Bug 867808 (CVE-2014-0503) - VUL-0: CVE-2014-0503 CVE-2014-0504: flash-player: update to 11.2.202.346
Summary: VUL-0: CVE-2014-0503 CVE-2014-0504: flash-player: update to 11.2.202.346
Status: RESOLVED FIXED
Alias: CVE-2014-0503
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Deadline: 2014-03-19
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:56639
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-11 15:36 UTC by Marcus Meissner
Modified: 2014-03-17 23:04 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-03-11 15:36:41 UTC
via Adobe notices

http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
...
CVE-2014-0503, CVE-2013-0504
....
These updates resolve a vulnerability that could be used to bypass the same origin policy (CVE-2014-0503).

These updates resolve a vulnerability that could be used to read the contents of the clipboard (CVE-2014-0504).

...
These updates address "important" vulnerabilities in the software.
...
Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

    Masato Kinugawa (CVE-2014-0503)
    Jordan Milne (CVE-2014-0504)
Comment 1 Swamp Workflow Management 2014-03-11 23:00:20 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-03-12 08:31:30 UTC
The SWAMPID for this issue is 56636.
This issue was rated as important.
Please submit fixed packages until 2014-03-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Marcus Meissner 2014-03-12 08:33:01 UTC
(The CVE typo does not seem to come from me; I think it was from Adobe)

Both should be CVE-2014*
Comment 4 Stanislav Brabec 2014-03-12 17:47:34 UTC
openSUSE (12.3, 13.1): created OBS maintenance request id 225744
openSUSE:Factory:NonFree: created OBS request id 225746
SLE11: created IBS request id 34280
SLE12: created IBS request id 34281
Comment 6 Bernhard Wiedemann 2014-03-12 18:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (867808) was mentioned in
https://build.opensuse.org/request/show/225746 Factory:NonFree / flash-player
Comment 7 Swamp Workflow Management 2014-03-14 20:04:22 UTC
openSUSE-SU-2014:0377-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867808
CVE References: CVE-2013-0504,CVE-2014-0503
Sources used:
Comment 8 Swamp Workflow Management 2014-03-15 09:04:20 UTC
openSUSE-SU-2014:0379-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867808
CVE References: CVE-2014-0503,CVE-2014-0504
Sources used:
Comment 9 Marcus Meissner 2014-03-17 14:30:52 UTC
released
Comment 10 Swamp Workflow Management 2014-03-17 19:45:53 UTC
Update released for: flash-player, flash-player-gnome, flash-player-kde4
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
Comment 11 Swamp Workflow Management 2014-03-17 23:04:23 UTC
SUSE-SU-2014:0387-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867808
CVE References: CVE-2014-0503,CVE-2014-0504
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.346-0.3.1