We don't yet have the release notes or security bulletin from Adobe, but I expect the newly posted version to fix CVE-2016-1019 which is being actively exploited on Windows so I've submitted it to testing already. I'll add the advisory as a comment once Adobe publishes the security bulletin, which I expect to happen within 24 hours. Updated Flash Player 11.2.202.616 packages are in mga5 nonfree/updates_testing. Source packages: flash-player-plugin-11.2.202.616-1.mga5.nonfree Binary packages: flash-player-plugin flash-player-plugin-kde
Thanks Anssi. Testing complete mga5 64 Watched flash video (rogue one trailer) and duran duran and deleted flash storage in kde system settings.
Whiteboard: (none) => has_procedure mga5-64-ok
Severity: major => critical
Seems to work OK in i586, too.
CC: (none) => andrewsfarmWhiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok
Confirmed working on Mageia 5 i586. Validating.
Keywords: Security => validated_updateCC: (none) => sysadmin-bugs
Following advisory added for now, so update can be pushed. type: security subject: Updated flash-player-plugin packages fix security vulnerability src: 5: nonfree: - flash-player-plugin-11.2.202.616-1.mga5.nonfree description: | Details to be provided when available. references: - https://bugs.mageia.org/show_bug.cgi?id=18158
CC: (none) => davidwhodginsWhiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisory
Adobe has released a Security Bulletin, so here is a full suggested advisory: Advisory: ============ Adobe Flash Player 11.2.202.616 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update hardens a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006). This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019). This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031). This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033). This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2016-1018). This update resolves a security bypass vulnerability (CVE-2016-1030). This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014). Adobe reports that CVE-2016-1019 is already being actively exploited on Windows systems. References: https://helpx.adobe.com/security/products/flash-player/apsb16-10.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1006 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1011 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1012 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1013 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1014 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1015 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1016 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1021 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1022 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1023 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1024 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1025 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1026 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1027 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1028 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1029 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1030 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1031 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1032 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1033 ============ CVEs: CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033
URL: https://helpx.adobe.com/security/products/flash-player/apsa16-01.html => https://helpx.adobe.com/security/products/flash-player/apsb16-10.htmlCVE: CVE-2016-1019 => 24 CVEs
advisory updated in svn
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0134.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED