Bug 9677

Summary: Security update request for flash-player-plugin, to 11.2.202.280
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, sysadmin-bugs, tmb
Version: 2Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga2-64-ok mga2-32-ok
Source RPM: flash-player-plugin CVE:
Status comment:

Description Anssi Hannula 2013-04-09 18:08:58 CEST 
Flash Player 11.2.202.280 has been pushed to mga2 nonfree/updates_testing.

Updated Flash Player 11.2.202.280 packages are in mga2 nonfree/updates_testing
as flash-player-plugin (i586 and x86_64) and flash-player-plugin-kde (i586 and
x86_64).

No advisory just yet, nothing has been published by Adobe. I'll give them 24 hours after which we will push this as a non-security update. I'll write an advisory at that time at the latest.

I think this update can be tested regardless.
Comment 1 Anssi Hannula 2013-04-09 19:55:36 CEST 
And we got advisory.

Advisory:
============
Adobe Flash Player 11.2.202.280 contains fixes to critical security
vulnerabilities found in earlier versions. These vulnerabilities could cause a
crash and potentially allow an attacker to take control of the affected system.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-2555). 

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-1378, CVE-2013-1380). 

These updates resolve a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution (CVE-2013-1379).

References:
http://www.adobe.com/support/security/bulletins/apsb13-11.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2555
============

Keywords: (none) => Security
Status: NEW => ASSIGNED
Component: RPM Packages => Security
Summary: Update request for flash-player-plugin, to 11.2.202.280 => Security update request for flash-player-plugin, to 11.2.202.280

Comment 2 David GEIGER 2013-04-09 20:17:42 CEST 
Testing complete for the new flash-player-plugin-11.2.202.280 and flash-player-plugin-kde on Mageia release 2 (Official) for x86_64, for it's good nothind to report, it works fine.

test some video: youtube, dailymotion, pluzz, tf1replay, m6replay...

CC: (none) => geiger.david68210

Comment 3 claire robinson 2013-04-09 22:13:50 CEST 
testing mga2 32

Whiteboard: (none) => mga2-64-ok

Comment 4 claire robinson 2013-04-09 22:21:30 CEST 
Thanks Anssi & David

Testing complete mga2 32

Checked flash videos and deleted storage in kde flash settings

Validating

Advisory & srpm in comment 1

Could sysadmin please push from nonfree/updates_testing to nonfree/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: mga2-64-ok => mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

claire robinson 2013-04-09 22:22:48 CEST

QA Contact: (none) => security

Comment 5 Thomas Backlund 2013-04-10 00:13:04 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0116

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED