Bug 13907 - Security update request for flash-player-plugin, to 11.2.202.400
Summary: Security update request for flash-player-plugin, to 11.2.202.400
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4...
Keywords: Security, validated_update
 
Reported: 2014-08-14 18:05 CEST by Anssi Hannula
Modified: 2014-08-18 11:15 CEST

Source RPM: flash-player-plugin
CVE: CVE-2014-0538, CVE-2014-0540, CVE-2014-0541, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545



Description Anssi Hannula 2014-08-14 18:05:54 CEST
Advisory:
============
Adobe Flash Player 11.2.202.400 contains fixes to critical security 
vulnerabilities found in earlier versions that could potentially allow an 
attacker to take control of the affected system.

This update resolves memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545).
 
This update resolves a security bypass vulnerability (CVE-2014-0541).
 
This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).

References:
https://helpx.adobe.com/security/products/flash-player/apsb14-18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0545
============

Updated Flash Player 11.2.202.400 packages are in mga3+mga4
nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.400-1.mga3.nonfree
flash-player-plugin-11.2.202.400-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.400-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.400-1.mga3.nonfree
flash-player-plugin-11.2.202.400-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.400-1.mga4.nonfree

Anssi Hannula 2014-08-14 18:06:37 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Bill Wilkinson 2014-08-14 22:57:49 CEST
Tested mga4-64

Watched a couple of YouTube videos, played a flash game, changed and reverted a setting with the kde settings, all behaved as expected.

Given that my 32-bit machines have the older AMD processor and I'm still having rpm issues with mga3-64, I'll have to hand the rest of the testing for this one off.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 2 David Walser 2014-08-15 02:55:30 CEST
All good on Mageia 4 i586.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 3 Bill Wilkinson 2014-08-15 03:46:07 CEST
OK, found where the problem is with my mga3-64 setup, amended the bug.  Tested mga3-64 as in comment 1, no regressions noted.

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK mga3-64=ok

Marja Van Waes 2014-08-15 08:15:41 CEST

CC: (none) => marja11
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK mga3-64=ok => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK

Rémi Verschelde 2014-08-15 11:35:29 CEST

CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK

Comment 4 claire robinson 2014-08-15 14:14:04 CEST
Testing complete mga3 32

kde integration and in use.

Ready for validating.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK

Comment 5 Rémi Verschelde 2014-08-15 16:15:19 CEST
Validating, advisory uploaded.

Please push flash-player-plugin to Mageia 3 & 4 nonfree/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-08-18 11:15:55 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0335.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

