Bug 9677 - Security update request for flash-player-plugin, to 11.2.202.280
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: mga2-64-ok mga2-32-ok
Keywords: Security, validated_update
 
Reported: 2013-04-09 18:08 CEST by Anssi Hannula
Modified: 2013-04-10 00:13 CEST
Source RPM: flash-player-plugin

Description Anssi Hannula 2013-04-09 18:08:58 CEST
Flash Player 11.2.202.280 has been pushed to mga2 nonfree/updates_testing.

Updated Flash Player 11.2.202.280 packages are in mga2 nonfree/updates_testing
as flash-player-plugin (i586 and x86_64) and flash-player-plugin-kde (i586 and
x86_64).

No advisory just yet, nothing has been published by Adobe. I'll give them 24 hours after which we will push this as a non-security update. I'll write an advisory at that time at the latest.

I think this update can be tested regardless.
Comment 1 Anssi Hannula 2013-04-09 19:55:36 CEST
And we got an advisory.

Advisory:
============
Adobe Flash Player 11.2.202.280 contains fixes to critical security
vulnerabilities found in earlier versions. These vulnerabilities could cause a
crash and potentially allow an attacker to take control of the affected system.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-2555). 

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-1378, CVE-2013-1380). 

These updates resolve a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution (CVE-2013-1379).

References:
http://www.adobe.com/support/security/bulletins/apsb13-11.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2555
============
Comment 2 David GEIGER 2013-04-09 20:17:42 CEST
Testing complete for the new flash-player-plugin-11.2.202.280 and flash-player-plugin-kde on Mageia release 2 (Official) for x86_64. It's good, nothing to report, it works fine.

Tested some videos: youtube, dailymotion, pluzz, tf1replay, m6replay...
Comment 3 claire robinson 2013-04-09 22:13:50 CEST
testing mga2 32
Comment 4 claire robinson 2013-04-09 22:21:30 CEST
Thanks Anssi & David

Testing complete mga2 32

Checked flash videos and deleted storage in kde flash settings

Validating

Advisory & srpm in comment 1

Could sysadmin please push from nonfree/updates_testing to nonfree/updates

Thanks!
Comment 5 Thomas Backlund 2013-04-10 00:13:04 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0116
