Bug 16573 - Security update request for flash-player-plugin, to 11.2.202.508
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA4TOO has_procedure mga4-32-ok advi...
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2015-08-11 18:10 CEST by Anssi Hannula
Modified: 2015-08-11 22:23 CEST

See Also:
Source RPM: flash-player-plugin
CVE: 34 CVEs, too many to fit here
Status comment:



Description Anssi Hannula 2015-08-11 18:10:15 CEST
Advisory:
============
Adobe Flash Player 11.2.202.508 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2015-5128, CVE-2015-5554, CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).

This update includes further hardening to a mitigation against vector length corruptions (CVE-2015-5125).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-5550, CVE-2015-5551, CVE-2015-3107, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559, CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5124).

This update resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5129, CVE-2015-5541).

This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5552, CVE-2015-5553).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2015-5560).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5562
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5563
============

CVEs: CVE-2015-3107, CVE-2015-5124, CVE-2015-5125, CVE-2015-5127, CVE-2015-5128, CVE-2015-5129, CVE-2015-5130, CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5541, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5550, CVE-2015-5551, CVE-2015-5552, CVE-2015-5553, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5557, CVE-2015-5558, CVE-2015-5559, CVE-2015-5560, CVE-2015-5561, CVE-2015-5562, CVE-2015-5563

Updated Flash Player 11.2.202.508 packages are in mga5+mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.508-1.mga4.nonfree
flash-player-plugin-11.2.202.508-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

Anssi Hannula 2015-08-11 18:10:32 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 claire robinson 2015-08-11 20:43:04 CEST
Testing complete mga4 32

Verified Flash was working on vimeo.com etc. and used the delete local Flash storage option in KDE system settings. Checked installed version at
http://www.adobe.com/software/flash/about/

Whiteboard: MGA4TOO => MGA4TOO has_procedure mga4-32-ok
Severity: normal => critical

Dave Hodgins 2015-08-11 21:22:05 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure mga4-32-ok => MGA4TOO has_procedure mga4-32-ok advisory

Comment 2 Yann Cantin 2015-08-11 21:42:19 CEST
mga5 64 LANG=fr_FR.UTF-8

flash-player-plugin-kde-11.2.202.508-1.mga5.nonfree
flash-player-plugin-11.2.202.508-1.mga5.nonfree

Flash working with videos and apps.
kde settings delete ok.

CC: (none) => yann.cantin
Whiteboard: MGA4TOO has_procedure mga4-32-ok advisory => MGA4TOO has_procedure mga4-32-ok advisory MGA5-64-OK

Dave Hodgins 2015-08-11 21:49:36 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-08-11 22:23:45 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0311.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

