Bug 19584 - flash-player-plugin security update 11.2.202.637
Summary: flash-player-plugin security update 11.2.202.637
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://helpx.adobe.com/security/prod...
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2016-10-13 18:30 CEST by Zombie Ryushu
Modified: 2016-10-18 20:46 CEST

See Also:
Source RPM: flash-player-plugin
CVE: CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992
Status comment:



Description Zombie Ryushu 2016-10-13 18:30:52 CEST
This update upgrades Flash Player to version 11.2.202.637.

Security Fix(es):

* This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4273, CVE-2016-4286, CVE-2016-6981,
CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992)

Zombie Ryushu 2016-10-13 18:45:43 CEST

URL: (none) => http://www.linuxsecurity.com/content/view/168645/

David Walser 2016-10-13 19:54:55 CEST

Assignee: bugsquad => anssi.hannula

Comment 1 Anssi Hannula 2016-10-15 09:39:09 CEST
Advisory:
============
Adobe Flash Player 11.2.202.637 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves a type confusion vulnerability that could lead to code execution (CVE-2016-6992). 
This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-6981, CVE-2016-6987). 
This update resolves a security bypass vulnerability (CVE-2016-4286). 
This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990).


References:
https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6992
============

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.637-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

Keywords: (none) => Security
Status: NEW => ASSIGNED
URL: http://www.linuxsecurity.com/content/view/168645/ => https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
CC: (none) => anssi.hannula
CVE: (none) => CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992
Assignee: anssi.hannula => qa-bugs

Comment 2 Lewis Smith 2016-10-17 11:14:48 CEST
Testing M5-64 real hardware:
 flash-player-plugin-11.2.202.637-1.mga5.nonfree

Simply watched a few video clips on the BBC site, with sound, mini & fullscreen.
No problem noted (except that sound is chronically weak on my system). OK for me, but needs wider confirmation.

CC: (none) => lewyssmith

Comment 3 Len Lawrence 2016-10-17 16:47:52 CEST
Tested on x86_64 real hardware.
Watched a few videos online; BBC, OK!, Youtube, Vevo.
Sound and vision working perfectly.  Vevo subtitles/OSD worked.

CC: (none) => tarazed25

Comment 4 Thomas Andrews 2016-10-18 19:12:03 CEST
Tested on 32-bit real hardware. Watched local TV weather forecast, which is only available with Flash. Everything looked good.

CC: (none) => andrewsfarm

Comment 5 Lewis Smith 2016-10-18 20:40:07 CEST
OK'd for 64 & 32 bit.
Validated the update.
Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-10-18 20:46:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0346.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

