/2015 02:25 PM, poma wrote:
>>>> On 01/26/2015 01:01 PM, drago01 wrote:
>>>>>> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
>>>>> https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>>> Where do you see 11.2.202.440 there!?
>>> Go to adobe's Flash player download site then download the yum version. This download will bring you an rpm which contains a yum-configuration pointing to a yum repository at Adobe, which carries the latest adobe stuff.
>> What is going on with you!? :)
>>
>> $ yum -q repoinfo adobe-linux-x86_64
>> Repo-id      : adobe-linux-x86_64
>> Repo-name    : Adobe Systems Incorporated
>> Repo-status  : enabled
>> Repo-updated : Sat Jan 24 02:33:22 2015
>> Repo-pkgs    : 2
>> Repo-size    : 6.9 M
>> Repo-baseurl : http://linuxdownload.adobe.com/linux/x86_64/
>> Repo-expire  : 21,600 second(s) (last: Mon Jan 26 11:49:36 2015)
>> Repo-filename: /etc/yum.repos.d/adobe-linux-x86_64.repo
> Then use this repository!
>
> # yum install flash-plugin
> ...
> # rpm -q flash-plugin
> flash-plugin-11.2.202.440-release.x86_64
>
> And voilà there it is, the version which everybody around here seems to be missing.
>
> Ralf

Man, do you read what is written, it is already installed.
What I asked you - "According to what I read in (German) media...", care to paste a link, or you'll repeat again n gain what has already been said.
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 04:34 PM, poma wrote:
> On 26.01.2015 15:13, Ralf Corsepius wrote:
>> On 01/26/2015 02:25 PM, poma wrote:
>>> On 01/26/2015 01:01 PM, drago01 wrote:
>>>>> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
>>>> https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>> Where do you see 11.2.202.440 there!?
>> Go to adobe's Flash player download site then download the yum version. This download will bring you an rpm which contains a yum-configuration pointing to a yum repository at Adobe, which carries the latest adobe stuff.
> What is going on with you!? :)
>
> $ yum -q repoinfo adobe-linux-x86_64
> Repo-id      : adobe-linux-x86_64
> Repo-name    : Adobe Systems Incorporated
> Repo-status  : enabled
> Repo-updated : Sat Jan 24 02:33:22 2015
> Repo-pkgs    : 2
> Repo-size    : 6.9 M
> Repo-baseurl : http://linuxdownload.adobe.com/linux/x86_64/
> Repo-expire  : 21,600 second(s) (last: Mon Jan 26 11:49:36 2015)
> Repo-filename: /etc/yum.repos.d/adobe-linux-x86_64.repo

Then use this repository!

# yum install flash-plugin
...
# rpm -q flash-plugin
flash-plugin-11.2.202.440-release.x86_64

And voilà there it is, the version which everybody around here seems to be missing.

Ralf
Re: Flash plugin 0-day vulnerability in the wild
On 26.01.2015 15:13, Ralf Corsepius wrote:
> On 01/26/2015 02:25 PM, poma wrote:
>> On 01/26/2015 01:01 PM, drago01 wrote:
>>>> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
>>> https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>> Where do you see 11.2.202.440 there!?
> Go to adobe's Flash player download site then download the yum version. This download will bring you an rpm which contains a yum-configuration pointing to a yum repository at Adobe, which carries the latest adobe stuff.

What is going on with you!? :)

$ yum -q repoinfo adobe-linux-x86_64
Repo-id      : adobe-linux-x86_64
Repo-name    : Adobe Systems Incorporated
Repo-status  : enabled
Repo-updated : Sat Jan 24 02:33:22 2015
Repo-pkgs    : 2
Repo-size    : 6.9 M
Repo-baseurl : http://linuxdownload.adobe.com/linux/x86_64/
Repo-expire  : 21,600 second(s) (last: Mon Jan 26 11:49:36 2015)
Repo-filename: /etc/yum.repos.d/adobe-linux-x86_64.repo

>> And otherwise as you don't know what changelog is, man.
> Ignore adobe rpm's %changelogs - they apparently don't update their rpm's changelogs :-)
> Ralf

Yeah, we knew that already.
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 05:20 PM, poma wrote:
> What I asked you - "According to what I read in (German) media...", care to paste a link, or you'll repeat again n gain what has already been said.

http://www.heise.de/newsticker/meldung/Kritische-Luecke-im-Flash-Player-Adobe-beginnt-Update-Auslieferung-2527977.html
Re: Flash plugin 0-day vulnerability in the wild
Installed Packages
Name        : flash-plugin
Arch        : x86_64
Version     : 11.2.202.440
Release     : release
Size        : 19 M
Repo        : installed
From repo   : adobe-linux-x86_64
Summary     : Adobe Flash Player 11.2
URL         : http://www.adobe.com/downloads/
License     : Commercial
Description : Adobe Flash Plugin 11.2.202.440
            : Fully Supported: Mozilla SeaMonkey 1.0+, Firefox 1.5+, Mozilla 1.7.13+
Re: Flash plugin 0-day vulnerability in the wild
On 26 January 2015 at 15:03, drago01 drag...@gmail.com wrote:
> On Mon, Jan 26, 2015 at 2:01 PM, Ahmad Samir ahmadsamir3...@gmail.com wrote:
>> On 26 January 2015 at 14:55, Martin Stransky stran...@redhat.com wrote:
>>> Where have you got that? Official Adobe site [1] says the latest is 11.2.202.438 and flash download page [2] gives me the same. I see the Ubuntu update with .440 package but what's that?
>>> ma.
>>> [1] http://www.adobe.com/software/flash/about/
>>> [2] https://get.adobe.com/flashplayer/
>> flash-plugin-11.2.202.440 is available in the yum repo hosted by Adobe. But on [1] it doesn't say anything about the issue being fixed for Linux.
> Sure it does: "Adobe Flash Player 11.2.202.438 and earlier versions for Linux" ... 440 > 438 ...

From https://helpx.adobe.com/security/products/flash-player/apsa15-01.html:

"UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311"

I was thinking of something along those lines for the Linux version too.
Re: Flash plugin 0-day vulnerability in the wild
On 23.01.2015 10:51, Martin Stransky wrote:
> Folk,
> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it. There's also a Fedora Firefox update with such change [3].
> ma.
> [1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
> [2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241

Are we covered with

$ rpm -q --changelog flash-plugin-11.2.202.440-release.x86_64
* Wed Dec 13 2006 Warren Togami wtog...@redhat.com 9.0.21.55-4
- more spec and script cleanups
- update LICENSE

?
Re: Flash plugin 0-day vulnerability in the wild
On 01/26/2015 12:29 PM, poma wrote:
> On 23.01.2015 10:51, Martin Stransky wrote:
>> Folk,
>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
> Are we covered with
> $ rpm -q --changelog flash-plugin-11.2.202.440-release.x86_64

According to what I read in (German) media, this version is supposed to fix this vulnerability.

Ralf
Re: Flash plugin 0-day vulnerability in the wild
On 26.01.2015 12:42, Ralf Corsepius wrote:
> On 01/26/2015 12:29 PM, poma wrote:
>> On 23.01.2015 10:51, Martin Stransky wrote:
>>> Folk,
>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
>> Are we covered with
>> $ rpm -q --changelog flash-plugin-11.2.202.440-release.x86_64
> According to what I read in (German) media, this version is supposed to fix this vulnerability.
> Ralf

Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?
Re: Flash plugin 0-day vulnerability in the wild
On Mon, Jan 26, 2015 at 12:58 PM, poma pomidorabelis...@gmail.com wrote:
> On 26.01.2015 12:42, Ralf Corsepius wrote:
>> On 01/26/2015 12:29 PM, poma wrote:
>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>> Folk,
>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
>>> Are we covered with
>>> $ rpm -q --changelog flash-plugin-11.2.202.440-release.x86_64
>> According to what I read in (German) media, this version is supposed to fix this vulnerability.
>> Ralf
> Care to paste a link? I can not find the changelog for flash-plugin, if such a thing even exists!?

https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
Re: Flash plugin 0-day vulnerability in the wild
On 26.01.2015 17:38, Ralf Corsepius wrote:
> On 01/26/2015 05:20 PM, poma wrote:
>> What I asked you - "According to what I read in (German) media...", care to paste a link, or you'll repeat again n gain what has already been said.
> http://www.heise.de/newsticker/meldung/Kritische-Luecke-im-Flash-Player-Adobe-beginnt-Update-Auslieferung-2527977.html

Vorsprung durch Technik!
Re: Flash plugin 0-day vulnerability in the wild
On Friday, January 23, 2015 08:44:03 AM Andrew Lutomirski wrote:
> $ sandbox -X xterm
> [nothing happens]

It made me install selinux-policy-sandbox and seunshare. I am able to run Firefox under sandbox without any problem. I am running Fedora 21 KDE.

-- 
Regards,
Sudhir Khanger,
sudhirkhanger.com,
github.com/donniezazen,
5577 8CDB A059 085D 1D60 807F 8C00 45D9 F5EF C394.
Re: Flash plugin 0-day vulnerability in the wild
On Fri, Jan 23, 2015 at 04:59:31PM +0100, drago01 wrote:
> On Fri, Jan 23, 2015 at 4:29 PM, Daniel J Walsh dwa...@redhat.com wrote:
>> libflashplayer.so runs within the Mozilla-plugin I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean.
> # getsebool unconfined_mozilla_plugin_transition
> unconfined_mozilla_plugin_transition --> on
>
> I can't recall ever turning that on ... what is it set to by default?

It is on by default according to the mozilla_plugin_selinux(8) man page:

    If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. Enabled by default.

    setsebool -P unconfined_mozilla_plugin_transition 1

Jeff
Re: Flash plugin 0-day vulnerability in the wild
On Fri, Jan 23, 2015 at 8:18 AM, Matthias Runge mru...@matthias-runge.de wrote:
> On 23/01/15 16:59, Andrew Lutomirski wrote:
>>> sandbox -X will also add more protection.
>> Unless I'm mistaken, sandbox -X hasn't worked in almost a year.
> I gave it a try;
>
> sandbox -X
> /usr/bin/sandbox: /usr/sbin/seunshare is required for the action you want to perform.
>
> Sadly, a naive (and not so naive) dnf reporequery, repoquery and yum search did not show the right dep. Wild guessing solved it for me:
>
> dnf install policycoreutils-sandbox
>
> And it works (for me) now.

I'm confused. I thought that https://bugzilla.redhat.com/show_bug.cgi?id=1103622 affected everyone.

For me:

$ sandbox echo true
true
$ sandbox -X xterm
[nothing happens]

My logs end up full of:

[149118.893566] audit: type=1400 audit(1422030456.097:40): avc: denied { connectto } for pid=18971 comm=Xephyr path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
[149123.720019] audit: type=1400 audit(1422030460.929:41): avc: denied { connectto } for pid=18995 comm=Xephyr path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c77,c197 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This is true even on 3.18 kernels, which have "selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.", which was intended to give the selinux policy an extra way out of the mess that caused this problem in the first place.

--Andy
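The AVC lines Andy pasted are the kind of record a defender reads when deciding whether a sandboxed process is being blocked by policy or is misbehaving. As an added example (not code from the thread or from the SELinux project), this POSIX shell snippet splits such a denial into its fields and decodes the `path=` value: the audit subsystem hex-encodes a path that contains non-printable bytes, and the leading `00` here is the NUL that names an abstract UNIX socket (rendered as `@`, the convention `ss` uses), so `002F746D70...` is the X server socket `@/tmp/.X11-unix/X0` that Xephyr was denied `connectto` on. The sample line is the first denial from the message above, reconstructed with single spaces.

```shell
#!/bin/sh
# Added example, not part of the thread: decode an SELinux AVC denial such
# as the Xephyr/sandbox_x_t lines quoted above into a one-line summary.

# Constructed from the first denial in the message above (single spaces).
SAMPLE_AVC='audit: type=1400 audit(1422030456.097:40): avc: denied { connectto } for pid=18971 comm=Xephyr path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY: print the value of the first KEY=value token in LINE
# (empty line if the key is absent).
avc_field() {
    for tok in $1; do
        case $tok in
            "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# avc_permissions LINE: the permission names between "{" and "}", e.g.
# "connectto", or "read write" for a multi-permission denial.
avc_permissions() {
    inside=0
    out=""
    for tok in $1; do
        if [ "$tok" = "}" ]; then break; fi
        if [ "$inside" = 1 ]; then out="$out${out:+ }$tok"; fi
        if [ "$tok" = "{" ]; then inside=1; fi
    done
    printf '%s\n' "$out"
}

# context_type CTX: the type (third colon-separated field) of a context,
# e.g. unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 -> sandbox_x_t
context_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# decode_hex_path HEX: audit hex-encodes a path that contains unprintable
# bytes. A leading 00 byte is the NUL that names an abstract UNIX socket;
# it is rendered as "@", every other byte as its character.
decode_hex_path() {
    hex=$1
    out=""
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}     # first two hex digits
        hex=${hex#??}
        if [ "$byte" = "00" ]; then
            out="${out}@"
        else
            out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
        fi
    done
    printf '%s\n' "$out"
}

# summarize_avc LINE: one readable line, e.g.
# denied connectto: sandbox_x_t -> xserver_t (unix_stream_socket @/tmp/.X11-unix/X0) comm=Xephyr permissive=0
summarize_avc() {
    line=$1
    printf 'denied %s: %s -> %s (%s %s) comm=%s permissive=%s\n' \
        "$(avc_permissions "$line")" \
        "$(context_type "$(avc_field "$line" scontext)")" \
        "$(context_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(decode_hex_path "$(avc_field "$line" path)")" \
        "$(avc_field "$line" comm)" \
        "$(avc_field "$line" permissive)"
}

summarize_avc "$SAMPLE_AVC"
```

The decoded summary makes the failure mode in Andy's message concrete: the nested Xephyr server running as `sandbox_x_t` is refused a connection to the host X server's abstract socket, and `permissive=0` confirms the denial was enforced rather than merely logged.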
Re: Flash plugin 0-day vulnerability in the wild
On 23.01.2015 15:12, Kevin Fenzi wrote:
> On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
>> On 23.01.2015 10:51, Martin Stransky wrote:
>>> Folk,
>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
>> Are we covered with
>> $ rpm -q flash-plugin
>> flash-plugin-11.2.202.438-release.x86_64
>> ?
>> Ref. http://helpx.adobe.com/security.html
> No.
> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
> kevin

Thanks for reference.

Until this is resolved, is this a valid way:

$ sandbox -X -T tmp -t sandbox_web_t firefox

to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser.
Daniel, can you comment.
Flash plugin 0-day vulnerability in the wild
Folk,

There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it. There's also a Fedora Firefox update with such change [3].

ma.

[1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
[2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241
Re: Flash plugin 0-day vulnerability in the wild
On 23.01.2015 10:51, Martin Stransky wrote:
> Folk,
> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.

Are we covered with

$ rpm -q flash-plugin
flash-plugin-11.2.202.438-release.x86_64

?

Ref. http://helpx.adobe.com/security.html

> There's also a Fedora Firefox update with such change [3].
> ma.
> [1] https://isc.sans.edu/diary/Flash+0-Day+Exploit+Used+by+Angler+Exploit+Kit/19213
> [2] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1185241
Re: Flash plugin 0-day vulnerability in the wild
On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
> On 23.01.2015 10:51, Martin Stransky wrote:
>> Folk,
>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
> Are we covered with
> $ rpm -q flash-plugin
> flash-plugin-11.2.202.438-release.x86_64
> ?
> Ref. http://helpx.adobe.com/security.html

No.

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

kevin
Re: Flash plugin 0-day vulnerability in the wild
On 01/23/2015 09:29 AM, Daniel J Walsh wrote:
> On 01/23/2015 10:25 AM, poma wrote:
>> Until this is resolved, is this a valid way:
>> $ sandbox -X -T tmp -t sandbox_web_t firefox
>> to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser.
>> Daniel, can you comment.
> libflashplayer.so runs within the Mozilla-plugin I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean. If this is the case we are somewhat protected, and of course you run with setenforce 1.
> sandbox -X will also add more protection.

Is that boolean just very badly named/described, because it certainly sounds like it works the opposite of what you said above:

"Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container."

The only possible way I can read that is to say that with the boolean _set_ execution will transition to the confined plugin domain, and with the boolean _unset_ it will remain unconfined.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
Re: Flash plugin 0-day vulnerability in the wild
On Fri, Jan 23, 2015 at 4:29 PM, Daniel J Walsh dwa...@redhat.com wrote:
> On 01/23/2015 10:25 AM, poma wrote:
>> On 23.01.2015 15:12, Kevin Fenzi wrote:
>>> On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you enable the click-to-play mode for it.
>>>> Are we covered with
>>>> $ rpm -q flash-plugin
>>>> flash-plugin-11.2.202.438-release.x86_64
>>>> ?
>>>> Ref. http://helpx.adobe.com/security.html
>>> No.
>>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>> kevin
>> Thanks for reference.
>> Until this is resolved, is this a valid way:
>> $ sandbox -X -T tmp -t sandbox_web_t firefox
>> to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser.
>> Daniel, can you comment.
> libflashplayer.so runs within the Mozilla-plugin I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean.

# getsebool unconfined_mozilla_plugin_transition
unconfined_mozilla_plugin_transition --> on

I can't recall ever turning that on ... what is it set to by default?
Re: Flash plugin 0-day vulnerability in the wild
On 01/23/2015 04:29 PM, Daniel J Walsh wrote:
> On 01/23/2015 10:25 AM, poma wrote:
>> On 23.01.2015 15:12, Kevin Fenzi wrote:
>>> On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you to enable the click-to-play mode for it.
>>>> Are we covered with
>>>> $ rpm -q flash-plugin
>>>> flash-plugin-11.2.202.438-release.x86_64
>>>> ?
>>>> Ref. http://helpx.adobe.com/security.html
>>> No.
>>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>> kevin
>> Thanks for the reference.
>> Until this is resolved, is this a valid way:
>> $ sandbox -X -T tmp -t sandbox_web_t firefox
>> to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser?
>> Daniel, can you comment?
> libflashplayer.so runs within the Mozilla plugin, I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean.

Therefore the unconfined_mozilla_plugin_transition boolean must be 'off'.

> If this is the case we are somewhat protected, and of course you run with setenforce 1. sandbox -X will also add more protection.

-- 
Antonio Trande
mailto: sagitter 'at' fedoraproject 'dot' org
http://fedoraos.wordpress.com/
https://fedoraproject.org/wiki/User:Sagitter
GPG Key: 0x66E15D00
Check on https://keys.fedoraproject.org/
Re: Flash plugin 0-day vulnerability in the wild
On 23/01/15 16:59, Andrew Lutomirski wrote:
>> sandbox -X will also add more protection.
> Unless I'm mistaken, sandbox -X hasn't worked in almost a year.

I gave it a try:

    sandbox -X
    /usr/bin/sandbox: /usr/sbin/seunshare is required for the action you want to perform.

Sadly, a naive (and not so naive) dnf repoquery, repoquery and yum search did not show the right dep. Wild guessing solved it for me:

    dnf install policycoreutils-sandbox

And it works (for me) now. I would expect at least a dependency to be added here.

Matthias
Re: Flash plugin 0-day vulnerability in the wild
Once upon a time, Matthias Runge mru...@matthias-runge.de said:
> /usr/bin/sandbox: /usr/sbin/seunshare is required for the action you want to perform.
> Sadly, a naive (and not so naive) dnf repoquery, repoquery and yum search did not show the right dep.

Don't know about dnf, but a simple

    yum install /usr/sbin/seunshare

will do what you need (don't overthink it).

-- 
Chris Adams li...@cmadams.net
Re: Flash plugin 0-day vulnerability in the wild
On 01/23/2015 10:25 AM, poma wrote:
> On 23.01.2015 15:12, Kevin Fenzi wrote:
>> On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>> Folk,
>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you to enable the click-to-play mode for it.
>>> Are we covered with
>>> $ rpm -q flash-plugin
>>> flash-plugin-11.2.202.438-release.x86_64
>>> ?
>>> Ref. http://helpx.adobe.com/security.html
>> No.
>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>> kevin
> Thanks for the reference.
> Until this is resolved, is this a valid way:
> $ sandbox -X -T tmp -t sandbox_web_t firefox
> to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser?
> Daniel, can you comment?

libflashplayer.so runs within the Mozilla plugin, I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean. If this is the case we are somewhat protected, and of course you run with setenforce 1. sandbox -X will also add more protection.
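As an added example (not code from this thread, from Fedora or from Adobe), the host-side checks the thread turns on, collected into one POSIX sh script: the installed flash-plugin build against 11.2.202.440, the SELinux enforcing state, the unconfined_mozilla_plugin_transition boolean, the /usr/sbin/seunshare helper that sandbox -X needs, and the Firefox click-to-play setting. Each check_* function takes the text its command prints, so the logic runs on any machine; only report() calls the real rpm, getenforce and getsebool. Two assumptions: the boolean is read the way its policy description (quoted earlier in the thread) says, with "on" meaning plugin-container transitions into the confined plugin domain; and the Firefox preference name plugin.state.flash with values 0/1/2 is assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from Fedora: one script for the
# mitigation checks the thread discusses. Each check_* function takes the text
# the real command prints, so the logic runs (and is testable) on any box;
# report() feeds it the live command output.

FIXED_FLASH="11.2.202.440"   # Linux build APSB15-03 lists as carrying the fix

# vercmp A B: compare dotted numeric versions, printing -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# check_flash "<rpm -q flash-plugin output>": 0 = fixed build, 1 = vulnerable,
# 2 = not installed (nothing to worry about).
check_flash() {
    case "$1" in
        flash-plugin-*) ;;
        *) return 2 ;;
    esac
    ver="${1#flash-plugin-}"; ver="${ver%%-*}"   # 11.2.202.438-release.x86_64 -> 11.2.202.438
    [ "$(vercmp "$ver" "$FIXED_FLASH")" -ge 0 ]
}

# check_enforcing "<getenforce output>": the plugin domain only confines
# anything when SELinux is enforcing ("setenforce 1" in the thread).
check_enforcing() { [ "$1" = "Enforcing" ]; }

# check_plugin_transition "<getsebool unconfined_mozilla_plugin_transition output>":
# per the policy description quoted in the thread, "on" means plugin-container
# transitions out of unconfined_t into the confined plugin domain.
# 2 = boolean not present (SELinux disabled, or a policy without it).
check_plugin_transition() {
    case "$1" in
        "unconfined_mozilla_plugin_transition -->"*) ;;
        *) return 2 ;;
    esac
    [ "${1##* }" = "on" ]
}

# check_seunshare [path]: "sandbox -X" needs this helper from
# policycoreutils-sandbox, the missing dependency discussed in the thread.
check_seunshare() { [ -x "${1:-/usr/sbin/seunshare}" ]; }

# check_click_to_play "<contents of a profile's prefs.js or user.js>": Firefox
# keeps the Flash activation state in plugin.state.flash (assumed name:
# 0 = never activate, 1 = ask to activate, 2 = always activate). The last
# assignment wins, and 0 or 1 counts as click-to-play.
check_click_to_play() {
    state=$(printf '%s\n' "$1" \
        | sed -n 's/^user_pref("plugin\.state\.flash", *\([0-9]\)).*/\1/p' | tail -n 1)
    case "$state" in 0|1) return 0 ;; *) return 1 ;; esac
}

# show LABEL FUNC ARGS...: print one result line and remember failures.
show() {
    label="$1"; shift
    rc=0; "$@" || rc=$?
    case "$rc" in 0) res="OK" ;; 2) res="n/a" ;; *) res="FAIL"; status=1 ;; esac
    printf '%-48s %s\n' "$label" "$res"
}

# report: run the real commands (where present) through the checks above.
report() {
    status=0
    flash_out=$(rpm -q flash-plugin 2>/dev/null) || flash_out="package flash-plugin is not installed"
    show "flash-plugin >= $FIXED_FLASH" check_flash "$flash_out"
    show "SELinux enforcing" check_enforcing "$(getenforce 2>/dev/null)"
    show "unconfined_mozilla_plugin_transition is on" check_plugin_transition \
        "$(getsebool unconfined_mozilla_plugin_transition 2>/dev/null)"
    show "seunshare present (sandbox -X)" check_seunshare /usr/sbin/seunshare
    for f in "$HOME"/.mozilla/firefox/*/prefs.js "$HOME"/.mozilla/firefox/*/user.js; do
        [ -r "$f" ] || continue
        show "click-to-play in $f" check_click_to_play "$(cat "$f")"
    done
    return "$status"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as `sh flash-checks.sh --report` on the desktop in question. A FAIL on the flash-plugin line with OK everywhere else is roughly the situation the thread describes (a vulnerable build, but plugin-container confined by the mozilla_plugin policy); a FAIL on the enforcing or boolean lines means the plugin is effectively running with the user's full privileges, and click-to-play or removing the plugin is the only real mitigation until the fixed build lands.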
Re: Flash plugin 0-day vulnerability in the wild
On 23.01.2015 at 12:44, poma wrote:
> On 23.01.2015 10:51, Martin Stransky wrote:
>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you to enable the click-to-play mode for it.
> Are we covered with
> $ rpm -q flash-plugin
> flash-plugin-11.2.202.438-release.x86_64

No, you are not. If you just read some IT news you find out that Adobe is considering fixing that somewhere in a week or so; as well, you find the recommendation to disable flash completely until that has happened.
Re: Flash plugin 0-day vulnerability in the wild
On Jan 23, 2015 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote:
> On 01/23/2015 10:25 AM, poma wrote:
>> On 23.01.2015 15:12, Kevin Fenzi wrote:
>>> On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote:
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>> There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash plugin I recommend you to enable the click-to-play mode for it.
>>>> Are we covered with
>>>> $ rpm -q flash-plugin
>>>> flash-plugin-11.2.202.438-release.x86_64
>>>> ?
>>>> Ref. http://helpx.adobe.com/security.html
>>> No.
>>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>> kevin
>> Thanks for the reference.
>> Until this is resolved, is this a valid way:
>> $ sandbox -X -T tmp -t sandbox_web_t firefox
>> to cover this security issue, or can we isolate only libflashplayer.so, not the entire browser?
>> Daniel, can you comment?
> libflashplayer.so runs within the Mozilla plugin, I believe. If so it would be confined if you have not turned on the unconfined_mozilla_plugin_transition boolean. If this is the case we are somewhat protected, and of course you run with setenforce 1. sandbox -X will also add more protection.

Unless I'm mistaken, sandbox -X hasn't worked in almost a year.

--Andy