Bug 15136

Summary: Security update request for flash-player-plugin, to 11.2.202.440
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: High CC: sysadmin-bugs
Version: 4Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: flash-player-plugin CVE: CVE-2015-0311, CVE-2015-0312
Status comment:

Description Anssi Hannula 2015-01-26 18:42:39 CET 
Advisory:
============
Adobe Flash Player 11.2.202.440 contains a fix to a critical unspecified security vulnerability found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system (CVE-2015-0311).

Adobe reports that this vulnerability is already being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows.

References:
http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311
============

NOTE: There are no release notes from Adobe available yet. If those are released (at http://blogs.adobe.com/psirt/ ) before this update is pushed, the advisory can be updated with more details.


Updated Flash Player 11.2.202.440 packages are in mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.440-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.440-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.440-1.mga4.nonfree
Comment 1 Anssi Hannula 2015-01-26 19:00:35 CET 
The submitted 1.mga4.nonfree pkgs had a bug in the download URL section, submitted fixed packages now:

Source packages:
flash-player-plugin-11.2.202.440-1.1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.440-1.1.mga4.nonfree
flash-player-plugin-kde-11.2.202.440-1.1.mga4.nonfree
Comment 2 claire robinson 2015-01-26 21:25:50 CET 
Testing complete mga4 32

Whiteboard: (none) => mga4-32-ok

Comment 3 claire robinson 2015-01-26 22:00:09 CET 
Advisory uploaded. I added http://blogs.adobe.com/psirt/ as a reference for now.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 4 claire robinson 2015-01-27 13:14:55 CET 
Testing complete mga4 64

https flash video from youtube. https://www.adobe.com/software/flash/about/ version check. Deleted local storage with kde system settings.

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory has_procedure mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-01-27 13:15:15 CET 
Validating. Please push to 4 updates.
Comment 6 Anssi Hannula 2015-01-27 18:44:22 CET 
Adobe has released a new bulletin. This version also contains another security fix.

Updated suggested advisory:
============
  Adobe Flash Player 11.2.202.440 contains fixes to critical security
  vulnerabilities found in earlier versions that could cause a crash and
  potentially allow an attacker to take control of the affected system.

  Adobe reports that CVE-2015-0311 is already being actively exploited in the wild
  via drive-by-download attacks against systems running Internet Explorer and
  Firefox on Windows.

  This update resolves a use-after-free vulnerability that could lead to code
  execution (CVE-2015-0311).

  This update resolves a double-free vulnerability that could lead to code
  execution (CVE-2015-0312). 

references:
 - https://bugs.mageia.org/show_bug.cgi?id=15136
 - http://helpx.adobe.com/security/products/flash-player/apsb15-03.html
============

CVE: CVE-2015-0311 => CVE-2015-0311, CVE-2015-0312

Comment 7 David Walser 2015-01-27 18:52:01 CET 
Thanks.  Removing advisory tag from whiteboard until it's updated in SVN.

Whiteboard: advisory has_procedure mga4-32-ok mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 8 claire robinson 2015-01-27 18:52:50 CET 
Advisory updated in svn.

Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 9 Mageia Robot 2015-01-27 22:09:12 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0043.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED