Re: Flash plugin

2011-10-07 Thread Dag Wieers

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 04:37 PM, Dag Wieers wrote:

 On Thu, 6 Oct 2011, Yasha Karant wrote:

  I realise that except for the Fermilab/CERN staff persons, almost all
  of the rest of those maintaining material for SL are unpaid
  volunteers. With that stated, what is the
  typical/average/median/whatever delay from the Adobe release until the
  SL compatible port for the flash plugin?
 
  In some cases, Adobe adds functionality -- but in most cases it is a
  matter of bug and security-hole fixes -- and the sooner one installs a
  valid security fix, the better.

 Do you have proof that this is a security fix. Because I track the RHEL
 packages and no such update has come through their channels. It seems as
 if the release was simply their official Flash Player 11 release, rather
 than a security fix.

 If it is a security fix, even Red Hat is behind. Somehow I don't believe
 that, but for you to provide proof of what you state. Thanks.


I use the direct Mozilla (and OpenOffice) distributions and updates. For 
Firefox 7.x (that the Firefox update on Help -- About Firefox reports as up 
to date), I ran an update check on the addons, including plugins using Tools 
-- Add ons and URL https://www.mozilla.org/en-US/plugincheck/  and the 
following was displayed:


Vulnerable plugins:
Plugin Icon
Shockwave Flash
Shockwave Flash 11.0 r1 Vulnerable (more info)

(11.0.1.129 is what actually is installed)


Again, without any information it is hard to determine whether the 
plugincheck is mainly checking the version against the latest (known) 
available, or whether it actually knows about vulnerabilities.


I bet the first option is what is implemented (because the second adds 
complexity without any real gain). Their aim is to have people running the 
latest.


Also, if we look at TUV, they still offer flash-plugin-10.3.183.10-1.el6, 
which is most likely not vulnerable (and which was the version offered by 
Repoforge until this morning too). In other words, we are now disconnected 
from the RHSA information.


If you noticed a flash-plugin update from Adobe, feel free to let us know 
so we can update our flash-plugin package too.


Thanks in advance,
--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-07 Thread Robert E. Blair

The 64 bit version I installed an hour or so ago from the Adobe yum repo is:
flash-plugin-11.0.1.152-release.x86_64

Dag Wieers wrote:
| On Thu, 6 Oct 2011, Yasha Karant wrote:
|
| On 10/06/2011 04:37 PM, Dag Wieers wrote:
|  On Thu, 6 Oct 2011, Yasha Karant wrote:
|
|   I realise that except for the Fermilab/CERN staff persons, almost all
|   of the rest of those maintaining material for SL are unpaid
|   volunteers. With that stated, what is the
|   typical/average/median/whatever delay from the Adobe release until the
|   SL compatible port for the flash plugin?
|
|   In some cases, Adobe adds functionality -- but in most cases it is a
|   matter of bug and security-hole fixes -- and the sooner one installs a
|   valid security fix, the better.
|
|  Do you have proof that this is a security fix. Because I track the RHEL
|  packages and no such update has come through their channels. It seems as
|  if the release was simply their official Flash Player 11 release, rather
|  than a security fix.
|
|  If it is a security fix, even Red Hat is behind. Somehow I don't believe
|  that, but for you to provide proof of what you state. Thanks.
|
| I use the direct Mozilla (and OpenOffice) distributions and updates.
| For Firefox 7.x (that the Firefox update on Help -- About Firefox
| reports as up to date), I ran an update check on the addons, including
| plugins using Tools -- Add ons and URL
| https://www.mozilla.org/en-US/plugincheck/  and the following was
| displayed:
|
| Vulnerable plugins:
| Plugin Icon
| Shockwave Flash
| Shockwave Flash 11.0 r1 Vulnerable (more info)
|
| (11.0.1.129 is what actually is installed)
|
| Again, without any information it is hard to determine whether the
| plugincheck is mainly checking the version against the latest (known)
| available, or whether it actually knows about vulnerabilities.
|
| I bet the first option is what is implemented (because the second adds
| complexity without any real gain). Their aim is to have people running
| the latest.
|
| Also, if we look at TUV, they still offer
| flash-plugin-10.3.183.10-1.el6, which is most likely not vulnerable (and
| which was the version offered by Repoforge until this morning too). In
| other words, we are now disconnected from the RHSA information.
|
| If you noticed a flash-plugin update from Adobe, feel free to let us
| know so we can update our flash-plugin package too.
|
| Thanks in advance,

--
Robert E. Blair, Room C221, Building 360
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545  FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc


Re: Flash plugin

2011-10-07 Thread jdow

On 2011/10/07 00:12, Dag Wieers wrote:

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 04:37 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Yasha Karant wrote:

 I realise that except for the Fermilab/CERN staff persons, almost all
 of the rest of those maintaining material for SL are unpaid
 volunteers. With that stated, what is the
 typical/average/median/whatever delay from the Adobe release until the
 SL compatible port for the flash plugin?
  In some cases, Adobe adds functionality -- but in most cases it is a
 matter of bug and security-hole fixes -- and the sooner one installs a
 valid security fix, the better.

Do you have proof that this is a security fix. Because I track the RHEL
packages and no such update has come through their channels. It seems as
if the release was simply their official Flash Player 11 release, rather
than a security fix.

If it is a security fix, even Red Hat is behind. Somehow I don't believe
that, but for you to provide proof of what you state. Thanks.


I use the direct Mozilla (and OpenOffice) distributions and updates. For
Firefox 7.x (that the Firefox update on Help -- About Firefox reports as up
to date), I ran an update check on the addons, including plugins using Tools
-- Add ons and URL https://www.mozilla.org/en-US/plugincheck/ and the
following was displayed:

Vulnerable plugins:
Plugin Icon
Shockwave Flash
Shockwave Flash 11.0 r1 Vulnerable (more info)

(11.0.1.129 is what actually is installed)


Again, without any information it is hard to determine whether the plugincheck
is mainly checking the version against the latest (known) available, or whether
it actually knows about vulnerabilities.

I bet the first option is what is implemented (because the second adds
complexity without any real gain). Their aim is to have people running the 
latest.

Also, if we look at TUV, they still offer flash-plugin-10.3.183.10-1.el6, which
is most likely not vulnerable (and which was the version offered by Repoforge
until this morning too). In other words, we are now disconnected from the RHSA
information.

If you noticed a flash-plugin update from Adobe, feel free to let us know so we
can update our flash-plugin package too.


In that vein it seems odd to me that a 32 bit package would be accepted as an
update for a 64 bit package. This seems to me to be a bug.

{^_^}


Re: Flash plugin

2011-10-07 Thread Dag Wieers

On Fri, 7 Oct 2011, jdow wrote:

In that vein it seems odd to me that a 32 bit package would be accepted as an
update for a 64 bit package. This seems to me to be a bug.


The reason is that some 64bit users have been using 32bit flash-plugins on 
64bit. Repoforge for some time (and now Adobe) offer 64bit flash-plugin 
packages, but a lot of 64bit users have the 32bit repository enabled.


Hence you get those conflicts.

There is nothing I can do regarding this. Users having problems may have 
to change their configuration and use the 64bit plugin instead. The only 
thing that is under my control is keeping the flash-plugin up-to-date.


Which is not that simple, because Red Hat is at flash-plugin v10 and Adobe 
does not release any security information, nor is there something I can 
subscribe to to get informed of updates.


Although I did add the 32bit and 64bit repositories to my local mrepo 
instance.


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-07 Thread Dag Wieers

On Fri, 7 Oct 2011, Robert E. Blair wrote:


Dag Wieers wrote:

|  Again, without any information it is hard to determine whether the
|  plugincheck is mainly checking the version against the latest (known)
|  available, or whether it actually knows about vulnerabilities.
| 
|  I bet the first option is what is implemented (because the second adds
|  complexity without any real gain). Their aim is to have people running
|  the latest.
| 
|  Also, if we look at TUV, they still offer
|  flash-plugin-10.3.183.10-1.el6, which is most likely not vulnerable (and
|  which was the version offered by Repoforge until this morning too). In
|  other words, we are now disconnected from the RHSA information.

The 64 bit version I installed an hour or so ago from the Adobe yum repo is:
flash-plugin-11.0.1.152-release.x86_64


Ok, let's hope I can kill this thread with actual vendor information 
instead.



On the Adobe website, there's even no mention of flash-plugin v11.

http://www.adobe.com/support/security/#flashplayer

So as I suspected, the new v11 release is just the first official release 
announcement, which is *NOT* security-related. At least there is no 
information to support such claims, and no proof that the v10 offering is 
vulnerable.



Wrt. to Red Hat not tracking flash-plugin security updates.

As far as I can tell, TUV has the latest flash-plugin v10, so there is no
security impact. TUV provides flash-plugin-10.3.183.10-1.el6, which is
newer than the latest Adobe security bulletin from the Adobe page above.


Executive summary:

 - Do not mix 32bit and 64bit flash-plugin packages. Decide which to use
   and stick to it.

 - New Adobe releases do not imply new security vulnerabilities.

 - Red Hat is offering a secure flash-plugin offering (even newer than
   the latest Adobe security bulletin), even when it is not the latest and
   greatest (just-released) v11.


Please only reply to this thread if you have new information and some 
references to back it up.


Thanks :-)
--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]
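
Added example, not part of the thread and not any poster's or project's code: a small triage script for the two questions the summary above separates, namely whether an update candidate is merely newer or crosses architectures, and whether the installed version is below an advisory's fixed-in version. The listings are constructed from package names quoted in the thread; the TUV line's arch, the `tuv` repo label and the fixed-in value are placeholders, and the version comparison is a simplified form of RPM ordering.

```python
import re
from itertools import zip_longest

# Constructed listings in `yum list` column form, built from package names,
# versions and repo names quoted in the thread. The TUV line's arch and the
# "tuv" repo label are assumptions.
INSTALLED_RF = "flash-plugin.x86_64  11.0.1.129-0.1.el6.rf  @rpmforge"
INSTALLED_TUV = "flash-plugin.x86_64  10.3.183.10-1.el6  @tuv"
CANDIDATES = [
    "flash-plugin.i386  11.0.1.152-release  adobe-linux-i386",
    "flash-plugin.x86_64  11.0.1.152-release  adobe-linux-x86_64",
]
# Constructed placeholder, NOT taken from any Adobe bulletin: substitute the
# fixed-in version from the vendor advisory you actually track.
FIXED_IN_PLACEHOLDER = "10.3.0.0"


def _segments(s):
    """Split an RPM version or release into digit runs and letter runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified RPM ordering (no epoch, '~' or '^'): returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                      # a ran out of segments: a is older
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats letters
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_listing(line):
    """Parse one 'name.arch  version-release  repo' line."""
    name_arch, ver_rel, repo = line.split()
    name, arch = name_arch.rsplit(".", 1)
    version, release = ver_rel.split("-", 1)
    return {"name": name, "arch": arch, "version": version,
            "release": release, "repo": repo.lstrip("@")}


def evr_cmp(p, q):
    """Compare version first, then release."""
    return (rpmvercmp(p["version"], q["version"])
            or rpmvercmp(p["release"], q["release"]))


def triage(installed_line, candidate_lines, fixed_in):
    """Classify the installed package and each update candidate.

    'security' depends only on the advisory's fixed-in version, never on
    whether something newer exists. A candidate of another arch is reported
    as 'arch-mismatch' instead of 'newer', because installing it next to the
    installed package produces the file conflict shown in the thread.
    """
    inst = parse_listing(installed_line)
    report = {
        "installed": "{name}-{version}-{release}.{arch}".format(**inst),
        "security": ("below-advisory-fix"
                     if rpmvercmp(inst["version"], fixed_in) < 0
                     else "no-known-advisory"),
        "updates": [],
    }
    for line in candidate_lines:
        cand = parse_listing(line)
        if cand["name"] != inst["name"]:
            continue
        if cand["arch"] != inst["arch"]:
            verdict = "arch-mismatch"
        elif evr_cmp(cand, inst) > 0:
            verdict = "newer"
        else:
            verdict = "not-newer"
        report["updates"].append((cand["repo"], cand["arch"], verdict))
    return report


if __name__ == "__main__":
    for installed in (INSTALLED_RF, INSTALLED_TUV):
        result = triage(installed, CANDIDATES, FIXED_IN_PLACEHOLDER)
        print(result["installed"], "->", result["security"])
        for repo, arch, verdict in result["updates"]:
            print("   ", repo, arch, verdict)
```

On a live system the input lines would come from `yum list installed flash-plugin` and `yum list available flash-plugin`; real RPM ordering also handles epochs and `~`, which this simplified comparison ignores.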


Re: Flash plugin

2011-10-07 Thread Dag Wieers

On Fri, 7 Oct 2011, Vladimir Mosgalin wrote:


On 2011.10.07 at 01:34:38 +0200, Dag Wieers wrote next:


Evidently, a number of stock end-user applications, such as
Firefox, Thunderbird, and the like, have security holes as well as
bugs, and thus need regularly kept current.


Do you have any proof of security problems ? Was there a security
advisory for this release ?


It's not as simple as that.
There was no supported version of 64-bit flash 10 plugin.
Information about security problems in betas and RCs of flash plugins
aren't displayed on that page that you saw - it does, however, appear in
news from adobe and in adobe blogs; but they don't add them to list of
problems in final releases.


I am not arguing about that. But people using 64bit flash plugins did not 
have any security for months either. I personally don't care about 
security for people that don't care about security :)


But that said, now that an official 64bit release is out, we have it too.



Btw, 64-bit flash 10 plugin was even in more sorry state: there were
lot of known security problems for it, but adobe stopped developing it
and latest known (beta) version was said to be very vulnerable.


Again, no arguing against that.

If you look at the mail(s) I was replying to, I was answering to the 
general view that:


 - Not having the latest flash-plugin is a security problem

 - Red Hat is failing to provide a secure flash-plugin

Both statements are false, unless you apply them (only) to already 
insecure situations (eg. 64bit beta). Which is more of a mental exercise 
anyway.


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Vladimir Mosgalin
Hi jdow!

 On 2011.10.06 at 05:05:05 -0700, jdow wrote next:

 Date: Thu, 06 Oct 2011 05:05:05 -0700
 From: jdow j...@earthlink.net
 To: scientific-linux-us...@fnal.gov
 X-Original-To: mosgalin@localhost
 Subject: Flash plugin
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929
 Thunderbird/7.0.1
 
 I have the elrepo 64 bit beta flash plugin installed. A 32 bit flash update
 is being forced on my system. Here are the error messages.
 
 Transaction Check Error:
   file /usr/share/applications/flash-player-properties.desktop from
 install of flash-plugin-11.0.1.152-release.i386 conflicts with file
 from package flash-plugin-11.0.1.129-0.1.el6.rf.x86_64

There is no flash plugin in elrepo. You seem to have one from rpmforge
installed. Either wait until x86_64 package appears in rpmforge, or
uninstall it, then install official adobe yum repository and install
flash plugin from there..

-- 

Vladimir


Re: Flash plugin

2011-10-06 Thread Alec T. Habig
I did encounter a problem with the official adobe repo yesterday - it
wanted to install the i386 version over the x86_64 version, so bombed
with a file conflict.

Deleting the adobe yum config rpms and relying on Dag made things work
here. 

-- 
Alec Habig, University of Minnesota Duluth Physics Dept.
ha...@neutrino.d.umn.edu
   http://neutrino.d.umn.edu/~habig/


Re: Flash plugin

2011-10-06 Thread Vladimir Mosgalin
Hi Dag Wieers!

 On 2011.10.06 at 16:38:04 +0200, Dag Wieers wrote next:

 There is no flash plugin in elrepo. You seem to have one from rpmforge
 installed. Either wait until x86_64 package appears in rpmforge, or
 uninstall it, then install official adobe yum repository and install
 flash plugin from there..
 
 RPMforge provides already the (beta) 64bit flash-plugin, so there's
 no need to wait for it. In this case the 64bit is installed, so
 there is no reason to install the 32bit. Unless you want to replace
 the 64bit by the 32bit.

Yes, well, I meant when final 11 release will appear in rpmforge (like
it is now in official repo).

OK, according to you it's best to just wait a bit.

-- 

Vladimir


Re: Flash plugin

2011-10-06 Thread Dr Andrew C Aitchison

On Thu, 6 Oct 2011, Dag Wieers wrote:

RPMforge provides already the (beta) 64bit flash-plugin, so there's no need 
to wait for it. In this case the 64bit is installed, so there is no reason to 
install the 32bit. Unless you want to replace the 64bit by the 32bit.


Hmm. Unless I am using an out of date mirror RPMforge has
flash-plugin.x86_64  11.0.1.129-0.1.el6.rf  rpmforge

whereas the adobe-linux-i386 repo has
flash-plugin.i386  11.0.1.152-release  @adobe-linux-i386
(Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
a.c.aitchi...@dpmms.cam.ac.uk   http://www.dpmms.cam.ac.uk/~werdna


Re: Flash plugin

2011-10-06 Thread Dag Wieers

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:


 RPMforge provides already the (beta) 64bit flash-plugin, so there's no
 need to wait for it. In this case the 64bit is installed, so there is no
 reason to install the 32bit. Unless you want to replace the 64bit by the
 32bit.


Hmm. Unless I am using an out of date mirror RPMforge has
flash-plugin.x86_64  11.0.1.129-0.1.el6.rf  rpmforge

whereas the adobe-linux-i386 repo has
flash-plugin.i386  11.0.1.152-release  @adobe-linux-i386
(Build Date: Sat 24 Sep 2011 02:45:27 AM BST).


So, why would one replace a 64bit flash-plugin with a 32bit one ?

If the 64bit version was used, it simply would have worked.

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Yasha Karant

On 10/06/2011 10:08 AM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:


RPMforge provides already the (beta) 64bit flash-plugin, so there's no
need to wait for it. In this case the 64bit is installed, so there is no
reason to install the 32bit. Unless you want to replace the 64bit by the
32bit.


Hmm. Unless I am using an out of date mirror RPMforge has
flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge

whereas the adobe-linux-i386 repo has
flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
(Build Date: Sat 24 Sep 2011 02:45:27 AM BST).


So, why would one replace a 64bit flash-plugin with a 32bit one ?

If the 64bit version was used, it simply would have worked.



Unless I misunderstood, the 32 bit version is the current (most 
secure) release, 152, whereas the 64 bit version is not current, 129.


I face the same problem, and thus attempt to keep a 32 bit Firefox 
installed, non-distro but straight from Mozilla, and use the 32 bit 
plugins, etc.  This presents the additional issue of keeping all of the 
needed 32 bit .so libraries, etc., in place.


Evidently, a number of stock end-user applications, such as Firefox, 
Thunderbird, and the like, have security holes as well as bugs, and thus 
need regularly kept current.


Yasha Karant


Re: Flash plugin

2011-10-06 Thread JR van Rensburg
On Thu, 2011-10-06 at 19:08 +0200, Dag Wieers wrote:
 So, why would one replace a 64bit flash-plugin with a 32bit one ?
 
 If the 64bit version was used, it simply would have worked.
 
I originally installed the 32 bit version from adobe and then updated to
the 64 bit from the repo.
Now, every time adobe updates the version, it appears as an update. The
solution is to remove or disable the adobe repo.


Re: Flash plugin

2011-10-06 Thread Dr Andrew C Aitchison

On Thu, 6 Oct 2011, Dag Wieers wrote:


On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:


 RPMforge provides already the (beta) 64bit flash-plugin, so there's no
 need to wait for it. In this case the 64bit is installed, so there is no
 reason to install the 32bit. Unless you want to replace the 64bit by the
 32bit.


Hmm. Unless I am using an out of date mirror RPMforge has
flash-plugin.x86_64  11.0.1.129-0.1.el6.rf  rpmforge

whereas the adobe-linux-i386 repo has
flash-plugin.i386  11.0.1.152-release  @adobe-linux-i386
(Build Date: Sat 24 Sep 2011 02:45:27 AM BST).


So, why would one replace a 64bit flash-plugin with a 32bit one ?


Not so much that I want to - rather that the 32 bit adobe repo was
already enabled from when the machine was running SL5 and I have
only now looked for the adobe-linux-x86_64 repo.

My real point was that the rpmforge plugin is presumably out of
date if the adobe repo has a newer plugin with a higher release number.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
a.c.aitchi...@dpmms.cam.ac.uk   http://www.dpmms.cam.ac.uk/~werdna


Re: Flash plugin

2011-10-06 Thread jdow

On 2011/10/06 07:38, Dag Wieers wrote:

On Thu, 6 Oct 2011, Vladimir Mosgalin wrote:


On 2011.10.06 at 05:05:05 -0700, jdow wrote next:


Date: Thu, 06 Oct 2011 05:05:05 -0700
From: jdow j...@earthlink.net
To: scientific-linux-us...@fnal.gov
X-Original-To: mosgalin@localhost
Subject: Flash plugin
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929
Thunderbird/7.0.1

I have the elrepo 64 bit beta flash plugin installed. A 32 bit flash update
is being forced on my system. Here are the error messages.

Transaction Check Error:
file /usr/share/applications/flash-player-properties.desktop from
install of flash-plugin-11.0.1.152-release.i386 conflicts with file
from package flash-plugin-11.0.1.129-0.1.el6.rf.x86_64


There is no flash plugin in elrepo. You seem to have one from rpmforge
installed. Either wait until x86_64 package appears in rpmforge, or
uninstall it, then install official adobe yum repository and install
flash plugin from there..


RPMforge provides already the (beta) 64bit flash-plugin, so there's no need to
wait for it. In this case the 64bit is installed, so there is no reason to
install the 32bit. Unless you want to replace the 64bit by the 32bit.


That is entirely true. Now, I need to convince yum update of this pesky
detail.

(And sorry about tracking down which repo I got it from. I stopped too soon
on the version and literally didn't see the .rf in there. My bad.)

The problem is that yum update insists I need the 32 bit version of the
flash plugin.

{^_-}


If that is the case (beware, you may need to change browsers, or install another
plugin) you should uninstall the 64bit package first.

RPMforge tracks the flash-plugin releases and packages them asap because there
is an important security impact for systems that have it installed.



Re: Flash plugin

2011-10-06 Thread jdow

On 2011/10/06 13:12, Dr Andrew C Aitchison wrote:

On Thu, 6 Oct 2011, Dag Wieers wrote:


On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:


RPMforge provides already the (beta) 64bit flash-plugin, so there's no
need to wait for it. In this case the 64bit is installed, so there is no
reason to install the 32bit. Unless you want to replace the 64bit by the
32bit.


Hmm. Unless I am using an out of date mirror RPMforge has
flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge

whereas the adobe-linux-i386 repo has
flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
(Build Date: Sat 24 Sep 2011 02:45:27 AM BST).


So, why would one replace a 64bit flash-plugin with a 32bit one ?


Not so much that I want to - rather that the 32 bit adobe repo was
already enabled from when the machine was running SL5 and I have
only now looked for the adobe-linux-x86_64 repo.

My real point was that the rpmforge plugin is presumably out of
date if the adobe repo has a newer plugin with a higher release number.


And even an explicit yum update flash-plugin.x86_64 still tries to update
the .i386 version. I disabled the adobe repo. That seems to sort of fix it.
Now, I hope the 64 bit version updates properly. (Of course, I seldom use
the browser on that particular machine. Lately I've been using it to stream
some background music for the room. Otherwise I'd have never bothered with
the flash plugin. KUSC and K-Mozart are unlikely to be sources of 'ix type
nasties. So I figure I'm safe.)

{^_^}


Re: Flash plugin

2011-10-06 Thread Dag Wieers

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:

 On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
  On Thu, 6 Oct 2011, Dag Wieers wrote:
 
RPMforge provides already the (beta) 64bit flash-plugin, so there's no
need to wait for it. In this case the 64bit is installed, so there is no
reason to install the 32bit. Unless you want to replace the 64bit by the
32bit.
 
  Hmm. Unless I am using an out of date mirror RPMforge has
  flash-plugin.x86_64  11.0.1.129-0.1.el6.rf  rpmforge
 
  whereas the adobe-linux-i386 repo has
  flash-plugin.i386  11.0.1.152-release  @adobe-linux-i386
  (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

 So, why would one replace a 64bit flash-plugin with a 32bit one ?


Not so much that I want to - rather that the 32 bit adobe repo was
already enabled from when the machine was running SL5 and I have
only now looked for the adobe-linux-x86_64 repo.

My real point was that the rpmforge plugin is presumably out of
date if the adobe repo has a newer plugin with a higher release number.


It's quite hard to release before Adobe.

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Yasha Karant

On 10/06/2011 04:19 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:


On Thu, 6 Oct 2011, Dag Wieers wrote:

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
 On Thu, 6 Oct 2011, Dag Wieers wrote:
  RPMforge provides already the (beta) 64bit flash-plugin, so there's no
  need to wait for it. In this case the 64bit is installed, so there is no
  reason to install the 32bit. Unless you want to replace the 64bit by the
  32bit.

 Hmm. Unless I am using an out of date mirror RPMforge has
 flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge

 whereas the adobe-linux-i386 repo has
 flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
 (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

So, why would one replace a 64bit flash-plugin with a 32bit one ?


Not so much that I want to - rather that the 32 bit adobe repo was
already enabled from when the machine was running SL5 and I have
only now looked for the adobe-linux-x86_64 repo.

My real point was that the rpmforge plugin is presumably out of
date if the adobe repo has a newer plugin with a higher release number.


It's quite hard to release before Adobe.



I realise that except for the Fermilab/CERN staff persons, almost all of 
the rest of those maintaining material for SL are unpaid volunteers. 
With that stated, what is the typical/average/median/whatever delay from 
the Adobe release until the SL compatible port for the flash plugin?


In some cases, Adobe adds functionality -- but in most cases it is a 
matter of bug and security-hole fixes -- and the sooner one installs a 
valid security fix, the better.


Yasha Karant


Re: Flash plugin

2011-10-06 Thread Dag Wieers

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 10:08 AM, Dag Wieers wrote:

 On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
  On Thu, 6 Oct 2011, Dag Wieers wrote:
 
   RPMforge provides already the (beta) 64bit flash-plugin, so there's no
   need to wait for it. In this case the 64bit is installed, so there is no
   reason to install the 32bit. Unless you want to replace the 64bit by the
   32bit.
 
  Hmm. Unless I am using an out of date mirror RPMforge has
  flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge
 
  whereas the adobe-linux-i386 repo has
  flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
  (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

 So, why would one replace a 64bit flash-plugin with a 32bit one ?

 If the 64bit version was used, it simply would have worked.


Unless I misunderstood, the 32 bit version is the current (most secure) 
release, 152, whereas the 64 bit version is not current, 129.


You indeed misunderstood:

 1. There is _now_ also a 64bit 152 release

 2. There was no security update release by Red Hat for the flash-plugin.
That is the only source that I can track properly, I do not visit the
Adobe flash-plugin website daily.

 3. Feel free to report new flash-plugin release through the github.com
web-interface at: http://github.com/repoforge

Evidently, a number of stock end-user applications, such as Firefox, 
Thunderbird, and the like, have security holes as well as bugs, and thus need 
regularly kept current.


Do you have any proof of security problems ? Was there a security advisory 
for this release ?


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Dag Wieers

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 04:19 PM, Dag Wieers wrote:

 On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:

  On Thu, 6 Oct 2011, Dag Wieers wrote:
   On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
On Thu, 6 Oct 2011, Dag Wieers wrote:
     RPMforge provides already the (beta) 64bit flash-plugin, so there's no
     need to wait for it. In this case the 64bit is installed, so there is no
     reason to install the 32bit. Unless you want to replace the 64bit by the
     32bit.

    Hmm. Unless I am using an out of date mirror RPMforge has
    flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge

    whereas the adobe-linux-i386 repo has
    flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
    (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

   So, why would one replace a 64bit flash-plugin with a 32bit one ?

  Not so much that I want to - rather that the 32 bit adobe repo was
  already enabled from when the machine was running SL5 and I have
  only now looked for the adobe-linux-x86_64 repo.

  My real point was that the rpmforge plugin is presumably out of
  date if the adobe repo has a newer plugin with a higher release number.

 It's quite hard to release before Adobe.



I realise that except for the Fermilab/CERN staff persons, almost all of the 
rest of those maintaining material for SL are unpaid volunteers. With that 
stated, what is the typical/average/median/whatever delay from the Adobe 
release until the SL compatible port for the flash plugin?


In some cases, Adobe adds functionality -- but in most cases it is a matter 
of bug and security-hole fixes -- and the sooner one installs a valid 
security fix, the better.


Do you have proof that this is a security fix. Because I track the RHEL 
packages and no such update has come through their channels. It seems as 
if the release was simply their official Flash Player 11 release, rather 
than a security fix.


If it is a security fix, even Red Hat is behind. Somehow I don't believe 
that, but for you to provide proof of what you state. Thanks.


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Dag Wieers

On Fri, 7 Oct 2011, JR van Rensburg wrote:


On Fri, 2011-10-07 at 01:19 +0200, Dag Wieers wrote:


It's quite hard to release before Adobe.


The way I understand it from pre 64-bit Flash, Adobe weren't responsible
for the 64-bit Flash development and it came with the caveat that it
won't be updated from their repo.
This meant that you only got the 32-bit plugin from adobe.


The issue is mixing 32bit and 64bit packages. The exact same error would 
have happened if you had the old 32bit flash-plugin installed, and would 
install the 64bit new plugin.


I don't see exactly what everything else has to do with anything. Tomorrow 
the 11.0.1.152 will be available from Repoforge, for both 32bit and 64bit. 
And any issues are resolved, but we can never proactively prevent 
something we cannot control. If tomorrow Adobe releases a newer 32bit RPM 
and people use that repository on 64bit using the Repoforge 64bit package, 
we could not have prevented that...


Without Adobe Flash the world would be much more simple, Steve Jobs knew 
that :)


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash plugin

2011-10-06 Thread Alan Bartlett
On 7 October 2011 00:37, Dag Wieers d...@wieers.com wrote:

 Do you have proof that this is a security fix. Because I track the RHEL
 packages and no such update has come through their channels. It seems as if
 the release was simply their official Flash Player 11 release, rather than a
 security fix.

 If it is a security fix, even Red Hat is behind. Somehow I don't believe
 that, but for you to provide proof of what you state. Thanks.

Hi Dag,

I strongly suspect that there are certain people posting to this list
who are still new to the RHEL product ethos and, thus, that of its
clones.

As you know, the recommended reading for those persons starts with the
following Red Hat policy regarding the backporting of security fixes
--

http://www.redhat.com/security/updates/backporting/

Regards,
Alan.


Re: Flash plugin

2011-10-06 Thread JR van Rensburg
On Fri, 2011-10-07 at 01:19 +0200, Dag Wieers wrote:
 It's quite hard to release before Adobe.
 
The way I understand it from pre 64-bit Flash, Adobe weren't responsible
for the 64-bit Flash development and it came with the caveat that it
won't be updated from their repo.
This meant that you only got the 32-bit plugin from adobe.

Since EL/SL has a custom rolled 64-bit version now, there is no need to
use the Adobe repo (other than for the reader), so disable the repo
after installing the reader. (It does some things better than evince, so
you may need it occasionally.)


Re: Flash plugin

2011-10-06 Thread JR van Rensburg
On Fri, 2011-10-07 at 00:58 +0100, Alan Bartlett wrote:
 As you know, the recommended reading for those persons starts with the
 following Red Hat policy regarding the backporting of security fixes
 --
 
 http://www.redhat.com/security/updates/backporting/
 
Perhaps it's a tribute to the rise in the distro popularity that many
users expect EL to have the same features as the more popular desktop
user oriented Ubuntu or Fedora distros, say.
... Together with the fact that the modern Linux user expects it all to
work without any self help or understanding of what goes on behind the
scenes.


Re: Flash plugin

2011-10-06 Thread Yasha Karant

On 10/06/2011 04:37 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 04:19 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:

 On Thu, 6 Oct 2011, Dag Wieers wrote:
  On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
   On Thu, 6 Oct 2011, Dag Wieers wrote:
 RPMforge provides already the (beta) 64bit flash-plugin, so there's no
 need to wait for it. In this case the 64bit is installed, so there is no
 reason to install the 32bit. Unless you want to replace the 64bit by the
 32bit.

 Hmm. Unless I am using an out of date mirror RPMforge has
    flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge
 whereas the adobe-linux-i386 repo has
    flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
    (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

 So, why would one replace a 64bit flash-plugin with a 32bit one?

 Not so much that I want to - rather that the 32 bit adobe repo was
 already enabled from when the machine was running SL5 and I have
 only now looked for the adobe-linux-x86_64 repo.

 My real point was that the rpmforge plugin is presumably out of
 date if the adobe repo has a newer plugin with a higher release number.

It's quite hard to release before Adobe.



I realise that except for the Fermilab/CERN staff persons, almost all
of the rest of those maintaining material for SL are unpaid
volunteers. With that stated, what is the
typical/average/median/whatever delay from the Adobe release until the
SL compatible port for the flash plugin?

In some cases, Adobe adds functionality -- but in most cases it is a
matter of bug and security-hole fixes -- and the sooner one installs a
valid security fix, the better.


Do you have proof that this is a security fix. Because I track the RHEL
packages and no such update has come through their channels. It seems as
if the release was simply their official Flash Player 11 release, rather
than a security fix.

If it is a security fix, even Red Hat is behind. Somehow I don't believe
that, but for you to provide proof of what you state. Thanks.



I use the direct Mozilla (and OpenOffice) distributions and updates. 
For Firefox 7.x (that the Firefox update on Help -- About Firefox 
reports as up to date), I ran an update check on the addons, including 
plugins using Tools  -- Add ons and URL 
https://www.mozilla.org/en-US/plugincheck/  and the following was displayed:


Vulnerable plugins:
Plugin Icon
Shockwave Flash
Shockwave Flash 11.0 r1 Vulnerable (more info)

(11.0.1.129 is what actually is installed)

Thus, although I have been unable to find the vulnerability list (for 
some reason, more info does not give the details but just does nothing), 
Mozilla identifies this plugin as vulnerable, presumably a security issue.


As a test, I will reload the plugin just in case there is a problem with 
the Mozilla identification and the vulnerable warning goes away.


Just did that:

Shockwave Flash
Shockwave Flash 11.0 r1 11.0.1.0 is now up to date

and the actual package was:

flash-plugin-11.0.1.152-release.i386.rpm  from macromedia.com

As a test, I restarted Firefox and went to 
http://www.adobe.com/software/flash/about/ that responded that the 
current Flash plugin is functioning (You have version 11,0,1,152 
installed was displayed).  Note that I am running IA-32 Firefox on SL 
6.1 X86-64, with all necessary compatibility (IA-32) libraries installed 
in a different path than the X86-64 libraries.


(As to the other respondent, I have read and am familiar with TUV policy 
in https://access.redhat.com/security/updates/backporting/ .  I do not 
necessarily agree with this policy.)


Yasha Karant


Re: Flash plugin

2011-10-06 Thread jdow

On 2011/10/06 17:22, Yasha Karant wrote:

On 10/06/2011 04:37 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Yasha Karant wrote:


On 10/06/2011 04:19 PM, Dag Wieers wrote:

On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:

 On Thu, 6 Oct 2011, Dag Wieers wrote:
  On Thu, 6 Oct 2011, Dr Andrew C Aitchison wrote:
   On Thu, 6 Oct 2011, Dag Wieers wrote:
 RPMforge provides already the (beta) 64bit flash-plugin, so there's no
 need to wait for it. In this case the 64bit is installed, so there is no
 reason to install the 32bit. Unless you want to replace the 64bit by the
 32bit.

 Hmm. Unless I am using an out of date mirror RPMforge has
    flash-plugin.x86_64 11.0.1.129-0.1.el6.rf rpmforge
 whereas the adobe-linux-i386 repo has
    flash-plugin.i386 11.0.1.152-release @adobe-linux-i386
    (Build Date: Sat 24 Sep 2011 02:45:27 AM BST).

 So, why would one replace a 64bit flash-plugin with a 32bit one?

 Not so much that I want to - rather that the 32 bit adobe repo was
 already enabled from when the machine was running SL5 and I have
 only now looked for the adobe-linux-x86_64 repo.

 My real point was that the rpmforge plugin is presumably out of
 date if the adobe repo has a newer plugin with a higher release number.

It's quite hard to release before Adobe.



I realise that except for the Fermilab/CERN staff persons, almost all
of the rest of those maintaining material for SL are unpaid
volunteers. With that stated, what is the
typical/average/median/whatever delay from the Adobe release until the
SL compatible port for the flash plugin?

In some cases, Adobe adds functionality -- but in most cases it is a
matter of bug and security-hole fixes -- and the sooner one installs a
valid security fix, the better.


Do you have proof that this is a security fix. Because I track the RHEL
packages and no such update has come through their channels. It seems as
if the release was simply their official Flash Player 11 release, rather
than a security fix.

If it is a security fix, even Red Hat is behind. Somehow I don't believe
that, but for you to provide proof of what you state. Thanks.



I use the direct Mozilla (and OpenOffice) distributions and updates. For Firefox
7.x (that the Firefox update on Help -- About Firefox reports as up to date), I
ran an update check on the addons, including plugins using Tools -- Add ons and
URL https://www.mozilla.org/en-US/plugincheck/ and the following was displayed:

Vulnerable plugins:
Plugin Icon
Shockwave Flash
Shockwave Flash 11.0 r1 Vulnerable (more info)

(11.0.1.129 is what actually is installed)

Thus, although I have been unable to find the vulnerability list (for some
reason, more info does not give the details but just does nothing), Mozilla
identifies this plugin as vulnerable, presumably a security issue.

As a test, I will reload the plugin just in case there is a problem with the
Mozilla identification and the vulnerable warning goes away.

Just did that:

Shockwave Flash
Shockwave Flash 11.0 r1 11.0.1.0 is now up to date

and the actual package was:

flash-plugin-11.0.1.152-release.i386.rpm from macromedia.com

As a test, I restarted Firefox and went to
http://www.adobe.com/software/flash/about/ that responded that the current Flash
plugin is functioning (You have version 11,0,1,152 installed was displayed).
Note that I am running IA-32 Firefox on SL 6.1 X86-64, with all necessary
compatibility (IA-32) libraries installed in a different path than the X86-64
libraries.

(As to the other respondent, I have read and am familiar with TUV policy in
https://access.redhat.com/security/updates/backporting/ . I do not necessarily
agree with this policy.)

Yasha Karant



The downside of that direct approach is that the world gets messy when you want
to move to 7 someday. The direct applications of Firefox and Flash might cause
some form of update conflict you'd get to resolve.

Thanks to the person who mentioned the adobe x86_64 repo. I simply copied the
.i386 file and judiciously renamed a couple lines in the new file. Works fine.
I didn't find one when I looked for it.

{^_-}   Joanne


Re: Flash-plugin 11 rpmforge freeze full screen using metacity window manager

2011-07-21 Thread Dag Wieers

On Thu, 21 Jul 2011, jonathan wrote:


Upon upgrading from flash-plugin-10.3.162.29-0.1.el6.rf (x86_64) to
flash-plugin-11.0.1.60.0.1.el6.rf (x86_64), when I switch to full screen
mode when playing a video on for example YouTube Xorg freezes.

When using flash plugin 10 the use of OverrideGPUValidation=true in
the /etc/adobe/mms.cfg file fixed the problem. Though it does not fix
the problem on flash-plugin 11.


If the compiz window manager is used fullscreen playback works.

Any suggestions?


Sorry Jon,

Let me clarify that this Flash update was very much needed, even though we 
go to another Beta. The problem is that the 64bit plugin (square alpha) 
had lots of security issues. Undoubtedly this release will have some too, 
but at least anything known is fixed in a more recent release.


Here's hoping Adobe will take care of 64bit platforms soon with proper 
security updates...


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Flash-plugin 11 rpmforge freeze full screen using metacity window manager

2011-07-21 Thread Yasha Karant

On 07/21/2011 08:21 AM, Dag Wieers wrote:

On Thu, 21 Jul 2011, jonathan wrote:


Upon upgrading from flash-plugin-10.3.162.29-0.1.el6.rf (x86_64) to
flash-plugin-11.0.1.60.0.1.el6.rf (x86_64), when I switch to full screen
mode when playing a video on for example YouTube Xorg freezes.

When using flash plugin 10 the use of OverrideGPUValidation=true in
the /etc/adobe/mms.cfg file fixed the problem. Though it does not fix
the problem on flash-plugin 11.


If the compiz window manager is used fullscreen playback works.

Any suggestions?


Sorry Jon,

Let me clarify that this Flash update was very much needed, even though
we go to another Beta. The problem is that the 64bit plugin (square
alpha) had lots of security issues. Undoubtedly this release will have
some too, but at least anything known is fixed in a more recent release.

Here's hoping Adobe will take care of 64bit platforms soon with proper
security updates...



I do not know if the IA-32 Linux version of this plugin is any better in 
terms of security, but it does work.  For this reason, I run the IA-32 
versions of Firefox and Thunderbird, both current (release 5), by 
installing whatever libraries these applications need, relying upon the 
polymorphic compliance for both the IA-32 and X86-64 model of the Linux 
(RHEL 6) loader as well as the CPU.


Yasha Karant


Re: Flash-plugin 11 rpmforge freeze full screen using metacity window manager

2011-07-21 Thread jonathan
Thank you all for your feedback. I have since updated the
xorg-x11-drv-intel and libdrm from the elrepo, which has solved the
problem. Flash player 11 now runs successfully. The CPU usage is a bit
high, e.g. when accessing the right click menu in full screen mode it is a
bit laggy, but otherwise it is good.

jon

On Thu, 2011-07-21 at 17:21 +0200, Dag Wieers wrote:
 On Thu, 21 Jul 2011, jonathan wrote:
 
  Upon upgrading from flash-plugin-10.3.162.29-0.1.el6.rf (x86_64) to
  flash-plugin-11.0.1.60.0.1.el6.rf (x86_64), when I switch to full screen
  mode when playing a video on for example YouTube Xorg freezes.
 
  When using flash plugin 10 the use of OverrideGPUValidation=true in
  the /etc/adobe/mms.cfg file fixed the problem. Though it does not fix
  the problem on flash-plugin 11.
 
 
  If the compiz window manager is used fullscreen playback works.
 
  Any suggestions?
 
 Sorry Jon,
 
 Let me clarify that this Flash update was very much needed, even though we 
 go to another Beta. The problem is that the 64bit plugin (square alpha) 
 had lots of security issues. Undoubtedly this release will have some too, 
 but at least anything known is fixed in a more recent release.
 
 Here's hoping Adobe will take care of 64bit platforms soon with proper 
 security updates...