Bug 14096 - Security update request for flash-player-plugin, to 11.2.202.406
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA3TOO advisory mga4-64-ok mga3-64-o...
Keywords: validated_update
Reported: 2014-09-14 01:29 CEST by Anssi Hannula
Modified: 2014-09-22 10:31 CEST

Source RPM: flash-player-plugin
CVE: CVE-2014-0547, CVE-2014-0548, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0553, CVE-2014-0554, CVE-2014-0555, CVE-2014-0556, CVE-2014-0557, CVE-2014-0559

Description Anssi Hannula 2014-09-14 01:29:38 CEST
Advisory:
============
Adobe Flash Player 11.2.202.406 contains fixes to critical security 
vulnerabilities found in earlier versions that could potentially allow an 
attacker to take control of the affected system.

This update resolves memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557).

This update resolves a security bypass vulnerability (CVE-2014-0554).

This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2014-0553).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555).

This update resolves a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548).

This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559).

References:
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0559
============

Updated Flash Player 11.2.202.406 packages are in mga3+mga4
nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.406-1.mga3.nonfree
flash-player-plugin-11.2.202.406-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.406-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.406-1.mga3.nonfree
flash-player-plugin-11.2.202.406-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.406-1.mga4.nonfree

Anssi Hannula 2014-09-14 01:29:48 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Bill Wilkinson 2014-09-14 16:34:54 CEST
tested mga4-64
YouTube videos, played a Tetris game at flash-games.com, changed a setting with the control panel, all OK.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok mga3-64-ok

Comment 2 Bill Wilkinson 2014-09-14 23:57:23 CEST
Not sure if I set the bit for mga3-64 as well (possibly Firefox was being too helpful!), but I just tested mga3-64 as above, and all as expected.

Comment 3 Bill Wilkinson 2014-09-15 01:06:41 CEST
Oh, and in case anyone forgot: my 32-bit system has an older AMD processor, so the newer flash player plugins don't work with it, so I'll have to hand off the 32-bit testing to someone else.

Comment 4 David Walser 2014-09-15 02:57:48 CEST
Works fine Mageia 4 i586.  Will test Mageia 3 late tomorrow at work if nobody beats me to it.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok mga4-32-ok

Comment 5 David GEIGER 2014-09-15 09:04:36 CEST
Tested mga4_64,

Testing complete for the new flash-player-plugin-11.2.202.406-1.mga4.nonfree. OK for me, it works properly.

flash-player-plugin-11.2.202.406-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.406-1.mga4.nonfree

CC: (none) => geiger.david68210

Comment 6 David Walser 2014-09-15 22:17:05 CEST
Works fine Mageia 3 i586.  Validating the update now.

Could a sysadmin please push this to nonfree/updates for Mageia 3 and Mageia 4?

We also need someone to upload the advisory.  Thanks.

Keywords: Security => validated_update
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga3-64-ok mga4-32-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2014-09-16 14:27:54 CEST
Advisory uploaded.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga4-32-ok mga3-32-ok => MGA3TOO advisory mga4-64-ok mga3-64-ok mga4-32-ok mga3-32-ok

Comment 8 Mageia Robot 2014-09-22 10:31:55 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0382.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

