Bug 895856 (CVE-2014-0547) - VUL-0: CVE-2014-0547 etc: flash-player: APSB14-21: 11.2.202.406 release
Summary: VUL-0: CVE-2014-0547 etc: flash-player: APSB14-21: 11.2.202.406 release
Status: RESOLVED FIXED
Alias: CVE-2014-0547
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Deadline: 2014-09-16
Assignee: Frederic Crozat
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:58890
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-09 16:26 UTC by Marcus Meissner
Modified: 2014-09-15 23:04 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-09 16:26:33 UTC
Public via Adobe


http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Vulnerability identifier: APSB14-21

Priority: See table below

CVE number: CVE-2014-0547, CVE-2014-0548, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0553, CVE-2014-0554, CVE-2014-0555, CVE-2014-0556, CVE-2014-0557, CVE-2014-0559

Platform: All Platforms
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.406.



Details

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

    Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 15.0.0.152.
    Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.244.
    Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.406.
    Adobe Flash Player installed with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will be automatically updated to the current version.
    Users of the Adobe AIR desktop runtime, SDK and SDK and Compiler should update to version 15.0.0.249.
    Users of Adobe AIR for Android should update to Adobe AIR 15.0.0.252.

These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557).

These updates resolve a security bypass vulnerability (CVE-2014-0554).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0553).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555).

These updates resolve a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559).
Comment 1 Swamp Workflow Management 2014-09-09 16:27:47 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-09-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58887
Comment 2 SMASH SMASH 2014-09-09 16:30:18 UTC
Affected packages:

SLE-10-SP3-TERADATA: flash-player
SLE-11-SP3: flash-player
SLE-11-SP3-PRODUCTS: flash-player
SLE-11-SP3-UPTU: flash-player
Comment 4 Stanislav Brabec 2014-09-09 19:02:55 UTC
As you mentioned SLE10, updating SLE10 as well.

Fix submitted:

SLE10: created IBS request id 43893.
SLE11: created IBS request id 43894.
SLE12: created IBS request id 43895.
openSUSE 12.3 and 13.1: created OBS maintenance request id 248248.
openSUSE:Factory:NonFree: created OBS request id 248250.
Comment 5 Swamp Workflow Management 2014-09-09 22:01:17 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2014-09-10 15:04:23 UTC
openSUSE-SU-2014:1110-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 895856
CVE References: CVE-2014-0547,CVE-2014-0548,CVE-2014-0549,CVE-2014-0550,CVE-2014-0551,CVE-2014-0552,CVE-2014-0553,CVE-2014-0554,CVE-2014-0555,CVE-2014-0556,CVE-2014-0557,CVE-2014-0559
Sources used:
Comment 7 Marcus Meissner 2014-09-12 14:54:16 UTC
released
Comment 10 Swamp Workflow Management 2014-09-12 23:04:26 UTC
SUSE-SU-2014:1124-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 895856
CVE References: CVE-2014-0547,CVE-2014-0548,CVE-2014-0549,CVE-2014-0550,CVE-2014-0551,CVE-2014-0552,CVE-2014-0553,CVE-2014-0554,CVE-2014-0555,CVE-2014-0556,CVE-2014-0557,CVE-2014-0559
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.406-0.3.1
Comment 12 Marcus Meissner 2014-09-15 13:39:14 UTC
also checked into SLE12 now.
Comment 13 Swamp Workflow Management 2014-09-15 23:04:29 UTC
openSUSE-SU-2014:1130-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 895856
CVE References: CVE-2014-0547,CVE-2014-0548,CVE-2014-0549,CVE-2014-0550,CVE-2014-0551,CVE-2014-0552,CVE-2014-0553,CVE-2014-0554,CVE-2014-0555,CVE-2014-0556,CVE-2014-0557,CVE-2014-0559
Sources used: