VARIoT IoT vulnerabilities database
| VAR-201504-0440 | CVE-2015-3293 | FortiMail Vulnerabilities in which credentials are obtained | CVSS V2: 4.0 | CVSS V3: - | Severity: MEDIUM |
FortiMail 5.0.3 through 5.2.3 allows remote administrators to obtain credentials via the "diag debug application httpd" command. Fortinet FortiMail is an email security appliance from Fortinet that provides an information filtering engine, anti-spam and threat defense functions. A security vulnerability exists in Fortinet FortiMail versions 5.0.3 to 5.2.3
| VAR-201504-0536 | CVE-2015-3039 | Adobe Flash Player Vulnerable to arbitrary code execution | CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0351, and CVE-2015-0358. Supplementary information: the vulnerability type has been identified as CWE-416, Use-after-free (use of freed memory), http://cwe.mitre.org/data/definitions/416.html. An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of AS2 ConvolutionFilter objects. By manipulating the matrix property of a ConvolutionFilter object, an attacker can force a dangling pointer to be reused after it has been freed. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-06
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
(CVE-2015-0357, CVE-2015-3040)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.457.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVLmOuXlSAg2UNWIIRAhCpAKCQYartNTxOyN7YneEoLHmonLVYxwCeJeZL
9gBkw1TFVgaSAtPj0Xh+ubg=
=LVW2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0409 | CVE-2015-0348 | Adobe Flash Player Vulnerable to buffer overflow | CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Buffer overflow in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors. Adobe Flash Player is prone to an unspecified remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0411 | CVE-2015-0350 | Adobe Flash Player Vulnerabilities in arbitrary code execution | CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Adobe Flash Player is prone to multiple unspecified memory-corruption vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0412 | CVE-2015-0351 | Adobe Flash Player Vulnerable to arbitrary code execution | CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0358, and CVE-2015-3039. Supplementary information: the vulnerability type has been identified as CWE-416, Use-after-free (use of freed memory), http://cwe.mitre.org/data/definitions/416.html. An attacker could execute arbitrary code. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. This update fixes multiple vulnerabilities in
Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security
Bulletin APSB15-06 listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
(CVE-2015-0357, CVE-2015-3040)
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVLmOuXlSAg2UNWIIRAhCpAKCQYartNTxOyN7YneEoLHmonLVYxwCeJeZL
9gBkw1TFVgaSAtPj0Xh+ubg=
=LVW2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0410 | CVE-2015-0349 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0351, CVE-2015-0358, and CVE-2015-3039. Supplementary information: the vulnerability type has been identified as CWE-416: Use After Free (use of freed memory), http://cwe.mitre.org/data/definitions/416.html. An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of AS3 ConvolutionFilter objects. By manipulating the matrix property of a ConvolutionFilter object, an attacker can force a dangling pointer to be reused after it has been freed. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0407 | CVE-2015-0346 | Adobe Flash Player Memory double free vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359. Adobe Flash Player is vulnerable to arbitrary code execution due to a flaw that frees the same memory twice. Supplementary information: the vulnerability type has been identified as CWE-415: Double Free, http://cwe.mitre.org/data/definitions/415.html. An attacker could execute arbitrary code. Adobe Flash Player is prone to multiple remote code-execution vulnerabilities. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0405 | CVE-2015-0359 | Adobe Flash Player Memory double free vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346. Adobe Flash Player is vulnerable to arbitrary code execution due to a flaw that frees the same memory twice. Supplementary information: the vulnerability type has been identified as CWE-415: Double Free, http://cwe.mitre.org/data/definitions/415.html. An attacker could execute arbitrary code. Adobe Flash Player is prone to multiple remote code-execution vulnerabilities. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. The vulnerabilities fixed by this update are
detailed in the Adobe Security Bulletin APSB15-06 listed in the References
section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
(CVE-2015-0357, CVE-2015-3040)
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0408 | CVE-2015-0347 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AVSource objects. By sending a specially crafted SWF an attacker can force a memory corruption condition. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
| VAR-201504-0403 | CVE-2015-0357 | Adobe Flash Player vulnerability that bypasses the ASLR protection mechanism |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2015-3040. This is a different vulnerability from CVE-2015-3040. An attacker may bypass the ASLR protection mechanism. Adobe Flash Player is prone to multiple unspecified memory-corruption vulnerabilities.
An attacker can leverage these issues to bypass certain security restrictions and execute arbitrary code in context of the affected application. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0404 | CVE-2015-0358 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0351, and CVE-2015-3039. This is a different vulnerability from CVE-2015-0349, CVE-2015-0351, and CVE-2015-3039. Supplementary information: the vulnerability type has been identified by CWE as CWE-416: Use-after-free (use of freed memory), http://cwe.mitre.org/data/definitions/416.html. An attacker could execute arbitrary code. Failed attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0399 | CVE-2015-0353 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-06
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVLmOuXlSAg2UNWIIRAhCpAKCQYartNTxOyN7YneEoLHmonLVYxwCeJeZL
9gBkw1TFVgaSAtPj0Xh+ubg=
=LVW2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0402 | CVE-2015-0356 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion". Supplementary information: the CWE vulnerability type has been identified as CWE-843: Access of Resource Using Incompatible Type (Type Confusion). Failed exploit attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-06
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVLmOuXlSAg2UNWIIRAhCpAKCQYartNTxOyN7YneEoLHmonLVYxwCeJeZL
9gBkw1TFVgaSAtPj0Xh+ubg=
=LVW2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0401 | CVE-2015-0355 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-06
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVLmOuXlSAg2UNWIIRAhCpAKCQYartNTxOyN7YneEoLHmonLVYxwCeJeZL
9gBkw1TFVgaSAtPj0Xh+ubg=
=LVW2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0400 | CVE-2015-0354 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.457"
References
==========
[ 1 ] CVE-2015-0346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0346
[ 2 ] CVE-2015-0347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0347
[ 3 ] CVE-2015-0348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0348
[ 4 ] CVE-2015-0349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0349
[ 5 ] CVE-2015-0350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0350
[ 6 ] CVE-2015-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0351
[ 7 ] CVE-2015-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0352
[ 8 ] CVE-2015-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0353
[ 9 ] CVE-2015-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0354
[ 10 ] CVE-2015-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0355
[ 11 ] CVE-2015-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0356
[ 12 ] CVE-2015-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0357
[ 13 ] CVE-2015-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0358
[ 14 ] CVE-2015-0359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0359
[ 15 ] CVE-2015-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0360
[ 16 ] CVE-2015-3038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3038
[ 17 ] CVE-2015-3039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3039
[ 18 ] CVE-2015-3040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3040
[ 19 ] CVE-2015-3041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3041
[ 20 ] CVE-2015-3042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3042
[ 21 ] CVE-2015-3043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3043
[ 22 ] CVE-2015-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0813-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0813.html
Issue date: 2015-04-15
CVE Names: CVE-2015-0346 CVE-2015-0347 CVE-2015-0348
CVE-2015-0349 CVE-2015-0350 CVE-2015-0351
CVE-2015-0352 CVE-2015-0353 CVE-2015-0354
CVE-2015-0355 CVE-2015-0356 CVE-2015-0357
CVE-2015-0358 CVE-2015-0359 CVE-2015-0360
CVE-2015-3038 CVE-2015-3039 CVE-2015-3040
CVE-2015-3041 CVE-2015-3042 CVE-2015-3043
CVE-2015-3044
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-06
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349,
CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354,
CVE-2015-0355, CVE-2015-0356, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3039, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
A security bypass flaw was found in flash-plugin that could lead to the
disclosure of sensitive information. (CVE-2015-3044)
Two memory information leak flaws were found in flash-plugin that could
allow an attacker to potentially bypass ASLR (Address Space Layout
Randomization) protection, and make it easier to exploit other flaws.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1211869 - flash-plugin: multiple code execution issues fixed in APSB15-06
1211894 - CVE-2015-3044 flash-plugin: security bypass leading to information disclosure (APSB15-06)
1211898 - CVE-2015-0357 CVE-2015-3040 flash-plugin: information leaks leading to ASLR bypass (APSB15-06)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.457-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.457-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.457-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0346
https://access.redhat.com/security/cve/CVE-2015-0347
https://access.redhat.com/security/cve/CVE-2015-0348
https://access.redhat.com/security/cve/CVE-2015-0349
https://access.redhat.com/security/cve/CVE-2015-0350
https://access.redhat.com/security/cve/CVE-2015-0351
https://access.redhat.com/security/cve/CVE-2015-0352
https://access.redhat.com/security/cve/CVE-2015-0353
https://access.redhat.com/security/cve/CVE-2015-0354
https://access.redhat.com/security/cve/CVE-2015-0355
https://access.redhat.com/security/cve/CVE-2015-0356
https://access.redhat.com/security/cve/CVE-2015-0357
https://access.redhat.com/security/cve/CVE-2015-0358
https://access.redhat.com/security/cve/CVE-2015-0359
https://access.redhat.com/security/cve/CVE-2015-0360
https://access.redhat.com/security/cve/CVE-2015-3038
https://access.redhat.com/security/cve/CVE-2015-3039
https://access.redhat.com/security/cve/CVE-2015-3040
https://access.redhat.com/security/cve/CVE-2015-3041
https://access.redhat.com/security/cve/CVE-2015-3042
https://access.redhat.com/security/cve/CVE-2015-3043
https://access.redhat.com/security/cve/CVE-2015-3044
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0398 | CVE-2015-0352 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0397 | CVE-2015-0360 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201504-0166 | CVE-2015-0501 | Oracle MySQL Server: vulnerability in the Server : Compiling subcomponent |
CVSS V2: 5.7 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
The vulnerability can be exploited over the MySQL protocol. The 'Server : Compiling' subcomponent is affected.
This vulnerability affects the following supported versions:
5.5.42 and earlier, 5.6.23 and earlier. MySQL is a database system noted for high performance, low cost and good reliability. A remote authenticated attacker can exploit this vulnerability to cause a denial of service and affect data availability.
The vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.20. Please see the MariaDB 10.0 Release Notes for further
details:
https://mariadb.com/kb/en/mariadb/mariadb-10017-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10019-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
For the stable distribution (jessie), these problems have been fixed in
version 10.0.20-0+deb8u1.
For the unstable distribution (sid), these problems have been fixed in
version 10.0.20-1 or earlier versions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MySQL: Multiple vulnerabilities
Date: July 10, 2015
Bugs: #546722
ID: 201507-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in MySQL, allowing attackers
to execute arbitrary code or cause Denial of Service.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-db/mysql                < 5.6.24               *>= 5.5.43
                                                         >= 5.6.24
Description
===========
Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could send a specially crafted request, possibly
resulting in execution of arbitrary code with the privileges of the
application or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MySQL 5.5.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.43"
All MySQL 5.6.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.24"
References
==========
[ 1 ] CVE-2015-0405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0405
[ 2 ] CVE-2015-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0423
[ 3 ] CVE-2015-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0433
[ 4 ] CVE-2015-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0438
[ 5 ] CVE-2015-0439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0439
[ 6 ] CVE-2015-0441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0441
[ 7 ] CVE-2015-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0498
[ 8 ] CVE-2015-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0499
[ 9 ] CVE-2015-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0500
[ 10 ] CVE-2015-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0501
[ 11 ] CVE-2015-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0503
[ 12 ] CVE-2015-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0505
[ 13 ] CVE-2015-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0506
[ 14 ] CVE-2015-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0507
[ 15 ] CVE-2015-0508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0508
[ 16 ] CVE-2015-0511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0511
[ 17 ] CVE-2015-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2566
[ 18 ] CVE-2015-2567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2567
[ 19 ] CVE-2015-2568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2568
[ 20 ] CVE-2015-2571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2571
[ 21 ] CVE-2015-2573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2573
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-19
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
============================================================================
Ubuntu Security Notice USN-2575-1
April 21, 2015
mysql-5.5 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in MySQL. MySQL has been updated to
5.5.43.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-42.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
mysql-server-5.5 5.5.43-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.43-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
mysql-server-5.5 5.5.43-0ubuntu0.12.04.1
In general, a standard system update will make all the necessary changes.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mariadb-5.5.43-i486-1_slack14.1.txz: Upgraded.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.43-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.43-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-10.0.18-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-10.0.18-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.1 package:
17905b4257617eb8b1dc8dd128959b02 mariadb-5.5.43-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
89560390c29526d793ccbbf18807c09f mariadb-5.5.43-x86_64-1_slack14.1.txz
Slackware -current package:
6ff4004dedd522fcd7de14a7b4d8f3be ap/mariadb-10.0.18-i586-1.txz
Slackware x86_64 -current package:
91b13958f3ab6bc8fe2b89d2b06d98dd ap/mariadb-10.0.18-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg mariadb-5.5.43-i486-1_slack14.1.txz
Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: mariadb security update
Advisory ID: RHSA-2015:1665-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1665.html
Issue date: 2015-08-24
CVE Names: CVE-2015-0433 CVE-2015-0441 CVE-2015-0499
CVE-2015-0501 CVE-2015-0505 CVE-2015-2568
CVE-2015-2571 CVE-2015-2573 CVE-2015-2582
CVE-2015-2620 CVE-2015-2643 CVE-2015-2648
CVE-2015-3152 CVE-2015-4737 CVE-2015-4752
CVE-2015-4757
=====================================================================
1. Summary:
Updated mariadb packages that fix several security issues are now available
for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.
It was found that the MySQL client library permitted but did not require
a client to use SSL/TLS when establishing a secure connection to a MySQL
server using the "--ssl" option. A man-in-the-middle attacker
could use this flaw to strip the SSL/TLS protection from a connection
between a client and a server. (CVE-2015-3152)
This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2015-0501,
CVE-2015-2568, CVE-2015-0499, CVE-2015-2571, CVE-2015-0433, CVE-2015-0441,
CVE-2015-0505, CVE-2015-2573, CVE-2015-2582, CVE-2015-2620, CVE-2015-2643,
CVE-2015-2648, CVE-2015-4737, CVE-2015-4752, CVE-2015-4757)
These updated packages upgrade MariaDB to version 5.5.44. Refer to the
MariaDB Release Notes listed in the References section for a complete list
of changes.
All MariaDB users should upgrade to these updated packages, which correct
these issues. After installing this update, the MariaDB server daemon
(mysqld) will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1212758 - CVE-2015-0501 mysql: unspecified vulnerability related to Server:Compiling (CPU April 2015)
1212763 - CVE-2015-2568 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU April 2015)
1212768 - CVE-2015-0499 mysql: unspecified vulnerability related to Server:Federated (CPU April 2015)
1212772 - CVE-2015-2571 mysql: unspecified vulnerability related to Server:Optimizer (CPU April 2015)
1212776 - CVE-2015-0433 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU April 2015)
1212777 - CVE-2015-0441 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU April 2015)
1212780 - CVE-2015-0505 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015)
1212783 - CVE-2015-2573 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015)
1217506 - CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
1244768 - CVE-2015-2582 mysql: unspecified vulnerability related to Server:GIS (CPU July 2015)
1244771 - CVE-2015-2620 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU July 2015)
1244774 - CVE-2015-2643 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015)
1244775 - CVE-2015-2648 mysql: unspecified vulnerability related to Server:DML (CPU July 2015)
1244778 - CVE-2015-4737 mysql: unspecified vulnerability related to Server:Pluggable Auth (CPU July 2015)
1244779 - CVE-2015-4752 mysql: unspecified vulnerability related to Server:I_S (CPU July 2015)
1244781 - CVE-2015-4757 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015)
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
mariadb-5.5.44-1.el7_1.src.rpm
x86_64:
mariadb-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-libs-5.5.44-1.el7_1.i686.rpm
mariadb-libs-5.5.44-1.el7_1.x86_64.rpm
mariadb-server-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
mariadb-bench-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-devel-5.5.44-1.el7_1.i686.rpm
mariadb-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-test-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
mariadb-5.5.44-1.el7_1.src.rpm
x86_64:
mariadb-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-libs-5.5.44-1.el7_1.i686.rpm
mariadb-libs-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
mariadb-bench-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-devel-5.5.44-1.el7_1.i686.rpm
mariadb-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-server-5.5.44-1.el7_1.x86_64.rpm
mariadb-test-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
mariadb-5.5.44-1.el7_1.src.rpm
ppc64:
mariadb-5.5.44-1.el7_1.ppc64.rpm
mariadb-bench-5.5.44-1.el7_1.ppc64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.ppc.rpm
mariadb-debuginfo-5.5.44-1.el7_1.ppc64.rpm
mariadb-devel-5.5.44-1.el7_1.ppc.rpm
mariadb-devel-5.5.44-1.el7_1.ppc64.rpm
mariadb-libs-5.5.44-1.el7_1.ppc.rpm
mariadb-libs-5.5.44-1.el7_1.ppc64.rpm
mariadb-server-5.5.44-1.el7_1.ppc64.rpm
mariadb-test-5.5.44-1.el7_1.ppc64.rpm
s390x:
mariadb-5.5.44-1.el7_1.s390x.rpm
mariadb-bench-5.5.44-1.el7_1.s390x.rpm
mariadb-debuginfo-5.5.44-1.el7_1.s390.rpm
mariadb-debuginfo-5.5.44-1.el7_1.s390x.rpm
mariadb-devel-5.5.44-1.el7_1.s390.rpm
mariadb-devel-5.5.44-1.el7_1.s390x.rpm
mariadb-libs-5.5.44-1.el7_1.s390.rpm
mariadb-libs-5.5.44-1.el7_1.s390x.rpm
mariadb-server-5.5.44-1.el7_1.s390x.rpm
mariadb-test-5.5.44-1.el7_1.s390x.rpm
x86_64:
mariadb-5.5.44-1.el7_1.x86_64.rpm
mariadb-bench-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-devel-5.5.44-1.el7_1.i686.rpm
mariadb-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-libs-5.5.44-1.el7_1.i686.rpm
mariadb-libs-5.5.44-1.el7_1.x86_64.rpm
mariadb-server-5.5.44-1.el7_1.x86_64.rpm
mariadb-test-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
mariadb-5.5.44-1.ael7b_1.src.rpm
ppc64le:
mariadb-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-bench-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-debuginfo-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-devel-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-libs-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-server-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-test-5.5.44-1.ael7b_1.ppc64le.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
mariadb-debuginfo-5.5.44-1.el7_1.ppc.rpm
mariadb-debuginfo-5.5.44-1.el7_1.ppc64.rpm
mariadb-embedded-5.5.44-1.el7_1.ppc.rpm
mariadb-embedded-5.5.44-1.el7_1.ppc64.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.ppc.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.ppc64.rpm
s390x:
mariadb-debuginfo-5.5.44-1.el7_1.s390.rpm
mariadb-debuginfo-5.5.44-1.el7_1.s390x.rpm
mariadb-embedded-5.5.44-1.el7_1.s390.rpm
mariadb-embedded-5.5.44-1.el7_1.s390x.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.s390.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.s390x.rpm
x86_64:
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64le:
mariadb-debuginfo-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-embedded-5.5.44-1.ael7b_1.ppc64le.rpm
mariadb-embedded-devel-5.5.44-1.ael7b_1.ppc64le.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
mariadb-5.5.44-1.el7_1.src.rpm
x86_64:
mariadb-5.5.44-1.el7_1.x86_64.rpm
mariadb-bench-5.5.44-1.el7_1.x86_64.rpm
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-devel-5.5.44-1.el7_1.i686.rpm
mariadb-devel-5.5.44-1.el7_1.x86_64.rpm
mariadb-libs-5.5.44-1.el7_1.i686.rpm
mariadb-libs-5.5.44-1.el7_1.x86_64.rpm
mariadb-server-5.5.44-1.el7_1.x86_64.rpm
mariadb-test-5.5.44-1.el7_1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
mariadb-debuginfo-5.5.44-1.el7_1.i686.rpm
mariadb-debuginfo-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-5.5.44-1.el7_1.x86_64.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.i686.rpm
mariadb-embedded-devel-5.5.44-1.el7_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0433
https://access.redhat.com/security/cve/CVE-2015-0441
https://access.redhat.com/security/cve/CVE-2015-0499
https://access.redhat.com/security/cve/CVE-2015-0501
https://access.redhat.com/security/cve/CVE-2015-0505
https://access.redhat.com/security/cve/CVE-2015-2568
https://access.redhat.com/security/cve/CVE-2015-2571
https://access.redhat.com/security/cve/CVE-2015-2573
https://access.redhat.com/security/cve/CVE-2015-2582
https://access.redhat.com/security/cve/CVE-2015-2620
https://access.redhat.com/security/cve/CVE-2015-2643
https://access.redhat.com/security/cve/CVE-2015-2648
https://access.redhat.com/security/cve/CVE-2015-3152
https://access.redhat.com/security/cve/CVE-2015-4737
https://access.redhat.com/security/cve/CVE-2015-4752
https://access.redhat.com/security/cve/CVE-2015-4757
https://access.redhat.com/security/updates/classification/#moderate
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
https://mariadb.com/kb/en/mariadb/mariadb-5544-release-notes/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
| VAR-201504-0273 | CVE-2015-0693 | Cisco Web Security Appliance software Python code execution vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via a crafted pickle file, aka Bug ID CSCut39259. The Cisco Web Security Appliance is a secure Web gateway that integrates malware protection, application visibility and control, policy control, and more on a single platform. A local privilege escalation vulnerability exists in the Cisco Web Security Appliance. A local attacker could exploit it to execute arbitrary Python code with elevated privileges. Successful exploits may result in complete system compromise.
This issue is being tracked by Cisco Bug ID CSCut39259.
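A defensive illustration of the flaw class described above (a tunnel-status check that unpickles a file without restricting which globals the stream may resolve), added here and not taken from Cisco's code or the advisory: a restricted unpickler of the kind the Python documentation recommends, beside the unrestricted pickle.loads call that imports whatever module and name the stream names. The status record and the callable reference are constructed sample inputs; the function names are assumptions for this example.

```python
# Added example (not Cisco's code): restricted unpickling versus the
# unrestricted pattern the advisory describes.
import builtins
import io
import os
import pickle

# Only these builtins may be resolved from a pickle stream; everything else,
# including os.* and any other importable callable, is refused.
SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL reference outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that blocks arbitrary globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample inputs (not real appliance data).
# 1) A plain status record: primitive types only, no global references.
STATUS_PICKLE = pickle.dumps({"tunnel": "up", "peers": 2, "ids": {1, 5}})
# 2) A stream that references an importable callable (a harmless one here).
#    Unrestricted pickle.loads resolves it by importing its module.
CALLABLE_PICKLE = pickle.dumps(os.getcwd)


def load_status(data: bytes, restricted: bool = True):
    """Return (ok, value_or_error).

    restricted=False mirrors the unsafe pattern: any global named in the
    stream is imported and resolved before the caller sees the object.
    """
    try:
        obj = restricted_loads(data) if restricted else pickle.loads(data)
        return True, obj
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(load_status(STATUS_PICKLE))                     # (True, {...})
    print(load_status(CALLABLE_PICKLE))                   # (False, '... forbidden')
    print(load_status(CALLABLE_PICKLE, restricted=False)) # (True, <getcwd>)
```

The restricted loader still accepts the ordinary status record, so the fix costs nothing for legitimate input; only streams that try to resolve a module-level name outside the allow-list are rejected.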
| VAR-201504-0622 | No CVE | Net-SNMP 'snmp_api.c' Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Net-SNMP is a set of open source Simple Network Management Protocol software. This software is used to monitor network equipment, computer equipment, UPS equipment, etc. A remote denial of service vulnerability exists in Net-SNMP. An attacker could exploit the vulnerability to cause a denial of service.