Bug 13706

Summary: Security update request for flash-player-plugin, to 11.2.202.394
Product: Mageia
Reporter: Anssi Hannula <anssi.hannula>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: cmrisolde, pterjan, sysadmin-bugs
Version: 4
Keywords: Security, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
Source RPM: flash-player-plugin
CVE: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671
Status comment:

Description Anssi Hannula 2014-07-08 20:34:48 CEST
Advisory:
============
Adobe Flash Player 11.2.202.394 contains fixes to critical security 
vulnerabilities found in earlier versions that could potentially allow an 
attacker to take control of the affected system.

This update includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

This update resolves security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539).
References:
http://helpx.adobe.com/security/products/flash-player/apsb14-17.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4671
============

Updated Flash Player 11.2.202.394 packages are in mga3+mga4
nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.394-1.mga3.nonfree
flash-player-plugin-11.2.202.394-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.394-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.394-1.mga3.nonfree
flash-player-plugin-11.2.202.394-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.394-1.mga4.nonfree

Anssi Hannula 2014-07-08 20:34:57 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Carolyn Rowse 2014-07-09 12:28:30 CEST
Mga3 32-bit seems fine, TrainStation game on Facebook loads fine after update and various items on BBC website OK.

Carolyn

CC: (none) => cmrisolde
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK

Comment 2 Carolyn Rowse 2014-07-09 12:47:42 CEST
No problems encountered with Mga4 32-bit either.

Carolyn

Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA4-32-OK

Comment 3 claire robinson 2014-07-09 14:33:59 CEST
Testing complete mga3 64 and mga4 64

Played various flash videos and deleted local storage using the flash player utility in kde system settings.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 nonfree updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Pascal Terjan 2014-07-10 01:23:04 CEST
http://advisories.mageia.org/MGASA-2014-0291.html

Status: ASSIGNED => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED