Bug 16955 - Security update request for flash-player-plugin, to 11.2.202.535
Summary: Security update request for flash-player-plugin, to 11.2.202.535
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-13 18:35 CEST by Anssi Hannula
Modified: 2015-10-14 07:55 CEST

See Also:
Source RPM: flash-player-plugin
CVE: CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644
Status comment:


Description Anssi Hannula 2015-10-13 18:35:03 CEST
Advisory:
============
Adobe Flash Player 11.2.202.535 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-7628).

This update includes a defense-in-depth feature in the Flash broker API (CVE-2015-5569).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7643, CVE-2015-7644).

This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2015-7632).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).

References:
https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7644
============

CVEs: CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644

Updated Flash Player 11.2.202.535 packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.535-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

Dave Hodgins 2015-10-13 19:03:59 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Lewis Smith 2015-10-13 20:41:00 CEST
Testing MGA5 x64 real hardware.

flash-player-plugin-11.2.202.535-1.mga5.nonfree

Watched a couple of videos on the BBC site, and one from YouTube (thank goodness for the 'pause' facility). No problem encountered. OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 Ben McMonagle 2015-10-14 00:06:08 CEST
Testing MGA5 i586 real hardware.

flash-player-plugin-11.2.202.535-1.mga5.nonfree

times square earthcam - hd: 
windowed - sound / video ok,
fullscreen - sound / video ok, 
"esc" to exit full screen mode - ok.

abbey road crossing cam - sd:
windowed - sound / video ok,
fullscreen - sound / video ok, 
"esc" to exit full screen mode - not ok. double mouse click required to exit full screen mode

CC: (none) => westel

Comment 3 David Walser 2015-10-14 03:24:33 CEST
Tested playing some videos from Duran Duran's new album on YouTube.  They play fine.  Full screen works, as does coming back from full screen.  Mageia 5 i586.

Please upload the advisory and push to nonfree/updates.  Thank you.

Keywords: Security => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-10-14 07:55:59 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0399.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
