Bug 16955

Summary: Security update request for flash-player-plugin, to 11.2.202.535
Product: Mageia
Component: Security
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: flash-player-plugin
Status comment:
Reporter: Anssi Hannula <anssi.hannula>
Assignee: QA Team <qa-bugs>
QA Contact: Sec team <security>
CC: davidwhodgins, lewyssmith, sysadmin-bugs, westel
Keywords: validated_update
CVE: CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644

Description Anssi Hannula 2015-10-13 18:35:03 CEST
Advisory:
============
Adobe Flash Player 11.2.202.535 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-7628).

This update includes a defense-in-depth feature in the Flash broker API (CVE-2015-5569).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7643, CVE-2015-7644).

This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2015-7632).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7644
============

CVEs: CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644

Updated Flash Player 11.2.202.535 packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.535-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

Dave Hodgins 2015-10-13 19:03:59 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Lewis Smith 2015-10-13 20:41:00 CEST
Testing MGA5 x64 real hardware.

flash-player-plugin-11.2.202.535-1.mga5.nonfree

Watched a couple of videos on the BBC site, and one from YouTube (thank goodness for the 'pause' facility). No problem encountered. OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 Ben McMonagle 2015-10-14 00:06:08 CEST
Testing MGA5 i586 real hardware.

flash-player-plugin-11.2.202.535-1.mga5.nonfree

times square earthcam - hd: 
windowed - sound / video ok,
fullscreen - sound / video ok, 
"esc" to exit full screen mode - ok.

abbey road crossing cam - sd:
windowed - sound / video ok,
fullscreen - sound / video ok, 
"esc" to exit full screen mode - not ok. double mouse click required to exit full screen mode

CC: (none) => westel

Comment 3 David Walser 2015-10-14 03:24:33 CEST
Tested playing some videos from Duran Duran's new album on YouTube.  They play fine.  Full screen works, as does coming back from full screen.  Mageia 5 i586.

Please upload the advisory and push to nonfree/updates.  Thank you.

Keywords: Security => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-10-14 07:55:59 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0399.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED