VARIoT IoT vulnerabilities database
| VAR-201603-0271 | CVE-2016-0988 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0270 | CVE-2016-0987 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0269 | CVE-2016-0986 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0961 , CVE-2016-0962 , CVE-2016-0989 , CVE-2016-0992 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0266 | CVE-2016-1000 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, and CVE-2016-0999. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 ,and CVE-2016-0999 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. The product enables viewing of applications, content and video across screens and browsers. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0268 | CVE-2016-0960 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. This vulnerability CVE-2016-0961 , CVE-2016-0962 , CVE-2016-0986 , CVE-2016-0989 , CVE-2016-0992 , CVE-2016-1002 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0265 | CVE-2016-0999 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0264 | CVE-2016-0998 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0263 | CVE-2016-0997 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0261 | CVE-2016-0995 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0205 | CVE-2016-1010 | Adobe Flash Player and Adobe AIR Vulnerable to integer overflow |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993. This vulnerability is CVE-2016-0963 and CVE-2016-0993 This is a different vulnerability.An attacker could execute arbitrary code. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0201 | CVE-2016-1002 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, and CVE-2016-1005. This vulnerability CVE-2016-0960 , CVE-2016-0961 , CVE-2016-0962 , CVE-2016-0986 , CVE-2016-0989 , CVE-2016-0992 ,and CVE-2016-1005 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0200 | CVE-2016-1001 | Adobe Flash Player and Adobe AIR Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Heap-based buffer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors. An attacker could exploit this vulnerability to execute arbitrary code. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier, AIR for Android 20.0.0.233 and earlier.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0024 | CVE-2016-0819 | Android of Qualcomm Privileged vulnerability in performance component |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
The Qualcomm performance component in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 25364034. Android of Qualcomm The performance component contains a privileged vulnerability. Vendors have confirmed this vulnerability Bug 25364034 It is released as.An attacker could gain privileges through a crafted application. GoogleNexus is a series of smart devices based on the Android operating system, including mobile phones and tablets. The smart device is powered by Google and licensed to partner hardware vendors for manufacturing. Qualcommperformance is one of the Qualcomm performance components. A local attacker can exploit this vulnerability to execute arbitrary code in the kernel
| VAR-201603-0277 | CVE-2016-0994 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code by using the actionCallMethod opcode with crafted arguments, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0995 , CVE-2016-0996 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlHave crafted arguments by the attacker actionCallMethod By using opcodes, arbitrary code may be executed. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the actionCallMethod opcode. By manipulating the arguments passed to the actionCallMethod opcode, an attacker can force a dangling pointer to be reused after it has been freed. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier versions, AIR for Android 20.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0262 | CVE-2016-0996 | Adobe Flash Player and Adobe AIR of setInterval Vulnerability in arbitrary code execution in method |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in the setInterval method in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via crafted arguments, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. This vulnerability CVE-2016-0987 , CVE-2016-0988 , CVE-2016-0990 , CVE-2016-0991 , CVE-2016-0994 , CVE-2016-0995 , CVE-2016-0997 , CVE-2016-0998 , CVE-2016-0999 ,and CVE-2016-1000 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code via crafted arguments. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the setInterval method. By calling setInterval with specific arguments, an attacker can force a dangling pointer to be reused after it has been freed. A use-after-free vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier versions, AIR for Android 20.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0199 | CVE-2016-1005 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (uninitialized pointer dereference and memory corruption) via crafted MPEG-4 data, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, and CVE-2016-1002. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within MPEG-4 parsing. A specially crafted MP4 file can force the dereference of an uninitialized pointer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. A memory corruption vulnerability exists in several Adobe products. The following versions are affected: Adobe Flash Player Desktop Runtime 20.0.0.306 and earlier versions based on Windows and Macintosh platforms, Adobe Flash Player Extended Support Release 18.0.0.329 and earlier versions, AIR Desktop Runtime 20.0.0.260 and earlier versions, based on Windows, Macintosh , Adobe Flash Player for Google Chrome 20.0.0.306 and earlier versions on Linux and ChromeOS platforms, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.306 and earlier versions based on Windows 10 platform, and Adobe Flash Player for Windows 8.1-based platforms Internet Explorer 11 20.0.0.306 and earlier versions, Adobe Flash Player for Linux 11.2.202.569 and earlier versions based on Linux platforms, AIR SDK 20.0.0.260 and earlier versions based on Windows, Macintosh, Android and iOS platforms, AIR SDK & Compiler 20.0 .0.260 and earlier versions, AIR for Android 20.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v "www-plugins/adobe-flash-11.2.202.577"
References
==========
[ 1 ] CVE-2016-0960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0960
[ 2 ] CVE-2016-0961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0961
[ 3 ] CVE-2016-0962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0962
[ 4 ] CVE-2016-0963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0963
[ 5 ] CVE-2016-0964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0964
[ 6 ] CVE-2016-0965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0965
[ 7 ] CVE-2016-0966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0966
[ 8 ] CVE-2016-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0967
[ 9 ] CVE-2016-0968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0968
[ 10 ] CVE-2016-0969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0969
[ 11 ] CVE-2016-0970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0970
[ 12 ] CVE-2016-0971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0971
[ 13 ] CVE-2016-0972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0972
[ 14 ] CVE-2016-0973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0973
[ 15 ] CVE-2016-0974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0974
[ 16 ] CVE-2016-0975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0975
[ 17 ] CVE-2016-0976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0976
[ 18 ] CVE-2016-0977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0977
[ 19 ] CVE-2016-0978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0978
[ 20 ] CVE-2016-0979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0979
[ 21 ] CVE-2016-0980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0980
[ 22 ] CVE-2016-0981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0981
[ 23 ] CVE-2016-0982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0982
[ 24 ] CVE-2016-0983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0983
[ 25 ] CVE-2016-0984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0984
[ 26 ] CVE-2016-0985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0985
[ 27 ] CVE-2016-0986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0986
[ 28 ] CVE-2016-0987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0987
[ 29 ] CVE-2016-0988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0988
[ 30 ] CVE-2016-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0989
[ 31 ] CVE-2016-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0990
[ 32 ] CVE-2016-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0991
[ 33 ] CVE-2016-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0992
[ 34 ] CVE-2016-0993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0993
[ 35 ] CVE-2016-0994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0994
[ 36 ] CVE-2016-0995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0995
[ 37 ] CVE-2016-0996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0996
[ 38 ] CVE-2016-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0997
[ 39 ] CVE-2016-0998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0998
[ 40 ] CVE-2016-0999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0999
[ 41 ] CVE-2016-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000
[ 42 ] CVE-2016-1001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1001
[ 43 ] CVE-2016-1002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1002
[ 44 ] CVE-2016-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1005
[ 45 ] CVE-2016-1010
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1010
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201603-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:0438-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0438.html
Issue date: 2016-03-11
CVE Names: CVE-2016-0960 CVE-2016-0961 CVE-2016-0962
CVE-2016-0963 CVE-2016-0986 CVE-2016-0987
CVE-2016-0988 CVE-2016-0989 CVE-2016-0990
CVE-2016-0991 CVE-2016-0992 CVE-2016-0993
CVE-2016-0994 CVE-2016-0995 CVE-2016-0996
CVE-2016-0997 CVE-2016-0998 CVE-2016-0999
CVE-2016-1000 CVE-2016-1001 CVE-2016-1002
CVE-2016-1005 CVE-2016-1010
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB16-08 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988,
CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993,
CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998,
CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005,
CVE-2016-1010)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.577.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1316809 - flash-plugin: multiple code execution issues fixed in APSB16-08
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.577-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.577-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.577-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-0960
https://access.redhat.com/security/cve/CVE-2016-0961
https://access.redhat.com/security/cve/CVE-2016-0962
https://access.redhat.com/security/cve/CVE-2016-0963
https://access.redhat.com/security/cve/CVE-2016-0986
https://access.redhat.com/security/cve/CVE-2016-0987
https://access.redhat.com/security/cve/CVE-2016-0988
https://access.redhat.com/security/cve/CVE-2016-0989
https://access.redhat.com/security/cve/CVE-2016-0990
https://access.redhat.com/security/cve/CVE-2016-0991
https://access.redhat.com/security/cve/CVE-2016-0992
https://access.redhat.com/security/cve/CVE-2016-0993
https://access.redhat.com/security/cve/CVE-2016-0994
https://access.redhat.com/security/cve/CVE-2016-0995
https://access.redhat.com/security/cve/CVE-2016-0996
https://access.redhat.com/security/cve/CVE-2016-0997
https://access.redhat.com/security/cve/CVE-2016-0998
https://access.redhat.com/security/cve/CVE-2016-0999
https://access.redhat.com/security/cve/CVE-2016-1000
https://access.redhat.com/security/cve/CVE-2016-1001
https://access.redhat.com/security/cve/CVE-2016-1002
https://access.redhat.com/security/cve/CVE-2016-1005
https://access.redhat.com/security/cve/CVE-2016-1010
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW4xBVXlSAg2UNWIIRAkCgAKCHw64puWPWdM5cVPU2vBI1mHZyFgCeI2Rx
fg/pDiOCh9x1HJhk/a+BDeA=
=4hyN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0244 | CVE-2016-1950 | Mozilla Firefox Used in Network Security Services Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate. Both Mozilla Firefox and Firefox ESR are developed by the Mozilla Foundation in the United States. The following products and versions are affected: Mozilla Firefox prior to 45.0, Firefox ESR prior to 38.7 38.x, Mozilla NSS prior to 3.19.2.3, 3.20.x, 3.21.1 prior to 3.21.x.
CVE-2015-4000
David Adrian et al. reported that it may be feasible to attack
Diffie-Hellman-based cipher suites in certain circumstances,
compromising the confidentiality and integrity of data encrypted
with Transport Layer Security (TLS).
CVE-2015-7181
CVE-2015-7182
CVE-2016-1950
Tyson Smith, David Keeler, and Francis Gabriel discovered
heap-based buffer overflows in the ASN.1 DER parser, potentially
leading to arbitrary code execution.
CVE-2015-7575
Karthikeyan Bhargavan discovered that TLS client implementation
accepted MD5-based signatures for TLS 1.2 connections with forward
secrecy, weakening the intended security strength of TLS
connections.
CVE-2016-1938
Hanno Boeck discovered that NSS miscomputed the result of integer
division for certain inputs. This could weaken the cryptographic
protections provided by NSS. However, NSS implements RSA-CRT leak
hardening, so RSA private keys are not directly disclosed by this
issue.
CVE-2016-1978
Eric Rescorla discovered a user-after-free vulnerability in the
implementation of ECDH-based TLS handshakes, with unknown
consequences.
CVE-2016-1979
Tim Taubert discovered a use-after-free vulnerability in ASN.1 DER
processing, with application-specific impact.
CVE-2016-2834
Tyson Smith and Jed Davis discovered unspecified memory-safety
bugs in NSS.
In addition, the NSS library did not ignore environment variables in
processes which underwent a SUID/SGID/AT_SECURE transition at process
start. In certain system configurations, this allowed local users to
escalate their privileges.
For the stable distribution (jessie), these problems have been fixed in
version 2:3.26-1+debu8u1.
For the unstable distribution (sid), these problems have been fixed in
version 2:3.23-1.
We recommend that you upgrade your nss packages. ============================================================================
Ubuntu Security Notice USN-2917-2
April 07, 2016
firefox regressions
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-2917-1 introduced several regressions in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
USN-2917-1 fixed vulnerabilities in Firefox. This update caused several
regressions that could result in search engine settings being lost, the
list of search providers appearing empty or the location bar breaking
after typing an invalid URL. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1950)
Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel
Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto,
Tyson Smith, Andrea Marchesini, and Jukka Jyl=C3=A4nki discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2016-1952,
CVE-2016-1953)
Nicolas Golubovic discovered that CSP violation reports can be used to
overwrite local files. If a user were tricked in to opening a specially
crafted website with addon signing disabled and unpacked addons installed,
an attacker could potentially exploit this to gain additional privileges.
(CVE-2016-1954)
Muneaki Nishimura discovered that CSP violation reports contained full
paths for cross-origin iframe navigations. An attacker could potentially
exploit this to steal confidential data. (CVE-2016-1955)
Ucha Gobejishvili discovered that performing certain WebGL operations
resulted in memory resource exhaustion with some Intel GPUs, requiring
a reboot. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service. (CVE-2016-1956)
Jose Martinez and Romina Santillan discovered a memory leak in
libstagefright during MPEG4 video file processing in some circumstances.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
memory exhaustion. (CVE-2016-1957)
Abdulrahman Alqabandi discovered that the addressbar could be blank or
filled with page defined content in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1958)
Looben Yang discovered an out-of-bounds read in Service Worker Manager. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1959)
A use-after-free was discovered in the HTML5 string parser. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2016-1960)
A use-after-free was discovered in the SetBody function of HTMLDocument.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1961)
Dominique Haza=C3=ABl-Massieux discovered a use-after-free when using multiple
WebRTC data channels. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2016-1962)
It was discovered that Firefox crashes when local files are modified
whilst being read by the FileReader API. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2016-1963)
Nicolas Gr=C3=A9goire discovered a use-after-free during XML transformations.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1964)
Tsubasa Iinuma discovered a mechanism to cause the addressbar to display
an incorrect URL, using history navigations and the Location protocol
property. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to conduct URL
spoofing attacks. (CVE-2016-1965)
A memory corruption issues was discovered in the NPAPI subsystem. If
a user were tricked in to opening a specially crafted website with a
malicious plugin installed, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2016-1966)
Jordi Chancel discovered a same-origin-policy bypass when using
performance.getEntries and history navigation with session restore. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to steal confidential data. (CVE-2016-1967)
Luke Li discovered a buffer overflow during Brotli decompression in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1968)
Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1973)
Ronald Crane discovered an out-of-bounds read following a failed
allocation in the HTML parser in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2016-1974)
Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple
memory safety issues in the Graphite 2 library. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797,
CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
firefox 45.0.1+build1-0ubuntu0.15.10.2
Ubuntu 14.04 LTS:
firefox 45.0.1+build1-0ubuntu0.14.04.2
Ubuntu 12.04 LTS:
firefox 45.0.1+build1-0ubuntu0.12.04.2
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2917-2
http://www.ubuntu.com/usn/usn-2917-1
https://launchpad.net/bugs/1567671
Package Information:
https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.15.10.2
https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.14.04.2
https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.12.04.2
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3510-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : iceweasel
CVE ID : CVE-2016-1950 CVE-2016-1952 CVE-2016-1954 CVE-2016-1957
CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962
CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1974
CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792
CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796
CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
CVE-2016-2801 CVE-2016-2802
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
buffer overflows, use-after-frees and other implementation errors may
lead to the execution of arbitrary code, denial of service, address bar
spoofing and overwriting local files. 5 client) - i386, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: nss-util security update
Advisory ID: RHSA-2016:0495-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0495.html
Issue date: 2016-03-23
CVE Names: CVE-2016-1950
=====================================================================
1. Summary:
Updated nss-util packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.2, 6.4, and 6.5 Advanced Update Support, and Red
Hat Enterprise Linux 6.6 and 7.1 Extended Update Support.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux ComputeNode EUS (v. 7.1) - x86_64
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.1) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux Server AUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Server AUS (v. 6.4) - x86_64
Red Hat Enterprise Linux Server AUS (v. 6.5) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 7.1) - ppc64, ppc64le, s390x, x86_64
3. Description:
Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. The nss-util package provides a set of utilities for NSS and
the Softoken module.
A heap-based buffer overflow flaw was found in the way NSS parsed certain
ASN.1 structures. (CVE-2016-1950)
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Francis Gabriel as the original reporter.
All nss-util users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all applications linked to the nss and nss-util libraries must be
restarted, or the system rebooted.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1310509 - CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35)
6. Package List:
Red Hat Enterprise Linux HPC Node EUS (v. 6.6):
Source:
nss-util-3.19.1-3.el6_6.src.rpm
x86_64:
nss-util-3.19.1-3.el6_6.i686.rpm
nss-util-3.19.1-3.el6_6.x86_64.rpm
nss-util-debuginfo-3.19.1-3.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-3.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6):
x86_64:
nss-util-debuginfo-3.19.1-3.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-3.el6_6.x86_64.rpm
nss-util-devel-3.19.1-3.el6_6.i686.rpm
nss-util-devel-3.19.1-3.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.2):
Source:
nss-util-3.13.1-10.el6_2.src.rpm
x86_64:
nss-util-3.13.1-10.el6_2.i686.rpm
nss-util-3.13.1-10.el6_2.x86_64.rpm
nss-util-debuginfo-3.13.1-10.el6_2.i686.rpm
nss-util-debuginfo-3.13.1-10.el6_2.x86_64.rpm
nss-util-devel-3.13.1-10.el6_2.i686.rpm
nss-util-devel-3.13.1-10.el6_2.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.4):
Source:
nss-util-3.14.3-8.el6_4.src.rpm
x86_64:
nss-util-3.14.3-8.el6_4.i686.rpm
nss-util-3.14.3-8.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-8.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-8.el6_4.x86_64.rpm
nss-util-devel-3.14.3-8.el6_4.i686.rpm
nss-util-devel-3.14.3-8.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.5):
Source:
nss-util-3.16.1-4.el6_5.src.rpm
x86_64:
nss-util-3.16.1-4.el6_5.i686.rpm
nss-util-3.16.1-4.el6_5.x86_64.rpm
nss-util-debuginfo-3.16.1-4.el6_5.i686.rpm
nss-util-debuginfo-3.16.1-4.el6_5.x86_64.rpm
nss-util-devel-3.16.1-4.el6_5.i686.rpm
nss-util-devel-3.16.1-4.el6_5.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
nss-util-3.19.1-3.el6_6.src.rpm
i386:
nss-util-3.19.1-3.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-3.el6_6.i686.rpm
nss-util-devel-3.19.1-3.el6_6.i686.rpm
ppc64:
nss-util-3.19.1-3.el6_6.ppc.rpm
nss-util-3.19.1-3.el6_6.ppc64.rpm
nss-util-debuginfo-3.19.1-3.el6_6.ppc.rpm
nss-util-debuginfo-3.19.1-3.el6_6.ppc64.rpm
nss-util-devel-3.19.1-3.el6_6.ppc.rpm
nss-util-devel-3.19.1-3.el6_6.ppc64.rpm
s390x:
nss-util-3.19.1-3.el6_6.s390.rpm
nss-util-3.19.1-3.el6_6.s390x.rpm
nss-util-debuginfo-3.19.1-3.el6_6.s390.rpm
nss-util-debuginfo-3.19.1-3.el6_6.s390x.rpm
nss-util-devel-3.19.1-3.el6_6.s390.rpm
nss-util-devel-3.19.1-3.el6_6.s390x.rpm
x86_64:
nss-util-3.19.1-3.el6_6.i686.rpm
nss-util-3.19.1-3.el6_6.x86_64.rpm
nss-util-debuginfo-3.19.1-3.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-3.el6_6.x86_64.rpm
nss-util-devel-3.19.1-3.el6_6.i686.rpm
nss-util-devel-3.19.1-3.el6_6.x86_64.rpm
Red Hat Enterprise Linux ComputeNode EUS (v. 7.1):
Source:
nss-util-3.19.1-5.el7_1.src.rpm
x86_64:
nss-util-3.19.1-5.el7_1.i686.rpm
nss-util-3.19.1-5.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-5.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-5.el7_1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.1):
x86_64:
nss-util-debuginfo-3.19.1-5.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-5.el7_1.x86_64.rpm
nss-util-devel-3.19.1-5.el7_1.i686.rpm
nss-util-devel-3.19.1-5.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 7.1):
Source:
nss-util-3.19.1-5.el7_1.src.rpm
ppc64:
nss-util-3.19.1-5.el7_1.ppc.rpm
nss-util-3.19.1-5.el7_1.ppc64.rpm
nss-util-debuginfo-3.19.1-5.el7_1.ppc.rpm
nss-util-debuginfo-3.19.1-5.el7_1.ppc64.rpm
nss-util-devel-3.19.1-5.el7_1.ppc.rpm
nss-util-devel-3.19.1-5.el7_1.ppc64.rpm
s390x:
nss-util-3.19.1-5.el7_1.s390.rpm
nss-util-3.19.1-5.el7_1.s390x.rpm
nss-util-debuginfo-3.19.1-5.el7_1.s390.rpm
nss-util-debuginfo-3.19.1-5.el7_1.s390x.rpm
nss-util-devel-3.19.1-5.el7_1.s390.rpm
nss-util-devel-3.19.1-5.el7_1.s390x.rpm
x86_64:
nss-util-3.19.1-5.el7_1.i686.rpm
nss-util-3.19.1-5.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-5.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-5.el7_1.x86_64.rpm
nss-util-devel-3.19.1-5.el7_1.i686.rpm
nss-util-devel-3.19.1-5.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 7.1):
Source:
nss-util-3.19.1-5.ael7b_1.src.rpm
ppc64le:
nss-util-3.19.1-5.ael7b_1.ppc64le.rpm
nss-util-debuginfo-3.19.1-5.ael7b_1.ppc64le.rpm
nss-util-devel-3.19.1-5.ael7b_1.ppc64le.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFW8mrxXlSAg2UNWIIRApd+AKC89tmaT/sw/qZV56m0D+wS0ksruwCgoZdA
LWDm7Ow/XWG3HaU1ic1EWh4=
=RGkL
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201603-0378 | No CVE | Thomson TWG850 has multiple vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Thomson TWG850 is a router product from Thomson Reuters.
Thomson TWG850 has 1. HTML injection vulnerability 2. Authentication bypass vulnerability 3. Cross-site request forgery vulnerability. Attackers can use these vulnerabilities to steal cookie-based authentication, execute arbitrary code in the context of the affected application, bypass security restrictions, perform unauthorized operations, and may cause denial of service
| VAR-201604-0101 | CVE-2016-3973 | SAP NetWeaver Java AS Vulnerability in the acquisition of important user information in the chat function of the real-time collaboration service |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990. SAP NetWeaver is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
SAP Netweaver 7.4 is vulnerable; other versions may also be affected
| VAR-201603-0023 | CVE-2016-0818 | Android of Conscrypt of TrustManagerImpl.java of TrustManagerImpl Vulnerability impersonating server in class |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 mishandles the distinction between an intermediate CA and a trusted root CA, which allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate, aka internal bug 26232830. Vendors have confirmed this vulnerability Bug 26232830 It is released as. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) ,and CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. http://cwe.mitre.org/data/definitions/254.html http://cwe.mitre.org/data/definitions/345.htmlMan-in-the-middle attacks (man-in-the-middle attack) By the middle CA There is a possibility of impersonating a server by using access to and issuing a certificate. GoogleNexus is a series of smart devices based on the Android operating system developed by Google Inc. of the United States, including mobile phones and tablets. The smart device is powered by Google and licensed to partner hardware vendors for manufacturing. There is a security vulnerability in Concrypt, a version of GoogleNexusBuildsLMY49H. A remote attacker can exploit a vulnerability to implement a man-in-the-middle attack, gain access, or execute arbitrary code