Bug 16325

Summary: Security update request for flash-player-plugin, to 11.2.202.481
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: High CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK advisory MGA5-64-OK MGA5-32-OK
Source RPM: flash-player-plugin CVE: CVE-2015-5119 and 34 others that do not fit in this field
Status comment:

Description Anssi Hannula 2015-07-08 16:59:07 CEST 
Advisory:
============
Adobe Flash Player 11.2.202.481 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published. 

This updates resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118).

This updates resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431).

This updates resolves null pointer dereference issues (CVE-2015-3126, CVE-2015-4429).

This updates resolves a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114).

This updates resolves type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433).

This updates resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119).

This updates resolves vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4430
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119
============

Updated Flash Player 11.2.202.481 packages are in mga5+mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.481-1.mga5.nonfree

Binary packages:
flash-player-plugin-11.2.202.481-1.mga5.nonfree
flash-player-plugin-kde-11.2.202.481-1.mga5.nonfree
Anssi Hannula 2015-07-08 16:59:20 CEST

Whiteboard: (none) => MGA4TOO

Anssi Hannula 2015-07-08 16:59:35 CEST

Assignee: bugsquad => qa-bugs

Comment 1 Dave Hodgins 2015-07-09 01:41:23 CEST 
Advisory committed to svn, and testing complete on Mageia 4.

Note I used flash-player-plugin-11.2.202.481-1.mga4.nonfree for
the Mageia 4 srpm, as it wasn't specified above.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK MGA4-32-OK advisory

Comment 2 Dave Hodgins 2015-07-09 01:50:16 CEST 
Testing complete on Mageia 5. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK advisory => MGA4TOO MGA4-64-OK MGA4-32-OK advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-07-09 10:10:08 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0273.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED