Bug 15035 - Security update request for flash-player-plugin, to 11.2.202.429
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://helpx.adobe.com/security/produ...
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2015-01-13 19:42 CET by Anssi Hannula
Modified: 2015-01-14 22:56 CET

See Also:
Source RPM: flash-player-plugin
CVE: CVE-2015-0301, CVE-2015-0302, CVE-2015-0303, CVE-2015-0304, CVE-2015-0305, CVE-2015-0306, CVE-2015-0307, CVE-2015-0308, CVE-2015-0309
Status comment:



Description Anssi Hannula 2015-01-13 19:42:06 CET
Advisory:
============
Adobe Flash Player 11.2.202.429 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves an improper file validation issue (CVE-2015-0301).  

This update resolves an information disclosure vulnerability that could be exploited to capture keystrokes on the affected system (CVE-2015-0302).  

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-0303, CVE-2015-0306).  

This update resolves heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0304, CVE-2015-0309).  

This update resolves a type confusion vulnerability that could lead to code execution (CVE-2015-0305). 

This update resolves an out-of-bounds read vulnerability that could be exploited to leak memory addresses (CVE-2015-0307).  

This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2015-0308).

References:
http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0309
============

Updated Flash Player 11.2.202.429 packages are in mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.429-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.429-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.429-1.mga4.nonfree

Comment 1 claire robinson 2015-01-13 23:23:01 CET
Testing complete mga4 32

HTTPS Flash video with hardware acceleration enabled, and used KDE System Settings to delete local Flash storage.

Whiteboard: (none) => has_procedure mga4-32-ok
Severity: normal => major

Comment 2 Bill Wilkinson 2015-01-14 15:27:15 CET
Tested as Claire listed above, all OK.

Validating.  Just needs advisory uploaded to push.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 3 claire robinson 2015-01-14 18:32:19 CET
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 4 Mageia Robot 2015-01-14 22:56:18 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0024.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

