Flash Player 11.1.102.62 has been pushed to mga1 nonfree/updates_testing.

Advisory:
============
Adobe Flash Player 11.1.102.62 contains fixes to critical security vulnerabilities found in earlier versions. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).

This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).

This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).

This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).

This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).

This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).

Additionally, the package has been updated to obey the RPMDrake/urpmi HTTP proxy settings, allowing it to work on systems and networks where the use of a HTTP proxy is required (Mageia bug #3044).

References:
http://www.adobe.com/support/security/bulletins/apsb12-03.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0767
https://bugs.mageia.org/show_bug.cgi?id=3044
============

Updated Flash Player 11.1.102.62 packages are in mga1 nonfree/updates_testing as flash-player-plugin (i586 and x86_64) and flash-player-plugin-kde (i586 and x86_64).

==========
Suggested testing procedure:
==========
Package installs and Flash works.

No PoCs for the CVEs. It will be difficult to show bug 3044 is fixed.

x86_64
------
Updated OK, tested at youtube.com. KDE tested with right click/global settings.

Validating the update.

Tested with usual sites, and using the tools menu entry to delete all flash cookies.

Could someone from the sysadmin team push the srpm flash-player-plugin-11.1.102.62-1.mga1.nonfree.src.rpm from Nonfree Updates Testing to Nonfree Updates?

Advisory:
Adobe Flash Player 11.1.102.62 contains fixes to critical security vulnerabilities found in earlier versions. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).

This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).

This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).

This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).

This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).

This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).

Additionally, the package has been updated to obey the RPMDrake/urpmi HTTP proxy settings, allowing it to work on systems and networks where the use of a HTTP proxy is required (Mageia bug #3044).

References:
http://www.adobe.com/support/security/bulletins/apsb12-03.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0767
https://bugs.mageia.org/show_bug.cgi?id=3044
https://bugs.mageia.org/show_bug.cgi?id=4561

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED