Bug 17721

Summary: Security update request for flash-player-plugin, to 11.2.202.569
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs
Version: 5Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
Whiteboard: has_procedure advisory MGA5-32-OK mga5-64-ok
Source RPM: flash-player-plugin CVE: 22 CVEs, too many to fit here
Status comment:

Description Anssi Hannula 2016-02-09 17:54:41 CET 
Advisory:
============
Adobe Flash Player 11.2.202.569 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a type confusion vulnerability that could lead to code execution (CVE-2016-0985).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).

This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-0971).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).

References:
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0985
============

CVEs: CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984, CVE-2016-0985

Updated Flash Player 11.2.202.569 packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.569-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 David Walser 2016-02-09 18:47:21 CET 
Working fine on Mageia 5 i586.

Whiteboard: (none) => MGA5-32-OK

Comment 2 claire robinson 2016-02-09 19:03:53 CET 
Advisory uploaded.

Whiteboard: MGA5-32-OK => advisory MGA5-32-OK
Severity: normal => critical

Comment 3 claire robinson 2016-02-09 19:08:21 CET 
Testing complete mga5 64

Ensured correct version downloaded..
Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.569/flash-plugin-11.2.202.569-release.x86_64.rpm

Checked flash video, OK. Deleted local flash storage in kde system settings.

Validating. Please push to 5 updates. Thanks

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-02-09 20:06:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0062.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED