18933 – Security update request for flash-player-plugin, to 11.2.202.632

Bug 18933 - Security update request for flash-player-plugin, to 11.2.202.632

Summary: Security update request for flash-player-plugin, to 11.2.202.632

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	https://helpx.adobe.com/security/prod...
Whiteboard:	has_procedure advisory mga5-64-ok
Keywords:	Security, validated_update

Depends on:
Blocks:

Reported:	2016-07-12 18:04 CEST by Anssi Hannula
Modified:	2016-07-12 21:50 CEST (History)
CC List:	1 user (show)

See Also:
Source RPM:	flash-palyer-plugin
CVE:	52 CVEs, too many to fit here
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Anssi Hannula 2016-07-12 18:04:59 CEST

Advisory:
============
Adobe Flash Player 11.2.202.632 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

This update resolves a memory leak vulnerability (CVE-2016-4232).

This update resolves stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

This update resolves a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178)

References:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4249

============

CVEs: CVE-2016-4172, CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249

Updated Flash Player packages are in mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.632-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

Comment 1 claire robinson 2016-07-12 20:04:15 CEST

testing complete mga5 64

Checked correct version downloaded..

Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.632/flash-plugin-11.2.202.632-release.x86_64.rpm:


Tested at https://www.adobe.com/software/flash/about/ which shows correct version info and some flash video content.

Used the thingy in kde system settings to delete local storage.

Whiteboard: (none) => has_procedure mga5-64-ok

Comment 2 claire robinson 2016-07-12 20:08:45 CEST

Advisory uploaded + good grief @ 52 CVEs

claire robinson 2016-07-12 20:08:55 CEST

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 3 claire robinson 2016-07-12 20:10:27 CEST

Validating. Please push urgently.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-07-12 21:50:24 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0251.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.