Bug 10093 - Security update request for flash-player-plugin, to 11.2.202.285
: Security update request for flash-player-plugin, to 11.2.202.285
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64...
: Security, validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-05-14 18:27 CEST by Anssi Hannula
Modified: 2013-05-15 22:06 CEST (History)
6 users (show)

See Also:
Source RPM: flash-player-plugin
CVE:
Status comment:


Attachments

Description Anssi Hannula 2013-05-14 18:27:10 CEST
Advisory:
============
Adobe Flash Player 11.2.202.285 contains fixes to critical security
vulnerabilities found in earlier versions. These vulnerabilities could cause a
crash and potentially allow an attacker to take control of the affected system.

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, CVE-2013-3335).

References:
http://www.adobe.com/support/security/bulletins/apsb13-14.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3335
============

Updated Flash Player 11.2.202.285 packages are in mga2 nonfree/updates_testing
as flash-player-plugin (i586 and x86_64) and flash-player-plugin-kde (i586 and
x86_64).
Comment 1 David Walser 2013-05-14 18:33:13 CEST
We shouldn't push this until it can be pushed for Mageia 3 also.
Comment 2 claire robinson 2013-05-14 20:25:37 CEST
I'd suggest, to get this included for release we should count this bug as our first mga2 & mga3 validation and test the flash player in mga3 updates testing during our installations as well. It can then be pushed into both in the knowledge it's been checked.

I'm happy to do so tomorrow (if Dave doesn't beat me to it) I've had to be elsewhere today.
Comment 3 Dave Hodgins 2013-05-15 01:19:24 CEST
Testing complete on Mageia 2 i586, x86_64, Mageia 3 i586 and x86_64 using
http://www.youtube.com/watch?v=KaOC9danxNo

Could someone from the sysadmin team push the srpm
flash-player-plugin-11.2.202.285-1.mga2.nonfree.src.rpm
from Mageia 2 Nonfree Updates Testing to Nonfree Updates,
and make an exception to push the srpm
flash-player-plugin-11.2.202.285-1.mga3.nonfree.src.rpm
from Mageia 3 Nonfree Updates Testing to Nonfree release,
or delete it from Nonfree Updates Testing and submit it
to Nonfree Release.
Note that it is not included on any of the iso images.

Advisory: Adobe Flash Player 11.2.202.285 contains fixes to critical security
vulnerabilities found in earlier versions. These vulnerabilities could cause a
crash and potentially allow an attacker to take control of the affected system.

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, CVE-2013-3335).

References:
http://www.adobe.com/support/security/bulletins/apsb13-14.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3335

https://bugs.mageia.org/show_bug.cgi?id=10093
Comment 4 claire robinson 2013-05-15 09:38:48 CEST
Thanks Dave :)
Comment 5 Sander Lepik 2013-05-15 10:21:45 CEST
MGA3-*-OK - how can this be OK? AFAIK Thomas will wipe updates_testing when we are releasing Mageia 3. Also AFAIK there are some packages in updates_testing that won't be released at all with Mageia 3. How do you know that packages in updates_testing don't depend on such packages?
Comment 6 claire robinson 2013-05-15 10:30:32 CEST
I guess the same way we do for Mageia 2, we don't install them :)

Not sure I understand your objection to this Sander? Flash player is widely deployed software which we normally prioritise in our testing and this has now been tested on Mageia 2 and Mageia 3 on x86_64 and i586.
Comment 7 Sander Lepik 2013-05-15 10:49:14 CEST
Yeah, but if Thomas is going to wipe updates_testing during release then what are you going to push into updates? AFAIK those packages have to be rebuilt after release. And that means they have to be tested again.. Correct me if I'm missing something.
Comment 8 claire robinson 2013-05-15 10:53:37 CEST
Well, hopefully Thomas can push them from testing into release on cauldron and testing to updates on mga2.

The alternative would be to hold the update on mageia 2 until after release of mga3, which for something like flash seems unwise if we can possibly help it.

We'll defer to his judgement of course.
Comment 9 David GEIGER 2013-05-15 17:19:04 CEST
Testing complete for flash-player-plugin-11.2.202.285-1.mga2.nonfree and flash-player-plugin-kde-11.2.202.285-1.mga2.nonfree Mageia release 2 (Official) for x86_64, it's ok for me nothing to report and work fine.

Some video on youtube, dailymotion, pluzz.fr, M6, etc....
Test on speedtest.net using flash-player too.
Comment 10 Thomas Backlund 2013-05-15 22:06:26 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0146

and Cauldron packages moved to release

Note You need to log in before you can comment on or make changes to this bug.