Bug 19359

Summary: Security update request for flash-player-plugin, to 11.2.202.635
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
Whiteboard: MGA5-32-OK mga5-64-ok advisory
Source RPM: flash-player-plugin CVE: 26 CVEs, too many to fit here
Status comment:

Description Anssi Hannula 2016-09-14 20:03:03 CEST 
Advisory:
============
Adobe Flash Player 11.2.202.635 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2016-4287). 

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932). 

This update resolves security bypass vulnerabilities that could lead to information disclosure (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278). 

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924).


References:
https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4280
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6922
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6931
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6932

============

CVEs: CVE-2016-4271, CVE-2016-4272, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4277, CVE-2016-4278, CVE-2016-4279, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-4287, CVE-2016-6921, CVE-2016-6922, CVE-2016-6923, CVE-2016-6924, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.635-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 David Walser 2016-09-15 05:13:24 CEST 
Working fine Mageia 5 i586.

Whiteboard: (none) => MGA5-32-OK

Comment 2 Bill Wilkinson 2016-09-16 01:27:34 CEST 
Played a game and viewed video mga5-64.

Validating. Ready for push when advisory uploaded to svn.

Keywords: Security => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 3 Dave Hodgins 2016-09-21 16:39:00 CEST 
Advisory added to svn

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory

Comment 4 Mageia Robot 2016-09-21 22:39:31 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0315.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Anssi Hannula 2016-10-15 09:35:31 CEST

Summary: Security update request for flash-player-plugin, to 11.2.202.632 => Security update request for flash-player-plugin, to 11.2.202.635