Bug 18933

Summary: Security update request for flash-player-plugin, to 11.2.202.632
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 5Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: flash-palyer-plugin CVE: 52 CVEs, too many to fit here
Status comment:

Description Anssi Hannula 2016-07-12 18:04:59 CEST 
Advisory:
============
Adobe Flash Player 11.2.202.632 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

This update resolves a memory leak vulnerability (CVE-2016-4232).

This update resolves stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

This update resolves a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178)

References:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4249

============

CVEs: CVE-2016-4172, CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249

Updated Flash Player packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.632-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 claire robinson 2016-07-12 20:04:15 CEST 
testing complete mga5 64

Checked correct version downloaded..

Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.632/flash-plugin-11.2.202.632-release.x86_64.rpm:


Tested at https://www.adobe.com/software/flash/about/ which shows correct version info and some flash video content.

Used the thingy in kde system settings to delete local storage.

Whiteboard: (none) => has_procedure mga5-64-ok

Comment 2 claire robinson 2016-07-12 20:08:45 CEST 
Advisory uploaded + good grief @ 52 CVEs
claire robinson 2016-07-12 20:08:55 CEST

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 3 claire robinson 2016-07-12 20:10:27 CEST 
Validating. Please push urgently.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-07-12 21:50:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0251.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED