Bug 1635

Summary: Flash needs to be updated for CVE-2011-2107 and CVE-2011-2110
Product: Mageia
Reporter: Pascal Terjan <pterjan>
Component: Security
Assignee: Security team <security_officers>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: davidwhodgins, ennael1, lists.jjorge, qa-bugs
Version: 1
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: flash-player-plugin
CVE:
Status comment:

Description Pascal Terjan 2011-06-06 14:08:02 CEST
Current package is 10.3.181.14; it needs to be updated to 10.3.181.22.

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
Comment 1 Pascal Terjan 2011-06-11 12:23:16 CEST
10.3.181.22 is available in nonfree/updates_testing
Comment 2 Ahmad Samir 2011-06-15 23:48:16 CEST
A new version, 10.3.181.26, which should resolve CVE-2011-2110, will land in nonfree/updates_testing soon.

Summary: Flash needs to be updated for CVE-2011-2107 => Flash needs to be updated for CVE-2011-2107 and CVE-2011-2110
Source RPM: (none) => flash-player-plugin

Comment 3 Dave Hodgins 2011-06-23 22:53:04 CEST
I've tested 10.3.181.26 on Mageia 1 i586 (using Opera and YouTube), and it
is working. Looks ready for nonfree/updates to me.

CC: (none) => davidwhodgins

Anne Nicolas 2011-07-07 13:24:06 CEST

CC: (none) => ennael1, qa-bugs
Assignee: bugsquad => security

Comment 4 Dave Hodgins 2011-07-08 00:57:49 CEST
Note that 10.3.181.34 was released June 28th.
http://forums.adobe.com/thread/870916
Comment 5 Ahmad Samir 2011-07-08 07:34:30 CEST
According to that forum post it's not a security update, but it still fixes some bugs.

10.3.181.34 should be in updates_testing soon.
Comment 6 Dave Hodgins 2011-07-08 19:53:20 CEST
Tested at http://www.adobe.com/software/flash/about/
and youtube.com.

Testing complete on i586.

Package
flash-player-plugin
srpm
flash-player-plugin-10.3.181.34-0.1.mga1.nonfree.src.rpm

When testing on x86-64 is complete, move from
Nonfree Updates Testing to Nonfree Updates.

Advisory:
Flash security update fixing cross-site scripting vulnerability CVE-2011-2107,
memory corruption vulnerability CVE-2011-2110, as well as compatibility
issues with some content using cross-domain policy files.
Comment 7 José Jorge 2011-07-09 09:32:01 CEST
There is no x86-64 package, so this can be submitted.

CC: (none) => lists.jjorge

Comment 8 James Kerr 2011-07-09 10:55:56 CEST
This rpm is only available in the i586 repo. There is no stable 64 bit version of flash-player available from Adobe.
Comment 9 James Kerr 2011-07-09 11:01:44 CEST
Sorry for my redundant comment. I misunderstood comment 7.
Comment 10 Dave Hodgins 2011-07-10 02:44:24 CEST
Can someone from the sysadmin team push the package
flash-player-plugin
srpm flash-player-plugin-10.3.181.34-0.1.mga1.nonfree.src.rpm
from Nonfree Updates Testing to Nonfree Updates (i586 only),
with the advisory ...
Flash security update fixing cross-site scripting vulnerability CVE-2011-2107,
memory corruption vulnerability CVE-2011-2110, as well as compatibility
issues with some content using cross-domain policy files.
Comment 11 Nicolas Vigier 2011-07-10 17:22:40 CEST
pushed to updates.

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:17 CEST

CC: boklm => (none)