| Summary: | Security update request for flash-player-plugin, to 11.2.202.468 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Anssi Hannula <anssi.hannula> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, wrw105 |
| Version: | 5 | Keywords: | Security, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | flash-player-plugin | CVE: | CVE-2015-3096, CVE-2015-3098, CVE-2015-3099, CVE-2015-3100, CVE-2015-3101, CVE-2015-3102, CVE-2015-3103, CVE-2015-3104, CVE-2015-3105, CVE-2015-3106, CVE-2015-3107, CVE-2015-3108, CVE-2015-3113 |
| Status comment: | |||

Description
Anssi Hannula
2015-06-17 17:02:02 CEST
This also needs to be updated for Mageia 5, but can't be until Mageia 5 SVN is branched.

Tested the usual battery: played videos on YouTube, played a game, changed cookie settings in KDE panel, all OK.

MGA4-64

My 32 bit system apparently needs a new motherboard, so I'm stuck on 64 at this point.

CC: (none) => wrw105

Updated Flash Player 11.2.202.466 packages are now submitted to mga5 nonfree/updates_testing as well, in addition to mga4 that were previously available.

Version: 4 => 5

Thanks Anssi! Confirmed working on Mageia 4 i586.

Whiteboard: MGA4TOO mga4-64-ok has_procedure => MGA4TOO mga4-64-ok mga4-32-ok has_procedure

Tested mga5-64 as above. All OK.

Whiteboard: MGA4TOO mga4-64-ok mga4-32-ok has_procedure => MGA4TOO mga4-64-ok mga4-32-ok has_procedure mga5-64-ok

While it does work, as usual another critical security bug has been found, so there is no point pushing this one as flash-plugin-11.2.202.468-release.x86_64.rpm has been released fixing another critical security issue.

CC: (none) => davidwhodgins

Adobe has released a new emergency update for an issue that is being exploited in the wild: 11.2.202.468. Please re-test.

Updated advisory:
============

Adobe Flash Player 11.2.202.468 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.

This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2015-3113).

This update resolves a vulnerability (CVE-2015-3096) that could be exploited to bypass the fix for CVE-2014-5333.

This update resolves vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-3098, CVE-2015-3099, CVE-2015-3102).

This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2015-3100).

This update resolves a permission issue in the Flash broker for Internet Explorer that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2015-3101).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2015-3104).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2015-3105).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-3103, CVE-2015-3106, CVE-2015-3107).

This update resolves a memory leak vulnerability that could be used to bypass ASLR (CVE-2015-3108).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-11.html
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3133
============

Updated Flash Player 11.2.202.468 packages are in mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.468-1.mgaX.nonfree

Binary packages:
flash-player-plugin-11.2.202.468-1.mgaX.nonfree
flash-player-plugin-kde-11.2.202.468-1.mgaX.nonfree

CVE: CVE-2015-3096, CVE-2015-3098, CVE-2015-3099, CVE-2015-3100, CVE-2015-3101, CVE-2015-3102, CVE-2015-3103, CVE-2015-3104, CVE-2015-3105, CVE-2015-3106, CVE-2015-3107, CVE-2015-3108 => CVE-2015-3096, CVE-2015-3098, CVE-2015-3099, CVE-2015-3100, CVE-2015-3101, CVE-2015-3102, CVE-2015-3103, CVE-2015-3104, CVE-2015-3105, CVE-2015-3106, CVE-2015-3107, CVE-2015-3108, CVE-2015-3113

Dave Hodgins
2015-06-23 23:51:05 CEST
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory

Mageia 4 testing complete. I'll test Mageia 5 shortly.

Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK

Testing complete. Someone from the sysadmin team please push 16139.adv to updates (Note, both Mageia 4 and 5).

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0248.html

Status: ASSIGNED => RESOLVED