Bug 1635 - Flash needs to be updated for CVE-2011-2107 and CVE-2011-2110
Summary: Flash needs to be updated for CVE-2011-2107 and CVE-2011-2110
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Security team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-06 14:08 CEST by Pascal Terjan
Modified: 2014-05-08 18:06 CEST (History)
4 users (show)

See Also:
Source RPM: flash-player-plugin
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pascal Terjan 2011-06-06 14:08:02 CEST 
Current package is 10.3.181.14, it needs to be updated to 10.3.181.22

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
Comment 1 Pascal Terjan 2011-06-11 12:23:16 CEST 
10.3.181.22 is available in nonfree/updates_testing
Comment 2 Ahmad Samir 2011-06-15 23:48:16 CEST 
A new version 10.3.181.26, should resolve CVE-2011-2110, will land in nonfree/updates_testing soon.

Summary: Flash needs to be updated for CVE-2011-2107 => Flash needs to be updated for CVE-2011-2107 and CVE-2011-2110
Source RPM: (none) => flash-player-plugin

Comment 3 Dave Hodgins 2011-06-23 22:53:04 CEST 
I've tested 10.3.181.26 on Mageia 1 i586 (using opera and youtube), and it
is working.  Looks ready for nonfree/updates to me.

CC: (none) => davidwhodgins

Anne Nicolas 2011-07-07 13:24:06 CEST

CC: (none) => ennael1, qa-bugs
Assignee: bugsquad => security

Comment 4 Dave Hodgins 2011-07-08 00:57:49 CEST 
Note that 10.3.181.34 was released June 28th.
http://forums.adobe.com/thread/870916
Comment 5 Ahmad Samir 2011-07-08 07:34:30 CEST 
According to that forum post it's not a security update, but it still fixes some bugs.

10.3.181.34 should be in updates_testing soon.
Comment 6 Dave Hodgins 2011-07-08 19:53:20 CEST 
Tested at http://www.adobe.com/software/flash/about/
and youtube.com.

Testing complete on i586.

Package
flash-player-plugin
srpm
flash-player-plugin-10.3.181.34-0.1.mga1.nonfree.src.rpm

When testing on x86-64 is complete, move from
Nonfree Updates Testing to Nonfree Updates.

Advisory:
Flash security update fixing cross-site scripting vulnerability CVE-2011-2107,
memory corruption vulnerability CVE-2011-2110, as well as compatibility
issues with some content using cross-domain policy files.
Comment 7 José Jorge 2011-07-09 09:32:01 CEST 
There is no x86-64 package, so this can be submitted.

CC: (none) => lists.jjorge

Comment 8 James Kerr 2011-07-09 10:55:56 CEST 
This rpm is only available in the i586 repo. There is no stable 64 bit version of flash-player available from Adobe.
Comment 9 James Kerr 2011-07-09 11:01:44 CEST 
Sorry for my redundant comment. I misunderstood comment 7.
Comment 10 Dave Hodgins 2011-07-10 02:44:24 CEST 
Can someone from the sysadmin team push the package
flash-player-plugin
srpm flash-player-plugin-10.3.181.34-0.1.mga1.nonfree.src.rpm
from Nonfree Updates Testing to Nonfree Updates. (i586 only).
with the advisory ...
Flash security update fixing cross-site scripting vulnerability CVE-2011-2107,
memory corruption vulnerability CVE-2011-2110, as well as compatibility
issues with some content using cross-domain policy files.
Comment 11 Nicolas Vigier 2011-07-10 17:22:40 CEST 
pushed to updates.

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:17 CEST

CC: boklm => (none)
Note You need to log in before you can comment on or make changes to this bug.