VARIoT IoT vulnerabilities database
| VAR-201507-0074 | CVE-2015-3130 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. This vulnerability CVE-2015-3117 , CVE-2015-3123 , CVE-2015-3133 , CVE-2015-3134 ,and CVE-2015-4431 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0077 | CVE-2015-3133 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3134, and CVE-2015-4431. This vulnerability CVE-2015-3117 , CVE-2015-3123 , CVE-2015-3130 , CVE-2015-3134 ,and CVE-2015-4431 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0073 | CVE-2015-3129 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3127 , CVE-2015-3128 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0075 | CVE-2015-3131 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3127 , CVE-2015-3128 , CVE-2015-3129 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0070 | CVE-2015-3126 | Adobe Flash Player and Adobe AIR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-4429. This vulnerability CVE-2015-4429 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. http://cwe.mitre.org/data/definitions/476.htmlDenial of service by attacker (NULL Pointer dereference ) There is a possibility of being affected unspecified, such as being in a state.
Attackers can exploit these issues to cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0072 | CVE-2015-3128 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3127 , CVE-2015-3129 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0069 | CVE-2015-3125 | Adobe Flash Player and Adobe AIR Vulnerabilities that bypass the same origin policy |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-5116. This vulnerability CVE-2014-0578 , CVE-2015-3115 , CVE-2015-3116 ,and CVE-2015-5116 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlA third party can bypass the same origin policy. This vulnerability allows remote attackers to read arbitrary data on vulnerable Adobe Flash installations. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of Sound objects. A remote attacker can run arbitrary script in the context of any domain. An attacker can leverage this vulnerability to read browser cookies or saved passwords.
Attackers can exploit these issues to view content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information or aid in further attacks. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0071 | CVE-2015-3127 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3128 , CVE-2015-3129 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0067 | CVE-2015-3123 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. This vulnerability CVE-2015-3117 , CVE-2015-3130 , CVE-2015-3133 , CVE-2015-3134 ,and CVE-2015-4431 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0065 | CVE-2015-3137 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3127 , CVE-2015-3128 , CVE-2015-3129 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0053 | CVE-2015-5357 | plural Juniper Switch products Junos OS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Juniper EX4600, QFX3500, QFX3600, and QFX5100 switches with Junos 13.2X51-D15 through 13.2X51-D25, 13.2X51 before 13.2X51-D30, and 14.1X53 before 14.1X53-D10 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause a high CPU consumption, resulting in a denial-of-service condition. Juniper Networks EX4600, QFX3500, QFX3600 and QFX5100 switche with Junos is a set of network operating systems running on EX4600, QFX3500, QFX3600 and QFX5100 switch devices of Juniper Networks. The operating system provides a secure programming interface and Junos SDK
| VAR-201507-0068 | CVE-2015-3124 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3127 , CVE-2015-3128 , CVE-2015-3129 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3136 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0044 | CVE-2015-5362 | Juniper Junos OS of BFD Service disruption in daemon (DoS) Vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The BFD daemon in Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D15, 13.2 before 13.2R8, 13.3 before 13.3R6, 14.1 before 14.1R5, 14.1X50 before 14.1X50-D85, 14.1X55 before 14.1X55-D20, 14.2 before 14.2R3, 15.1 before 15.1R1, and 15.1X49 before 15.1X49-D10 allows remote attackers to cause a denial of service (bfdd crash and restart) or execute arbitrary code via a crafted BFD packet. Juniper Junos is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK. A security vulnerability exists in the BFD daemon of Juniper Networks Junos OS. The following versions are affected: Juniper Networks Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D15 , Version 13.2 before 13.2R8, Version 13.3 before 13.3R6, Version 14.1 before 14.1R5, Version 14.1X50 before 14.1X50-D85, Version 14.1X55 before 14.1X55-D20, Version 14.2 before 14.2R3, Version 15.1 before 15.1R1, 15.1 Version 15.1X49 before X49-D10
| VAR-201507-0043 | CVE-2015-5360 | Juniper Junos OS of IPv6 sendd Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IPv6 sendd in Juniper Junos 12.1X44 before 12.1X44-D51, 12.1X46 before 12.1X46-D36, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R8, 13.3 before 13.3R6, 14.1 before 14.1R5, 14.2 before 14.2R3, 15.1 before 15.1R1, and 15.1X49 before 15.1X49-D20, when the "set protocols neighbor-discovery secure security-level default" option is configured, allows remote attackers to cause a denial of service (CPU consumption) via a crafted Secure Neighbor Discovery (SEND) Protocol packet. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause a high CPU consumption, resulting in a denial-of-service condition. Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. A denial of service vulnerability exists in IPv6 sendd in Juniper Networks Junos. The following versions are affected: Juniper Junos 12.1X44 before 12.1X44-D51, 12.1X46 before 12.1X46-D36, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3R10 12.3 before 12.3X48-D20, 12.3X48 before 13.2R8, 13.2 before 13.3R6, 14.1 before 14.1R5, 14.2 before 14.2R3, 15.1 before 15.1R1, 15.1 15.1X49 versions prior to X49-D20
| VAR-201507-0066 | CVE-2015-3122 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, and CVE-2015-4433. This vulnerability CVE-2015-3119 , CVE-2015-3120 , CVE-2015-3121 ,and CVE-2015-4433 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-843:Access of Resource Using Incompatible Type ( Mixing of molds ) Has been identified. http://cwe.mitre.org/data/definitions/843.htmlUnspecified by attacker " Mixing of molds (type confusion)" May be used to execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0061 | CVE-2015-3114 | Adobe Flash Player and Adobe AIR Vulnerable to access restrictions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlAn attacker could bypass access restrictions and obtain important information.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0064 | CVE-2015-3136 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. This vulnerability CVE-2015-3118 , CVE-2015-3124 , CVE-2015-3127 , CVE-2015-3128 , CVE-2015-3129 , CVE-2015-3131 , CVE-2015-3132 , CVE-2015-3137 , CVE-2015-4428 , CVE-2015-4430 ,and CVE-2015-5117 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed exploit attempts will likely cause a denial-of-service condition. A use-after-free vulnerability exists in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201507-0062 | CVE-2015-3115 | Adobe Flash Player and Adobe AIR Vulnerabilities that bypass the same origin policy |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116. This vulnerability CVE-2014-0578 , CVE-2015-3116 , CVE-2015-3125 ,and CVE-2015-5116 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlA third party can bypass the same origin policy.
Attackers can exploit these issues to view content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information or aid in further attacks. Security flaws exist in several Adobe products.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.481"
References
==========
[ 1 ] CVE-2014-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0578
[ 2 ] CVE-2015-3113
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3113
[ 3 ] CVE-2015-3114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3114
[ 4 ] CVE-2015-3115
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3115
[ 5 ] CVE-2015-3116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3116
[ 6 ] CVE-2015-3117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3117
[ 7 ] CVE-2015-3118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3118
[ 8 ] CVE-2015-3119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3119
[ 9 ] CVE-2015-3120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3120
[ 10 ] CVE-2015-3121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3121
[ 11 ] CVE-2015-3122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3122
[ 12 ] CVE-2015-3123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3123
[ 13 ] CVE-2015-3124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3124
[ 14 ] CVE-2015-3125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3125
[ 15 ] CVE-2015-3126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3126
[ 16 ] CVE-2015-3127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3127
[ 17 ] CVE-2015-3128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3128
[ 18 ] CVE-2015-3129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3129
[ 19 ] CVE-2015-3130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3130
[ 20 ] CVE-2015-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3131
[ 21 ] CVE-2015-3132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3132
[ 22 ] CVE-2015-3133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3133
[ 23 ] CVE-2015-3134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3134
[ 24 ] CVE-2015-3135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3135
[ 25 ] CVE-2015-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3136
[ 26 ] CVE-2015-3137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3137
[ 27 ] CVE-2015-4428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4428
[ 28 ] CVE-2015-4429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4429
[ 29 ] CVE-2015-4430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4430
[ 30 ] CVE-2015-4431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4431
[ 31 ] CVE-2015-4432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4432
[ 32 ] CVE-2015-4433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4433
[ 33 ] CVE-2015-5116
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5116
[ 34 ] CVE-2015-5117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5117
[ 35 ] CVE-2015-5118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5118
[ 36 ] CVE-2015-5119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:1214-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1214.html
Issue date: 2015-07-08
CVE Names: CVE-2014-0578 CVE-2015-3114 CVE-2015-3115
CVE-2015-3116 CVE-2015-3117 CVE-2015-3118
CVE-2015-3119 CVE-2015-3120 CVE-2015-3121
CVE-2015-3122 CVE-2015-3123 CVE-2015-3124
CVE-2015-3125 CVE-2015-3126 CVE-2015-3127
CVE-2015-3128 CVE-2015-3129 CVE-2015-3130
CVE-2015-3131 CVE-2015-3132 CVE-2015-3133
CVE-2015-3134 CVE-2015-3135 CVE-2015-3136
CVE-2015-3137 CVE-2015-4428 CVE-2015-4429
CVE-2015-4430 CVE-2015-4431 CVE-2015-4432
CVE-2015-4433 CVE-2015-5116 CVE-2015-5117
CVE-2015-5118 CVE-2015-5119
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB15-16
listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,
CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,
CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,
CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,
CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,
CVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)
Multiple security bypass flaws were found in flash-plugin that could lead
to the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,
CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.481.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1240832 - CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16
1241171 - flash-plugin: multiple code execution issues fixed in APSB15-16
1241173 - flash-plugin: information disclosure issues fixed in APSB15-16
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.481-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.481-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
x86_64:
flash-plugin-11.2.202.481-1.el6_6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0578
https://access.redhat.com/security/cve/CVE-2015-3114
https://access.redhat.com/security/cve/CVE-2015-3115
https://access.redhat.com/security/cve/CVE-2015-3116
https://access.redhat.com/security/cve/CVE-2015-3117
https://access.redhat.com/security/cve/CVE-2015-3118
https://access.redhat.com/security/cve/CVE-2015-3119
https://access.redhat.com/security/cve/CVE-2015-3120
https://access.redhat.com/security/cve/CVE-2015-3121
https://access.redhat.com/security/cve/CVE-2015-3122
https://access.redhat.com/security/cve/CVE-2015-3123
https://access.redhat.com/security/cve/CVE-2015-3124
https://access.redhat.com/security/cve/CVE-2015-3125
https://access.redhat.com/security/cve/CVE-2015-3126
https://access.redhat.com/security/cve/CVE-2015-3127
https://access.redhat.com/security/cve/CVE-2015-3128
https://access.redhat.com/security/cve/CVE-2015-3129
https://access.redhat.com/security/cve/CVE-2015-3130
https://access.redhat.com/security/cve/CVE-2015-3131
https://access.redhat.com/security/cve/CVE-2015-3132
https://access.redhat.com/security/cve/CVE-2015-3133
https://access.redhat.com/security/cve/CVE-2015-3134
https://access.redhat.com/security/cve/CVE-2015-3135
https://access.redhat.com/security/cve/CVE-2015-3136
https://access.redhat.com/security/cve/CVE-2015-3137
https://access.redhat.com/security/cve/CVE-2015-4428
https://access.redhat.com/security/cve/CVE-2015-4429
https://access.redhat.com/security/cve/CVE-2015-4430
https://access.redhat.com/security/cve/CVE-2015-4431
https://access.redhat.com/security/cve/CVE-2015-4432
https://access.redhat.com/security/cve/CVE-2015-4433
https://access.redhat.com/security/cve/CVE-2015-5116
https://access.redhat.com/security/cve/CVE-2015-5117
https://access.redhat.com/security/cve/CVE-2015-5118
https://access.redhat.com/security/cve/CVE-2015-5119
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVnYzEXlSAg2UNWIIRAiYOAJ4hyudjAqMbqOcLAA47WlvgoVG25gCdF1BZ
bxdi7YGr3vmk1ppaEImDJNg=
=KEcy
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201508-0365 | CVE-2015-1819 | libxml2 of xmlreader Service operation interruption in (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. It supports multiple encoding formats, XPath analysis, Well-formed and valid verification, etc. xmlreader is one of the components used to read XML. A security vulnerability exists in libxml's xmlreader component.
CVE-ID
CVE-2016-1722 : Joshua J.
For the oldstable distribution (wheezy), these problems have been fixed
in version 2.8.0+dfsg1-7+wheezy5.
For the stable distribution (jessie), these problems have been fixed in
version 2.9.1+dfsg1-5+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 2.9.3+dfsg1-1 or earlier versions.
For the unstable distribution (sid), these problems have been fixed in
version 2.9.3+dfsg1-1 or earlier versions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libxml2 security update
Advisory ID: RHSA-2015:2550-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2550.html
Issue date: 2015-12-07
CVE Names: CVE-2015-1819 CVE-2015-5312 CVE-2015-7497
CVE-2015-7498 CVE-2015-7499 CVE-2015-7500
CVE-2015-7941 CVE-2015-7942 CVE-2015-8241
CVE-2015-8242 CVE-2015-8317
=====================================================================
1. Summary:
Updated libxml2 packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The libxml2 library is a development toolbox providing the implementation
of various XML standards.
Several denial of service flaws were found in libxml2, a library providing
support for reading, modifying, and writing XML and HTML files. A remote
attacker could provide a specially crafted XML or HTML file that, when
processed by an application using libxml2, would cause that application to
use an excessive amount of CPU, leak potentially sensitive information, or
in certain cases crash the application. (CVE-2015-1819, CVE-2015-5312,
CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500 CVE-2015-7941,
CVE-2015-7942, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317, BZ#1213957,
BZ#1281955)
Red Hat would like to thank the GNOME project for reporting CVE-2015-7497,
CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242,
and CVE-2015-8317. Upstream acknowledges Kostya Serebryany of Google as the
original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and
CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and
CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317.
All libxml2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct these issues. The desktop must be
restarted (log out, then log back in) for this update to take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1211278 - CVE-2015-1819 libxml2: denial of service processing a crafted XML document
1213957 - libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
1274222 - CVE-2015-7941 libxml2: Out-of-bounds memory access
1276297 - CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
1276693 - CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input
1281862 - CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey
1281879 - CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl
1281925 - CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW
1281930 - CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration
1281936 - CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar
1281943 - CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc
1281950 - CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode
1281955 - libxml2: Multiple out-of-bounds reads in xmlDictComputeFastKey.isra.2 and xmlDictAddString.isra.O
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
libxml2-2.9.1-6.el7_2.2.src.rpm
x86_64:
libxml2-2.9.1-6.el7_2.2.i686.rpm
libxml2-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-python-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-devel-2.9.1-6.el7_2.2.i686.rpm
libxml2-devel-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-static-2.9.1-6.el7_2.2.i686.rpm
libxml2-static-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
libxml2-2.9.1-6.el7_2.2.src.rpm
x86_64:
libxml2-2.9.1-6.el7_2.2.i686.rpm
libxml2-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-python-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-devel-2.9.1-6.el7_2.2.i686.rpm
libxml2-devel-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-static-2.9.1-6.el7_2.2.i686.rpm
libxml2-static-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libxml2-2.9.1-6.el7_2.2.src.rpm
aarch64:
libxml2-2.9.1-6.el7_2.2.aarch64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.aarch64.rpm
libxml2-devel-2.9.1-6.el7_2.2.aarch64.rpm
libxml2-python-2.9.1-6.el7_2.2.aarch64.rpm
ppc64:
libxml2-2.9.1-6.el7_2.2.ppc.rpm
libxml2-2.9.1-6.el7_2.2.ppc64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc64.rpm
libxml2-devel-2.9.1-6.el7_2.2.ppc.rpm
libxml2-devel-2.9.1-6.el7_2.2.ppc64.rpm
libxml2-python-2.9.1-6.el7_2.2.ppc64.rpm
ppc64le:
libxml2-2.9.1-6.el7_2.2.ppc64le.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc64le.rpm
libxml2-devel-2.9.1-6.el7_2.2.ppc64le.rpm
libxml2-python-2.9.1-6.el7_2.2.ppc64le.rpm
s390x:
libxml2-2.9.1-6.el7_2.2.s390.rpm
libxml2-2.9.1-6.el7_2.2.s390x.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.s390.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.s390x.rpm
libxml2-devel-2.9.1-6.el7_2.2.s390.rpm
libxml2-devel-2.9.1-6.el7_2.2.s390x.rpm
libxml2-python-2.9.1-6.el7_2.2.s390x.rpm
x86_64:
libxml2-2.9.1-6.el7_2.2.i686.rpm
libxml2-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-devel-2.9.1-6.el7_2.2.i686.rpm
libxml2-devel-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-python-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
libxml2-debuginfo-2.9.1-6.el7_2.2.aarch64.rpm
libxml2-static-2.9.1-6.el7_2.2.aarch64.rpm
ppc64:
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc64.rpm
libxml2-static-2.9.1-6.el7_2.2.ppc.rpm
libxml2-static-2.9.1-6.el7_2.2.ppc64.rpm
ppc64le:
libxml2-debuginfo-2.9.1-6.el7_2.2.ppc64le.rpm
libxml2-static-2.9.1-6.el7_2.2.ppc64le.rpm
s390x:
libxml2-debuginfo-2.9.1-6.el7_2.2.s390.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.s390x.rpm
libxml2-static-2.9.1-6.el7_2.2.s390.rpm
libxml2-static-2.9.1-6.el7_2.2.s390x.rpm
x86_64:
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-static-2.9.1-6.el7_2.2.i686.rpm
libxml2-static-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libxml2-2.9.1-6.el7_2.2.src.rpm
x86_64:
libxml2-2.9.1-6.el7_2.2.i686.rpm
libxml2-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-devel-2.9.1-6.el7_2.2.i686.rpm
libxml2-devel-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-python-2.9.1-6.el7_2.2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7_2.2.i686.rpm
libxml2-debuginfo-2.9.1-6.el7_2.2.x86_64.rpm
libxml2-static-2.9.1-6.el7_2.2.i686.rpm
libxml2-static-2.9.1-6.el7_2.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-1819
https://access.redhat.com/security/cve/CVE-2015-5312
https://access.redhat.com/security/cve/CVE-2015-7497
https://access.redhat.com/security/cve/CVE-2015-7498
https://access.redhat.com/security/cve/CVE-2015-7499
https://access.redhat.com/security/cve/CVE-2015-7500
https://access.redhat.com/security/cve/CVE-2015-7941
https://access.redhat.com/security/cve/CVE-2015-7942
https://access.redhat.com/security/cve/CVE-2015-8241
https://access.redhat.com/security/cve/CVE-2015-8242
https://access.redhat.com/security/cve/CVE-2015-8317
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWZZK6XlSAg2UNWIIRAlx5AKCfIxP9TLM+V/vmQq6MVeUpjiGltgCgnOgZ
IOmptwborGrgz5fLqra3STg=
=bVgd
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ============================================================================
Ubuntu Security Notice USN-2812-1
November 16, 2015
libxml2 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in libxml2. This issue only affected
Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-1819)
Michal Zalewski discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service. This issue only affected
Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-7941)
Kostya Serebryany discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-7942)
Gustavo Grieco discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS. (CVE-2015-8035)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
libxml2 2.9.2+zdfsg1-4ubuntu0.1
Ubuntu 15.04:
libxml2 2.9.2+dfsg1-3ubuntu0.1
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.5
Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.12
After a standard system update you need to reboot your computer to make
all the necessary changes.
CVE-ID
CVE-2016-1781 : Devdatta Akhawe of Dropbox, Inc.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A website may be able to track sensitive user information
Description: A hidden web page may be able to access device-
orientation and device-motion data. This issue was addressed by
suspending the availability of this data when the web view is hidden.
CVE-ID
CVE-2016-1780 : Maryam Mehrnezhad, Ehsan Toreini, Siamak F.
Shahandashti, and Feng Hao of the School of Computing Science,
Newcastle University, UK
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may reveal a user's
current location
Description: An issue existed in the parsing of geolocation
requests.
CVE-ID
CVE-2016-1779 : xisigr of Tencent's Xuanwu Lab
(http://www.tencent.com)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may be able to access restricted ports
on arbitrary servers
Description: A port redirection issue was addressed through
additional port validation.
CVE-ID
CVE-2016-1782 : Muneaki Nishimura (nishimunea) of Recruit
Technologies Co.,Ltd.
CVE-ID
CVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and 李普君 of
无声信息技术PKAV Team (PKAV.net)
WebKit Page Loading
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Redirect responses may have allowed a malicious website
to display an arbitrary URL and read cached contents of the
destination origin.
CVE-ID
CVE-2016-1786 : ma.la of LINE Corporation
WebKit Page Loading
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may exfiltrate data cross-origin
Description: A caching issue existed with character encoding.
CVE-ID
CVE-2016-0801 : an anonymous researcher
CVE-2016-0802 : an anonymous researcher
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update
2016-002
OS X El Capitan 10.11.4 and Security Update 2016-002 is now available
and addresses the following:
apache_mod_php
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description: Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by updating libpng to version
1.6.20.
CVE-ID
CVE-2015-8126 : Adam Mariš
CVE-2015-8472 : Adam Mariš
AppleRAID
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team
AppleRAID
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A local user may be able to determine kernel memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-ID
CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team
AppleUSBNetworking
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the parsing of
data from USB devices. This issue was addressed through improved
input validation.
CVE-ID
CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path
Bluetooth
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1735 : Jeonghoon Shin@A.D.D
CVE-2016-1736 : beist and ABH of BoB
Carbon
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted .dfont file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2016-1737 : an anonymous researcher
dyld
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An attacker may tamper with code-signed applications to
execute arbitrary code in the application's context
Description: A code signing verification issue existed in dyld. This
issue was addressed with improved validation.
CVE-ID
CVE-2016-1738 : beist and ABH of BoB
FontParser
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with
Trend Micro's Zero Day Initiative (ZDI)
HTTPProtocol
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple vulnerabilities existed in nghttp2 versions
prior to 1.6.0, the most serious of which may have led to remote code
execution. These were addressed by updating nghttp2 to version 1.6.0.
CVE-ID
CVE-2015-8659
Intel Graphics Driver
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1743 : Piotr Bania of Cisco Talos
CVE-2016-1744 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A local user may be able to cause a denial of service
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1745 : sweetchip of Grayhash
IOGraphics
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's
Zero Day Initiative (ZDI)
CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's
Zero Day Initiative (ZDI)
IOHIDFamily
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to determine kernel memory layout
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1748 : Brandon Azad
IOUSBFamily
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of
Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-ID
CVE-2016-1750 : CESG
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition existed during the creation of new
processes. This was addressed through improved state handling.
CVE-ID
CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaca
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-ID
CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team
Kernel
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2016-1755 : Ian Beer of Google Project Zero
CVE-2016-1759 : lokihardt
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to determine kernel memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-ID
CVE-2016-1758 : Brandon Azad
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple integer overflows were addressed through
improved input validation.
CVE-ID
CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero
Day Initiative (ZDI)
Kernel
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to cause a denial of service
Description: A denial of service issue was addressed through
improved validation.
CVE-ID
CVE-2016-1752 : CESG
libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact: Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-1819
CVE-2015-5312 : David Drysdale of Google
CVE-2015-7499
CVE-2015-7500 : Kostya Serebryany of Google
CVE-2015-7942 : Kostya Serebryany of Google
CVE-2015-8035 : gustavo.grieco
CVE-2015-8242 : Hugh Davenport
CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day
Initiative (ZDI)
CVE-2016-1762
Messages
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An attacker who is able to bypass Apple's certificate
pinning, intercept TLS connections, inject messages, and record
encrypted attachment-type messages may be able to read attachments
Description: A cryptographic issue was addressed by rejecting
duplicate messages on the client.
CVE-ID
CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk,
Ian Miers, and Michael Rushanan of Johns Hopkins University
Messages
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Clicking a JavaScript link can reveal sensitive user
information
Description: An issue existed in the processing of JavaScript links.
This issue was addressed through improved content security policy
checks.
CVE-ID
CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of
Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox
NVIDIA Graphics Drivers
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1741 : Ian Beer of Google Project Zero
OpenSSH
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact: Connecting to a server may leak sensitive user information,
such as a client's private keys
Description: Roaming, which was on by default in the OpenSSH client,
exposed an information leak and a buffer overflow. These issues were
addressed by disabling roaming in the client.
CVE-ID
CVE-2016-0777 : Qualys
CVE-2016-0778 : Qualys
OpenSSH
Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact: Multiple vulnerabilities in LibreSSL
Description: Multiple vulnerabilities existed in LibreSSL versions
prior to 2.1.8. These were addressed by updating LibreSSL to version
2.1.8.
CVE-ID
CVE-2015-5333 : Qualys
CVE-2015-5334 : Qualys
OpenSSL
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A remote attacker may be able to cause a denial of service
Description: A memory leak existed in OpenSSL versions prior to
0.9.8zh. This issue was addressed by updating OpenSSL to version
0.9.8zh.
CVE-ID
CVE-2015-3195
Python
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description: Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by updating libpng to version
1.6.20.
CVE-ID
CVE-2014-9495
CVE-2015-0973
CVE-2015-8126 : Adam Mariš
CVE-2015-8472 : Adam Mariš
QuickTime
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1767 : Francis Provencher from COSIG
CVE-2016-1768 : Francis Provencher from COSIG
QuickTime
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1769 : Francis Provencher from COSIG
Reminders
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Clicking a tel link can make a call without prompting the
user
Description: A user was not prompted before invoking a call. This
was addressed through improved entitlement checks.
CVE-ID
CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of
Laurent.ca
Ruby
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An unsafe tainted string usage vulnerability existed in
versions prior to 2.0.0-p648. This issue was addressed by updating to
version 2.0.0-p648.
CVE-ID
CVE-2015-7551
Security
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: A local user may be able to check for the existence of
arbitrary files
Description: A permissions issue existed in code signing tools. This
was addressed though additional ownership checks.
CVE-ID
CVE-2016-1773 : Mark Mentovai of Google Inc.
Security
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the ASN.1 decoder.
This issue was addressed through improved input validation.
CVE-ID
CVE-2016-1950 : Francis Gabriel of Quarkslab
Tcl
Available for:
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description: Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by removing libpng.
CVE-ID
CVE-2015-8126 : Adam Mariš
TrueTypeScaler
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day
Initiative (ZDI)
Wi-Fi
Available for: OS X El Capitan v10.11 to v10.11.3
Impact: An attacker with a privileged network position may be able
to execute arbitrary code
Description: A frame validation and memory corruption issue existed
for a given ethertype. This issue was addressed through additional
ethertype validation and improved memory handling.
CVE-ID
CVE-2016-0801 : an anonymous researcher
CVE-2016-0802 : an anonymous researcher
OS X El Capitan 10.11.4 includes the security content of Safari 9.1.
https://support.apple.com/kb/HT206171
OS X El Capitan v10.11.4 and Security Update 2016-002 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJW8JQFAAoJEBcWfLTuOo7tZSYP/1bHFA1qemkD37uu7nYpk/q6
ARVsPgME1I1+5tOxX0TQJgzMBmdQsKYdsTiLpDk5HTuv+dAMsFfasaUItGk8Sz1w
HiYjSfVsxL+Pjz3vK8/4/fsi2lX6472MElRw8gudITOhXtniGcKo/vuA5dB+vM3l
Jy1NLHHhZ6BD2t0bBmlz41mZMG3AMxal2wfqE+5LkjUwASzcvC/3B1sh7Fntwyau
/71vIgMQ5AaETdgQJAuQivxPyTlFduBRgLjqvPiB9eSK4Ctu5t/hErFIrP2NiDCi
UhfZC48XbiRjJfkUsUD/5TIKnI+jkZxOnch9ny32dw2kUIkbIAbqufTkzsMXOpng
O+rI93Ni7nfzgI3EkI2bq+C+arOoRiveWuJvc3SMPD5RQHo4NCQVs0ekQJKNHF78
juPnY29n8WMjwLS6Zfm+bH+n8ELIXrmmEscRztK2efa9S7vJe+AgIxx7JE/f8OHF
i9K7UQBXFXcpMjXi1aTby/IUnpL5Ny4NVwYwIhctj0Mf6wTH7uf/FMWYIQOXcIfP
Izo+GXxNeLd4H2ypZ+UpkZg/Sn2mtCd88wLc96+owlZPBlSqWl3X1wTlp8i5FP2X
qlQ7RcTHJDv8jPT/MOfzxEK1n/azp45ahHA0o6nohUdxlA7PLci9vPiJxqKPo/0q
VZmOKa8qMxB1L/JmdCqy
=mZR+
-----END PGP SIGNATURE-----
| VAR-201507-0148 | CVE-2015-2866 | Grandstream GXV3611_HD Camera SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted username. Grandstream GXV3611_HD Is a network camera for surveillance. Grandstream GXV3611_HD Is SQL There is an injection vulnerability. An attacker can use this vulnerability to SQL It is possible to perform injection attacks. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') http://cwe.mitre.org/data/definitions/89.htmlBy a remote third party SQL By injection, the settings of the device may be viewed or changed. Grandstream GXV3611_HD is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Grandstream GXV3611_HD 1.0.3.6 is vulnerable