Bug 13907

Summary: Security update request for flash-player-plugin, to 11.2.202.400
Product: Mageia
Reporter: Anssi Hannula <anssi.hannula>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: marja11, rverschelde, sysadmin-bugs, wrw105
Version: 4
Keywords: Security, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK advisory
Source RPM: flash-player-plugin
CVE: CVE-2014-0538, CVE-2014-0540, CVE-2014-0541, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545
Status comment:

Description Anssi Hannula 2014-08-14 18:05:54 CEST
Advisory:
============
Adobe Flash Player 11.2.202.400 contains fixes to critical security
vulnerabilities found in earlier versions that could potentially allow an
attacker to take control of the affected system.

This update resolves memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545).

This update resolves a security bypass vulnerability (CVE-2014-0541).

This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).

References:
https://helpx.adobe.com/security/products/flash-player/apsb14-18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0545
============

Updated Flash Player 11.2.202.400 packages are in mga3+mga4
nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.400-1.mga3.nonfree
flash-player-plugin-11.2.202.400-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.400-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.400-1.mga3.nonfree
flash-player-plugin-11.2.202.400-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.400-1.mga4.nonfree
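A quick way for an administrator to confirm that a host actually received this update is to compare the installed flash-player-plugin version against the fixed release named in the advisory, 11.2.202.400. The script below is an added example written for this page; it is not part of the bug report, the advisory, or any Mageia tooling. It compares only the upstream version (what `rpm -q --qf '%{VERSION}\n' flash-player-plugin` prints), not the package release suffix such as `1.mga4`, and the sample version strings it runs on are constructed for the demonstration, not taken from the bug.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the Mageia project): decide whether an
# installed flash-player-plugin version is at or above the fixed release from the
# advisory. Components are compared numerically, left to right, so 11.2.202.400
# correctly sorts above 11.2.202.39 (a plain string comparison would get that wrong).

FIXED_VERSION="11.2.202.400"

# version_ge A B: return 0 (true) if dotted version A >= B, 1 otherwise.
# Both arguments must be purely numeric dotted strings; a missing trailing
# component is treated as 0, so 11.2 < 11.2.202.400 and 11.3 > 11.2.202.400.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading numeric component of each side (empty side counts as 0)
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        # drop the component just compared, together with its dot
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0   # all components equal
}

# flash_status VERSION: print "fixed" when VERSION is at or above FIXED_VERSION,
# "vulnerable" otherwise. VERSION is the upstream version string only, i.e. the
# output of: rpm -q --qf '%{VERSION}\n' flash-player-plugin
flash_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Demonstration on constructed sample version strings (not values from the bug).
for v in 11.2.202.39 11.2.202.394 11.2.202.400 11.2.202.406 11.2 11.3; do
    printf '%-14s %s\n' "$v" "$(flash_status "$v")"
done
```

On a Mageia host, feed the real value in with `flash_status "$(rpm -q --qf '%{VERSION}' flash-player-plugin)"`; if the package is not installed, rpm prints an error instead of a version, so check its exit status first.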
Anssi Hannula 2014-08-14 18:06:37 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Bill Wilkinson 2014-08-14 22:57:49 CEST
Tested mga4-64

Watched a couple of YouTube videos, played a flash game, changed and reverted a setting with the kde settings, all behaved as expected.

Given that my 32-bit machines have the older AMD processor and I'm still having rpm issues with mga3-64, I'll have to hand the rest of the testing for this one off.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 2 David Walser 2014-08-15 02:55:30 CEST
All good on Mageia 4 i586.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 3 Bill Wilkinson 2014-08-15 03:46:07 CEST
OK, found where the problem is with my mga3-64 setup, amended the bug.  Tested mga3-64 as in comment 1, no regressions noted.

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK mga3-64=ok

Marja Van Waes 2014-08-15 08:15:41 CEST

CC: (none) => marja11
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK mga3-64=ok => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK

Rémi Verschelde 2014-08-15 11:35:29 CEST

CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK

Comment 4 claire robinson 2014-08-15 14:14:04 CEST
Testing complete mga3 32

kde integration and in use.

Ready for validating.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK

Comment 5 Rémi Verschelde 2014-08-15 16:15:19 CEST
Validating, advisory uploaded.

Please push flash-player-plugin to Mageia 3 & 4 nonfree/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-08-18 11:15:55 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0335.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED