Bug 9677 - Security update request for flash-player-plugin, to 11.2.202.280
Summary: Security update request for flash-player-plugin, to 11.2.202.280
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga2-64-ok mga2-32-ok
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2013-04-09 18:08 CEST by Anssi Hannula
Modified: 2013-04-10 00:13 CEST

See Also:
Source RPM: flash-player-plugin
CVE:
Status comment:


Description Anssi Hannula 2013-04-09 18:08:58 CEST
Flash Player 11.2.202.280 has been pushed to mga2 nonfree/updates_testing.

Updated Flash Player 11.2.202.280 packages are in mga2 nonfree/updates_testing
as flash-player-plugin (i586 and x86_64) and flash-player-plugin-kde (i586 and
x86_64).

No advisory just yet, nothing has been published by Adobe. I'll give them 24 hours after which we will push this as a non-security update. I'll write an advisory at that time at the latest.

I think this update can be tested regardless.
Comment 1 Anssi Hannula 2013-04-09 19:55:36 CEST
And we got an advisory.

Advisory:
============
Adobe Flash Player 11.2.202.280 contains fixes to critical security
vulnerabilities found in earlier versions. These vulnerabilities could cause a
crash and potentially allow an attacker to take control of the affected system.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-2555). 

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-1378, CVE-2013-1380). 

These updates resolve a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution (CVE-2013-1379).

References:
http://www.adobe.com/support/security/bulletins/apsb13-11.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2555
============

Keywords: (none) => Security
Status: NEW => ASSIGNED
Component: RPM Packages => Security
Summary: Update request for flash-player-plugin, to 11.2.202.280 => Security update request for flash-player-plugin, to 11.2.202.280

Comment 2 David GEIGER 2013-04-09 20:17:42 CEST
Testing complete for the new flash-player-plugin-11.2.202.280 and flash-player-plugin-kde on Mageia release 2 (Official) for x86_64. It's good, nothing to report, it works fine.

Tested some videos: youtube, dailymotion, pluzz, tf1replay, m6replay...

CC: (none) => geiger.david68210

Comment 3 claire robinson 2013-04-09 22:13:50 CEST
Testing mga2 32

Whiteboard: (none) => mga2-64-ok

Comment 4 claire robinson 2013-04-09 22:21:30 CEST
Thanks Anssi & David

Testing complete mga2 32

Checked flash videos and deleted storage in kde flash settings

Validating

Advisory & srpm in comment 1

Could sysadmin please push from nonfree/updates_testing to nonfree/updates?

Thanks!

Keywords: (none) => validated_update
Whiteboard: mga2-64-ok => mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

claire robinson 2013-04-09 22:22:48 CEST

QA Contact: (none) => security

Comment 5 Thomas Backlund 2013-04-10 00:13:04 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0116

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

