Advisory: ============ Adobe Flash Player 11.2.202.626 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149). This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148). This update resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138). This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171). This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140). This update resolves a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139). Adobe reports that an exploit for CVE-2016-4171 exists in the wild. References: https://helpx.adobe.com/security/products/flash-player/apsb16-18.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4122 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4123 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4124 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4125 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4127 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4129 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4130 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4131 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4132 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4133 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4135 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4136 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4137 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4140 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4141 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4145 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4148 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4149 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4150 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4151 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4152 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4154 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4156 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4171 ============ CVEs: CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171 Updated Flash Player packages are in mga5 nonfree/updates_testing. Source packages: flash-player-plugin-11.2.202.626-1.mga5.nonfree Binary packages: flash-player-plugin flash-player-plugin-kde
The submitted package had an incorrect changelog and I've submitted a new package to mga5 testing: flash-player-plugin-11.2.202.626-1.1.mga5.nonfree
Testing complete mga5 64 https://helpx.adobe.com/flash-player.html & video on bbc.co.uk in firefox Checked correct version being installed.. "Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.626/flash-plugin-11.2.202.626-release.x86_64.rpm:"
Whiteboard: (none) => has_procedure mga5-64-ok
Testing complete Mageia 5 i586. Tested Adobe's flash test page and a music video on vimeo.com (since YouTube seems to only want to use the HTML5 player with no sound now).
Keywords: Security => validated_updateWhiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-okCC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmbWhiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0228.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED