[arch-general] current flash vulnerabilities - what to do?

Sebastian Pipping sebastian at pipping.org
Wed Jul 15 23:37:42 UTC 2015


On 16.07.2015 01:22, D C wrote:
> I've actually posted a thread on the forums about this. For YouTube you can
> just use HTML5.

To the best of my knowledge, it depends on the video / the compression
algorithm used.  For some videos on YouTube HTML5 works just fine, for
some videos you still need Flash.


> If you require flash there are alternatives: gnash,
> lightspark, freshplayerplugin-git, shumway, etc...
> 
> On Wed, Jul 15, 2015 at 7:09 PM, Francis Gerund <ranrund at gmail.com> wrote:
> 
>> Hello!
>>
>> Run:
>> -  Arch linux 64-bit
>> -  4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64
>> GNU/Linux
>> -  Firefox 39.0-1
>> -  flashplugin 11.2.202.481-1 (Install Date   : Wed 08 Jul 2015)
>>
>> What is best practice about the current flash vulnerabilities?

I believe your options are:

 * to enable Flash on a per-video basis for content you "consider
   safe" or

 * to switch to a version of Chrom(ium|e) running Pepper API Flash
   18.0.0.209 or newer
   (https://helpx.adobe.com/security/products/flash-player/apsb15-18.html) or

 * freshplayerplugin-git with Chrom(ium|e) Pepper Flash 18.0.0.209
   or newer in Firefox, may be less safe than usage from
   Chrom(ium|e), due to

     "This particular implementation doesn't implement any sandbox.
      [..] This is the same level of security as NPAPI Flash have."

   see https://github.com/i-rinat/freshplayerplugin or

 * not using Flash until an update is released.


>> Just uninstall flashplugin? Can live without, but many websites still require
>> it.

Since you put it that way, uninstalling Flash has other benefits like
making your browser fingerprint "less unique".  If it's an option to
you, maybe this is the best occasion to quit.

Best,



S

