VARIoT IoT vulnerabilities database
| VAR-201603-0080 | CVE-2016-2846 | Siemens SIMATIC S7-1200 CPU In the device " User program block " Vulnerabilities that circumvent protection mechanisms |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
Siemens SIMATIC S7-1200 CPU devices before 4.0 allow remote attackers to bypass a "user program block" protection mechanism via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. The Siemens SIMATIC S7-1200 CPU device is a small programmable controller that meets the needs of small and medium-sized automation systems from Siemens AG
| VAR-201608-0494 | No CVE | Multiple Intel Solid-State Drive DC Series Product Denial of Service Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IntelSolid-StateDriveDC series is available on some LenovoSystemX servers. A number of IntelSolid-StateDriveDC products have a denial of service vulnerability. An attacker can exploit a vulnerability that would result in a denial of service
| VAR-201603-0401 | No CVE | There are SQL injection vulnerabilities in Guanqun Jinchen anti-virus wall gateway device |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
An anti-virus gateway is a network device that protects the security of incoming and outgoing data within a network (typically a local area network). There is a SQL injection vulnerability in the Guanqun Jinchen anti-virus wall gateway device. The vulnerability parameter is sth, which allows an attacker to exploit common vulnerabilities to obtain database sensitive information. The vulnerability URL is: https://106.39.115.3:443/index.php?action=relogin&nickname=anoeloff&sth=522&warning=%B5%C7%C2%BC%CA%A7%B0%DC%A3%A1%D3%C3 %BB%A7%C3%FB%BB%F2%C3%DC%C2%EB%B4%ED%CE%F3%A3%AC%C7%EB%C1%AA%CF%B5%CF%B5%CD %B3%B9%DC%C0%ED%D4%B1%A3%A1<br>Login%20failed!%20username%20or%20password%20error, Please%20contact%20system%20administrators!
| VAR-201603-0141 | CVE-2016-1731 | Windows Run on Apple Software Update Forged update vulnerability |
CVSS V2: 5.0 CVSS V3: 5.9 Severity: MEDIUM |
Apple Software Update before 2.2 on Windows does not use HTTPS, which makes it easier for man-in-the-middle attackers to spoof updates by modifying the client-server data stream. Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified
| VAR-201603-0099 | CVE-2015-7446 | IBM FlashSystem V9000 Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9000 7.4 before 7.4.1.4, 7.5 before 7.5.1.3, and 7.6 before 7.6.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM FlashSystem V9000 is an all-flash enterprise-level storage solution developed by IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data security and use IBM Virtual Storage Center to realize virtualization configuration and performance management. A remote attacker could exploit this vulnerability to insert an XSS sequence. The following models and versions are affected: IBM FlashSystem V9000 9846-AE2, 9848-AE2, 9846-AC2, 9848-AC2 7.4 prior to 7.4.1.4, 7.5 prior to 7.5.1.3, 7.6 prior to 7.6.0.4
| VAR-201603-0034 | CVE-2016-1338 | Cisco TelePresence Video Communication Server Service disruption in (DoS) Vulnerabilities |
CVSS V2: 8.0 CVSS V3: 6.5 Severity: MEDIUM |
Cisco TelePresence Video Communication Server (VCS) X8.5.1 and X8.5.2 allows remote authenticated users to cause a denial of service (VoIP outage) via a crafted SIP message, aka Bug ID CSCuu43026
| VAR-201603-0290 | CVE-2016-1361 | Cisco Gigabit Switch Router 1200 IOS XR Denial of Service Vulnerability |
CVSS V2: 4.6 CVSS V3: 5.3 Severity: MEDIUM |
Cisco IOS XR through 4.3.2 on Gigabit Switch Router (GSR) 12000 devices does not properly check for a Bidirectional Forwarding Detection (BFD) header in a UDP packet, which allows remote attackers to cause a denial of service (line-card restart) via a crafted packet, aka Bug ID CSCuw56900. Vendors have confirmed this vulnerability Bug ID CSCuw56900 It is released as.Denial of service operation via a packet crafted by a third party ( Line card restart ) There is a possibility of being put into a state. The Cisco IOSXRonGigabitSwitchRouter (GSR) 12000 is a fully modular, distributed network operating system running on the Cisco 12000 Series Switch Routers from Cisco. A remote attacker could exploit the vulnerability by sending a specially crafted packet to cause a denial of service
| VAR-201603-0336 | No CVE | SAP 3D Visual Enterprise Viewer Memory Error Reference Remote Code Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SAP 3D Visual Enterprise Viewer (VEV) is a suite of software from SAP, Inc. for viewing, scaling, panning and rotating interactive 3D data and playing step-by-step animations. A security vulnerability exists in SAP 3D Visual Enterprise Viewer. Allows an attacker to exploit this vulnerability to execute arbitrary script code in the context of the current process or to cause a denial of service
| VAR-201603-0335 | No CVE | SAP 3D Visual Enterprise Viewern Memory Error Reference Remote Code Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SAP 3D Visual Enterprise Viewer (VEV) is a suite of software from SAP, Inc. for viewing, scaling, panning and rotating interactive 3D data and playing step-by-step animations. There is a security vulnerability in SAP 3D Visual Enterprise Viewern. Allows an attacker to exploit this vulnerability to execute arbitrary code in the context of an affected program, resulting in a denial of service
| VAR-201603-0402 | No CVE | NatShell Blue Ocean Excellence User Self-Service System has a universal password login vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Blue Ocean Excellence Broadband Access Gateway is a dedicated intelligent device for Ethernet broadband access. The NatShell Blue Ocean Excellence User Self-Service System has a universal password login vulnerability. An attacker can use the vulnerability to log in to the system to view user sensitive information.
| VAR-201603-0067 | CVE-2015-6485 | plural Schneider Electric Vulnerabilities in which important information can be obtained from device memory in product firmware |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Schneider Electric Telvent Sage 2300 RTUs with firmware before C3413-500-S01, and LANDAC II-2, Sage 1410, Sage 1430, Sage 1450, Sage 2400, and Sage 3030M RTUs with firmware before C3414-500-S02J2, allow remote attackers to obtain sensitive information from device memory by reading a padding field of an Ethernet packet. SchneiderElectricTelventSage3030M is an industrial data communication device used by Schneider Electric in France for the energy sector. The SchneiderElectricTelventSage3030M failed to properly populate the data fields in the Ethernet packet, allowing remote attackers to exploit the vulnerability to submit special requests for sensitive information. Schneider Electric Telvent Sage 3030M, etc
| VAR-201603-0289 | CVE-2016-1360 | Cisco Prime LAN Management Solution Vulnerability in obtaining plaintext data |
CVSS V2: 3.0 CVSS V3: 7.1 Severity: HIGH |
Cisco Prime LAN Management Solution (LMS) through 4.2.5 uses the same database decryption key across different customers' installations, which allows local users to obtain cleartext data by leveraging console connectivity, aka Bug ID CSCuw85390. Vendors have confirmed this vulnerability Bug ID CSCuw85390 It is released as.There is a possibility that plain text data can be obtained by using a console connection by a local user. The solution configures, manages, monitors and maintains the network
| VAR-201603-0280 | CVE-2016-0963 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0993 and CVE-2016-1010. This vulnerability CVE-2016-0993 and CVE-2016-1010 Is a different vulnerability.An attacker could execute arbitrary code. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0279 | CVE-2016-0962 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0961 , CVE-2016-0986 , CVE-2016-0989 , CVE-2016-0992 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0278 | CVE-2016-0961 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0962 , CVE-2016-0986 , CVE-2016-0989 , CVE-2016-0992 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0276 | CVE-2016-0993 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-1010. This vulnerability CVE-2016-0963 and CVE-2016-1010 Is a different vulnerability.An attacker could execute arbitrary code. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0275 | CVE-2016-0992 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0961 , CVE-2016-0962 , CVE-2016-0986 , CVE-2016-0989 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier versions, AIR for Android 20.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0274 | CVE-2016-0991 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0273 | CVE-2016-0990 | Adobe Flash Player and Adobe AIR Vulnerabilities in arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability is CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 This is a different vulnerability. Supplementary information : CWE Vulnerability types by CWE-416: Use-after-free ( Using freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0272 | CVE-2016-0989 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0961 , CVE-2016-0962 , CVE-2016-0986 , CVE-2016-0992 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce