Bug 17313

Summary: Security update request for flash-player-plugin, to 11.2.202.554
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, sysadmin-bugs
Version: 5Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb15-32.html
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: flash-player-plugin CVE: 78 CVEs, too many to fit here
Status comment:

Description Anssi Hannula 2015-12-08 19:23:20 CET 
Advisory:
============
Adobe Flash Player 11.2.202.554 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-8438, CVE-2015-8446).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-8444, CVE-2015-8443, CVE-2015-8417, CVE-2015-8416, CVE-2015-8451, CVE-2015-8047, CVE-2015-8053, CVE-2015-8045, CVE-2015-8051, CVE-2015-8060, CVE-2015-8419, CVE-2015-8408).

This update resolves security bypass vulnerabilities (CVE-2015-8453, CVE-2015-8440, CVE-2015-8409).

This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2015-8407).

This update resolves a type confusion vulnerability that could lead to code execution (CVE-2015-8439).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2015-8445).

This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2015-8415)

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, CVE-2015-8049, CVE-2015-8437, CVE-2015-8450, CVE-2015-8449, CVE-2015-8448, CVE-2015-8436, CVE-2015-8452, CVE-2015-8048, CVE-2015-8413, CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, CVE-2015-8425, CVE-2015-8433, CVE-2015-8432, CVE-2015-8431, CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8434, CVE-2015-8435, CVE-2015-8414, CVE-2015-8052, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055, CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067, CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404, CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, CVE-2015-8401, CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-32.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8067
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8430
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8437
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8438
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8453
============

CVEs: CVE-2015-8045, CVE-2015-8047, CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8051, CVE-2015-8052, CVE-2015-8053, CVE-2015-8054, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8060, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8407, CVE-2015-8408, CVE-2015-8409, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8415, CVE-2015-8416, CVE-2015-8417, CVE-2015-8419, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8438, CVE-2015-8439, CVE-2015-8440, CVE-2015-8441, CVE-2015-8442, CVE-2015-8443, CVE-2015-8444, CVE-2015-8445, CVE-2015-8446, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8451, CVE-2015-8452, CVE-2015-8453

Updated Flash Player 11.2.202.554 packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.554-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 David Walser 2015-12-09 03:09:59 CET 
Working fine, Mageia 5 i586.

CC: (none) => luigiwalser
Whiteboard: (none) => MGA5-32-OK

Comment 2 James Kerr 2015-12-09 07:56:47 CET 
On mga5-64

installing flash-player-plugin-kde-11.2.202.554-1.mga5.nonfree.x86_64.rpm flash-player-plugin-11.2.202.554-1.mga5.nonfree.x86_64.rpm 

Packages installed cleanly. Flash video and streaming working in Firefox

OK for mga5-64

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 3 James Kerr 2015-12-09 08:01:43 CET 
This update is now validated. The Advisory needs to be uploaded to SVN. The packages can then be pushed to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 RĂ©mi Verschelde 2015-12-09 08:46:13 CET 
Advisory uploaded.

78 CVEs... Come on flash, just die already...

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2015-12-09 11:53:47 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0468.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED