Bug 15035

Summary: Security update request for flash-player-plugin, to 11.2.202.429
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wrw105
Version: 4Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: flash-player-plugin CVE: CVE-2015-0301, CVE-2015-0302, CVE-2015-0303, CVE-2015-0304, CVE-2015-0305, CVE-2015-0306, CVE-2015-0307, CVE-2015-0308, CVE-2015-0309
Status comment:

Description Anssi Hannula 2015-01-13 19:42:06 CET 
Advisory:
============
Adobe Flash Player 11.2.202.429 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves an improper file validation issue (CVE-2015-0301).  

This update resolves an information disclosure vulnerability that could be exploited to capture keystrokes on the affected system (CVE-2015-0302).  

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-0303, CVE-2015-0306).  

This update resolves heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0304, CVE-2015-0309).  

This update resolves a type confusion vulnerability that could lead to code execution (CVE-2015-0305). 

This update resolves an out-of-bounds read vulnerability that could be exploited to leak memory addresses (CVE-2015-0307).  

This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2015-0308).

References:
http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0309
============

Updated Flash Player 11.2.202.429 packages are in mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.429-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.429-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.429-1.mga4.nonfree
Comment 1 claire robinson 2015-01-13 23:23:01 CET 
Testing complete mga4 32

https flash video with hardware acceleration enabled and used kde system settings to delete local flash storage.

Whiteboard: (none) => has_procedure mga4-32-ok
Severity: normal => major

Comment 2 Bill Wilkinson 2015-01-14 15:27:15 CET 
Tested as Claire listed above, all OK.

Validating.  Just needs advisory uploaded to push.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 3 claire robinson 2015-01-14 18:32:19 CET 
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 4 Mageia Robot 2015-01-14 22:56:18 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0024.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED