VARIoT IoT vulnerabilities database
| VAR-201510-0233 | CVE-2015-5923 | Apple iOS Vulnerable to reading user contact data |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors. Apple iOS is prone to a local security-bypass vulnerability.
Attackers with physical access to the device can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. The vulnerability is caused by the program not properly restricting the options in the lock screen state. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-30-01 iOS 9.0.2
iOS 9.0.2 is now available and addresses the following:
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may be able
to access photos and contacts from the lock screen
Description: A lock screen issue allowed access to photos and
contacts on a locked device. This issue was addressed by restricting
options offered on a locked device.
CVE-ID
CVE-2015-5923
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "9.0.2".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWCywnAAoJEBcWfLTuOo7tsbkP/A6aLss8SQXXBjrlKdLbAcWF
x/zkFEwnHVG77cfXPwyEHnlqssVV/oc3Ynds6VdUmB4LiIT56NJc7Yl2eteg+PN7
rVePaHZ2iHBqkdT6uoeFqTDirTcc/a01crBtIp9VS8vmbKovzdNwuaVHswX1dsWd
FnHA04tf/g028f+mZ5r+fvgvP35jVJZZem0aLln2EIaxB4qIwTLzLZlXt6Wwg54q
tf8xcGERemCzeiVHf3XUhZlZBwdGIya+MNNS7DZxQ9+9aqlinMmnlC8Ub66UAI9C
24FphpZfMibBFh/PEBYarFnEA4DxNbFSL6wivVD4vjlgiFLLlcXpPtBU0DseOVDu
spkUzYb0enjj0SZhxguxaIrUTqrtGLR0fqkQSOv1RITMalBeRvE6HDbO8U12Q5aM
C1VTu0nR/6rzFOjhI1RhMLCsceuSEGCEv10ODZGzYkV2FEYiBeFU3ROloW4NqYf4
MRKwMj2SVeySjzh6qh5i5fgFsd3YUug4AnLr0Uy5Rz9xsF3CaUkvdPfksVgh/IyF
fGKr/pKqqWTguTNWYoDSaf/l0jTKceke8HVd04o8nIUjw6yOTk1MsKZ2WWFuQiaE
V/ZCF+ssugHCm8k7zKnjYHhe4kp5v2Q4mJ/VzOGVcqOMABi33lm6yAnRFOPSld98
ACylj1OKP3rLyDKeEwRh
=7WtW
-----END PGP SIGNATURE-----
| VAR-201709-0026 | CVE-2015-7241 |
SAP NetWeaver In XML External entity vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201509-0134 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
Successfully exploiting this issue may allow an attacker to gain unauthorized access and perform unauthorized actions; this may aid in further attacks.
Versions prior to SAP Netwaver 7.01 are vulnerable
| VAR-201708-0277 | CVE-2015-1800 | Samsung S4 Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to potentially obtain sensitive information. Samsung S4 (GT-I9500) Contains an information disclosure vulnerability.Information may be obtained. The Samsung S4 GT-I9500 is a smartphone released by Samsung in South Korea.
Successful exploits may allow attackers to obtain sensitive information, corrupt memory with elevated privileges or cause denial-of-service conditions. samsung_extdisp driver is one of the font drivers
| VAR-201509-0022 | CVE-2015-6302 | Cisco Wireless LAN Controller Device software RADIUS Vulnerability to disconnect arbitrary sessions in functionality |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The RADIUS functionality on Cisco Wireless LAN Controller (WLC) devices with software 7.0(250.0) and 7.0(252.0) allows remote attackers to disconnect arbitrary sessions via crafted Disconnect-Request UDP packets, aka Bug ID CSCuw29419. Vendors have confirmed this vulnerability Bug ID CSCuw29419 It is released as.Skillfully crafted by a third party Disconnect-Request UDP Any session may be disconnected via the packet. The Cisco Wireless LAN Controller is a wireless LAN controller product.
Attackers can exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuw29419. This product provides functions such as security policy and intrusion detection in wireless LAN. A remote attacker could exploit this vulnerability to disconnect arbitrary sessions
| VAR-201708-0278 | CVE-2015-1801 | Samsung S4 Buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to cause a denial of service (memory corruption) or gain privileges. Samsung S4 (GT-I9500) Contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. The Samsung S4 GT-I9500 is a smartphone released by Samsung in South Korea. Samsung S4 GT-I9500 is prone to an information-disclosure vulnerability and multiple memory-corruption vulnerabilities. samsung_extdisp driver is one of the font drivers
| VAR-201510-0231 | CVE-2015-5919 | Apple watchOS of GasGauge Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
GasGauge in Apple watchOS before 2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5918. Apple watchOS is prone to multiple local memory-corruption vulnerabilities.
Attackers may be able to exploit these issues to execute arbitrary code with kernel-level privileges. Failed attack attempts will likely result in denial-of-service conditions. Apple watchOS is a smart watch operating system developed by Apple (Apple). GasGauge is one of the battery fuel gauge components. A security vulnerability exists in the GasGauge component of Apple watchOS 1.01 and earlier
| VAR-201510-0230 | CVE-2015-5918 | Apple watchOS of GasGauge Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
GasGauge in Apple watchOS before 2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5919. Apple watchOS is prone to multiple local memory-corruption vulnerabilities.
Attackers may be able to exploit these issues to execute arbitrary code with kernel-level privileges. Failed attack attempts will likely result in denial-of-service conditions. Apple watchOS is a smart watch operating system developed by Apple (Apple). GasGauge is one of the battery fuel gauge components. A security vulnerability exists in the GasGauge component of Apple watchOS 1.01 and earlier
| VAR-201509-0330 | CVE-2015-6679 | Adobe Flash Player and Adobe AIR Vulnerabilities that bypass the same origin policy |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to bypass the Same Origin Policy and obtain sensitive information via unspecified vectors.
An attacker can exploit this issue to bypass certain same-origin policy restrictions and obtain sensitive information; this may aid in launching further attacks. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-5567, CVE-2015-5568,
CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574,
CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579,
CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587,
CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679,
CVE-2015-6682)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.521.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0329 | CVE-2015-6678 | Adobe Flash Player and Adobe AIR Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-6676. This vulnerability is CVE-2015-6676 This is a different vulnerability.An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the DefineText tag. A specially crafted DefineFont2 tag can overflow a buffer of size TotalNumberOfGlyph * 2 bytes. Adobe Flash Player and AIR are prone to multiple unspecified buffer-overflow vulnerabilities because they fail to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Failed exploit attempts will likely result in denial-of-service conditions. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-5567, CVE-2015-5568,
CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574,
CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579,
CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587,
CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679,
CVE-2015-6682)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.521.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0333 | CVE-2015-6682 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, and CVE-2015-5584. This vulnerability CVE-2015-5570 , CVE-2015-5574 , CVE-2015-5581 ,and CVE-2015-5584 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-5567, CVE-2015-5568,
CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574,
CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579,
CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587,
CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679,
CVE-2015-6682)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.521.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0328 | CVE-2015-6677 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, and CVE-2015-5588. This vulnerability CVE-2015-5575 , CVE-2015-5577 , CVE-2015-5578 , CVE-2015-5580 , CVE-2015-5582 ,and CVE-2015-5588 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0327 | CVE-2015-6676 | Adobe Flash Player and Adobe AIR Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-6678. This vulnerability CVE-2015-6678 Is a different vulnerability.An attacker could execute arbitrary code. Adobe Flash Player and AIR are prone to multiple unspecified buffer-overflow vulnerabilities because they fail to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Failed exploit attempts will likely result in denial-of-service conditions. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-5567, CVE-2015-5568,
CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574,
CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579,
CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587,
CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679,
CVE-2015-6682)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.521.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0278 | CVE-2015-5588 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, and CVE-2015-6677. This vulnerability CVE-2015-5575 , CVE-2015-5577 , CVE-2015-5578 , CVE-2015-5580 , CVE-2015-5582 ,and CVE-2015-6677 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0142 | CVE-2015-5578 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677. This vulnerability CVE-2015-5575 , CVE-2015-5577 , CVE-2015-5580 , CVE-2015-5582 , CVE-2015-5588 ,and CVE-2015-6677 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0140 | CVE-2015-5576 | Adobe Flash Player and Adobe AIR In ASLR Vulnerabilities that circumvent protection mechanisms |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. Attackers can exploit this vulnerability to bypass the established ASLR protection mechanism and take control of the affected system. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0143 | CVE-2015-5579 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5567. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-5567, CVE-2015-5568,
CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574,
CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579,
CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587,
CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679,
CVE-2015-6682)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.521.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0141 | CVE-2015-5577 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5575, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677. This vulnerability CVE-2015-5575 , CVE-2015-5578 , CVE-2015-5580 , CVE-2015-5582 , CVE-2015-5588 ,and CVE-2015-6677 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0136 | CVE-2015-5572 | Adobe Flash Player and Adobe AIR Vulnerable to access restrictions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0137 | CVE-2015-5573 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion.". Supplementary information : CWE Vulnerability type by CWE-843:Access of Resource Using Incompatible Type ( Mixing of molds ) Has been identified. http://cwe.mitre.org/data/definitions/843.htmlUnspecified by attacker " Mixing of molds (type confusion)" May be used to execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners
| VAR-201509-0139 | CVE-2015-5575 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677. This vulnerability CVE-2015-5577 , CVE-2015-5578 , CVE-2015-5580 , CVE-2015-5582 , CVE-2015-5588 ,and CVE-2015-6677 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. 0.233 and earlier versions, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier versions based on Windows 10 platform, Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier versions based on Windows 8.0 and 8.1 platforms, Adobe Flash Player for Linux 11.2.202.508 and earlier versions based on Linux platforms, AIR Desktop Runtime 18.0.0.199 and earlier versions based on Windows and Macintosh platforms, AIR SDK 18.0.0.199 and earlier versions based on Windows, Macintosh, Android and iOS platforms and AIR SDK & Compiler 18.0.0.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1814-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1814.html
Issue date: 2015-09-22
CVE Names: CVE-2015-5567 CVE-2015-5568 CVE-2015-5570
CVE-2015-5571 CVE-2015-5572 CVE-2015-5573
CVE-2015-5574 CVE-2015-5575 CVE-2015-5576
CVE-2015-5577 CVE-2015-5578 CVE-2015-5579
CVE-2015-5580 CVE-2015-5581 CVE-2015-5582
CVE-2015-5584 CVE-2015-5587 CVE-2015-5588
CVE-2015-6676 CVE-2015-6677 CVE-2015-6678
CVE-2015-6679 CVE-2015-6682
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-23 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1264992 - flash-plugin: multiple code execution issues fixed in APSB15-23
1265121 - flash-plugin: information leaks and hardening bypass fixed in APSB15-23
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.521-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.521-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
x86_64:
flash-plugin-11.2.202.521-1.el6_7.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5567
https://access.redhat.com/security/cve/CVE-2015-5568
https://access.redhat.com/security/cve/CVE-2015-5570
https://access.redhat.com/security/cve/CVE-2015-5571
https://access.redhat.com/security/cve/CVE-2015-5572
https://access.redhat.com/security/cve/CVE-2015-5573
https://access.redhat.com/security/cve/CVE-2015-5574
https://access.redhat.com/security/cve/CVE-2015-5575
https://access.redhat.com/security/cve/CVE-2015-5576
https://access.redhat.com/security/cve/CVE-2015-5577
https://access.redhat.com/security/cve/CVE-2015-5578
https://access.redhat.com/security/cve/CVE-2015-5579
https://access.redhat.com/security/cve/CVE-2015-5580
https://access.redhat.com/security/cve/CVE-2015-5581
https://access.redhat.com/security/cve/CVE-2015-5582
https://access.redhat.com/security/cve/CVE-2015-5584
https://access.redhat.com/security/cve/CVE-2015-5587
https://access.redhat.com/security/cve/CVE-2015-5588
https://access.redhat.com/security/cve/CVE-2015-6676
https://access.redhat.com/security/cve/CVE-2015-6677
https://access.redhat.com/security/cve/CVE-2015-6678
https://access.redhat.com/security/cve/CVE-2015-6679
https://access.redhat.com/security/cve/CVE-2015-6682
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWAUhqXlSAg2UNWIIRAtwLAJ9AIILXDTBc54JCyPGAJZPwlvTTbgCfRwgv
VC/tCEoNGrkMNfvhCrQ4wBs=
=9aOW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c04939841
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04939841
Version: 1
HPSBHF03535 rev.1 - HPE iMC OSS and iMC Plat running Adobe Flash, Multiple
Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-01-13
Last Updated: 2016-01-13
Potential Security Impact: Remote Multiple Vulnerabilities
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC OSS and
iMC Plat running Adobe Flash. The vulnerabilities could be exploited remotely
resulting in execution of code, Denial of Service (DoS), or other impacts to
affect confidentiality, integrity, and availability.
References:
CVE-2015-6679
CVE-2015-5568
CVE-2015-5570
CVE-2015-5573
CVE-2015-5574
CVE-2015-5575
CVE-2015-5577
CVE-2015-5578
CVE-2015-5579
CVE-2015-5580
CVE-2015-5581
CVE-2015-5582
CVE-2015-5584
CVE-2015-5587
CVE-2015-5588
CVE-2015-6676
CVE-2015-6677
CVE-2015-6678
CVE-2015-6682
CVE-2015-5572
CVE-2015-5576
CVE-2015-6679
CVE-2015-5571
SSRT102282
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- iMC OSS prior to SHM 7.1 E0301P05
- iMC Plat prior to 7.2 E0403
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5568 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5570 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5573 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5574 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5575 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5577 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5578 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5579 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5580 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5581 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5582 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5584 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5587 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5588 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6676 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6677 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6678 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-6682 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5572 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-6679 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5571 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates to resolve the
vulnerabilities in iMC OSS and iMC Plat.
iMC OSS - SHM 7.2 E0402, 7.1 E0301P05 or later for the following
Products/SKUs:
- JD456A HP IMC WSM Software Module with 50-Access Point License
- JF414A HP IMC Wireless Service Manager Software Module with 50-Access
Point License
- JF414AAE HP IMC Wireless Service Manager Software Module with 50-Access
Point E-LTU
- JG551AAE HP PCM+ Mobility Manager to IMC Wireless Service Manager Module
Upgrade with 250 Access Point E-LTU
- JG758AAE HP IMC WSM/RTLS w/ 50-node E-LTU
- JG769AAE HP PCM Mobility Manager to IMC Wireless Service Manager Upg with
250-node E-LTU
- JG398A HP IMC Service Health Manager Software Module License
- JG398AAE HP IMC Service Health Manager Software Module E-LTU
iMC PLAT 7.2 E0403 for the following Products/SKUs:
- JD125A HP IMC Std S/W Platform w/100-node
- JD126A HP IMC Ent S/W Platform w/100-node
- JD808A HP IMC Ent Platform w/100-node License
- JD814A HP A-IMC Enterprise Edition Software DVD Media
- JD815A HP IMC Std Platform w/100-node License
- JD816A HP A-IMC Standard Edition Software DVD Media
- JF288AAE HP Network Director to Intelligent Management Center Upgrade
E-LTU
- JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
- JF377A HP IMC Std S/W Platform w/100-node Lic
- JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
- JF378A HP IMC Ent S/W Platform w/200-node Lic
- JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
- JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
- JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
- JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
- JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU
- JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
- JG659AAE HP IMC Smart Connect VAE E-LTU
- JG660AAE HP IMC Smart Connect w/WLM VAE E-LTU
- JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
- JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
- JG766AAE HP IMC SmCnct Vrtl Applnc SW E-LTU
- JG767AAE HP IMC SmCnct WSM Vrtl Applnc SW E-LTU
- JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
HISTORY
Version:1 (rev.1) - 13 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners