Bug 12997

Summary: Security update request for flash-player-plugin, to 11.2.202.346
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: smorgan, sysadmin-bugs, tmb, wrw105
Version: 4Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga4-32-ok mga4-64-ok mga3-64-ok
Source RPM: flash-player-plugin CVE: CVE-2014-0503, CVE-2014-0504
Status comment:

Description Anssi Hannula 2014-03-11 23:32:54 CET 
Suggested advisory:
============
Adobe Flash Player 11.2.202.346 contains fixes to important vulnerabilities found in earlier versions that could allow a remote attacker to bypass security restrictions or to access sensitive information.

This update resolves a vulnerability that could be used to bypass the same origin policy (CVE-2014-0503).

This update resolves a vulnerability that could be used to read the contents of the clipboard (CVE-2014-0504).

References:
http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0504
============

Uploaded to mga3+mga4 nonfree/updates_testing:

Source packages:
flash-player-plugin-11.2.202.346-1.mga3.nonfree
flash-player-plugin-11.2.202.346-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.346-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.346-1.mga3.nonfree
flash-player-plugin-11.2.202.346-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.346-1.mga4.nonfree

P.S. This is the first time I remember Adobe issuing a Flash update classified as only Important instead of Critical... (this is because the security issues do not allow a remote takeover as usual).
Comment 1 Bill Wilkinson 2014-03-12 12:36:57 CET 
No PoC. Tested general use mga4-64.

Played Youtube videos, and a flash game. changed settings in KDE panel, all OK.

Will test mga3-64 momentarily.  Someone else will have to pick up mga3 and 4 32. I have an older AMD processor and newer flash updates don't work on my 32-bit system.

CC: (none) => wrw105
Whiteboard: (none) => MGA3TOO mga4-64-ok

Comment 2 claire robinson 2014-03-12 12:47:40 CET 
I'll do both 32bit now.
Comment 3 Bill Wilkinson 2014-03-12 13:00:35 CET 
Tested mga3-64 as above, all OK.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Comment 4 claire robinson 2014-03-12 13:10:13 CET 
Testing complete mga3 32 & mga4 32
Comment 5 claire robinson 2014-03-12 13:17:14 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 nonfree updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-32-ok mga4-64-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Stuart Morgan 2014-03-12 17:29:37 CET

CC: (none) => smorgan

Comment 6 Thomas Backlund 2014-03-12 17:33:39 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0128.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED