Bug 20536

Summary: flash-player-plugin security update 25.0.0.127
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: flash-player-plugin CVE:
Status comment:

Description Nicolas Salguero 2017-03-20 11:53:47 CET 
Hi,

Version 25.0.0.127 fixes:

A buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).

Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).

A random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).

Use-after-free vulnerabilities that could lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).

Reference: https://helpx.adobe.com/security/products/flash-player/apsb17-07.html

Best regards,

Nico.
Nicolas Salguero 2017-03-20 11:54:18 CET

Source RPM: (none) => flash-player-plugin
Whiteboard: (none) => MGA5TOO

Marja Van Waes 2017-03-20 12:11:04 CET

CC: (none) => marja11
Assignee: bugsquad => anssi.hannula

Comment 1 Frédéric "LpSolit" Buclin 2017-03-23 19:48:13 CET 
Flash 25 is already in Cauldron. Could someone backport it to Mageia 5, please? Firefox already blocked several websites due to a too old version of Flash. :(
Comment 2 Rémi Verschelde 2017-03-23 21:34:27 CET 
Will do.

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: anssi.hannula => rverschelde
Whiteboard: MGA5TOO => (none)

Comment 3 Rémi Verschelde 2017-03-23 21:45:31 CET 
Submitted to nonfree/updates_testing:  flash-player-plugin-25.0.0.127-1.mga5

Advisory yet to come.

Assignee: rverschelde => qa-bugs

Comment 4 Dave Hodgins 2017-03-23 22:46:38 CET 
Tested on i586 and x86_64. Advisory added as ...
type: security
subject: Updated flash-player-plugin packages fix security vulnerability
CVE:
 - CVE-2017-2997
 - CVE-2017-2998
 - CVE-2017-2999
 - CVE-2017-3000
 - CVE-2017-3001
 - CVE-2017-3002
 - CVE-2017-3003
src:
  5:
   nonfree:
     - flash-player-plugin-25.0.0.127-1.mga5.nonfree
description: |
  Updated flash-player-plugin installs latest version for the flash plugin
  from adobe. See the referenced security bulletin for details.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20536
 - https://helpx.adobe.com/security/products/flash-player/apsb17-07.html

Validating the update

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-03-25 17:57:40 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0087.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED