Bug 914333 (CVE-2015-0310) - VUL-0: CVE-2015-0310: flash-player: critical update release APSB15-02
Summary: VUL-0: CVE-2015-0310: flash-player: critical update release APSB15-02
Status: RESOLVED FIXED
Alias: CVE-2015-0310
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent; Severity: Critical
Deadline: 2015-01-26
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp3:60376
Reported: 2015-01-22 17:12 UTC by Marcus Meissner
Modified: 2015-04-16 11:06 UTC
Description Marcus Meissner 2015-01-22 17:12:20 UTC
out of band update to fix a critical update.

http://helpx.adobe.com/security/products/flash-player/apsb15-02.html


Security updates available for Adobe Flash Player

Release date: January 22, 2015

Vulnerability identifier: APSB15-02

Priority: See table below

CVE number: CVE-2015-0310

Platform: All Platforms
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform.  

Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player.  Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.  For the latest information, please refer to the PSIRT blog here. 


Details

These updates resolve a memory leak that could be used to circumvent memory address randomization on the Windows platform (CVE-2015-0310). 


Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

    Yang Dingning, working with the Chromium Vulnerability Rewards Program, Timo Hirvonen of F-Secure and Kafeine (CVE-2015-0310)
Comment 1 Stanislav Brabec 2015-01-22 17:59:35 UTC
Submitted:

openSUSE:Factory:NonFree: Created OBS request id 282476
openSUSE:Maintenance (13.1, 13.2): Created OBS maintenance request id 282477
SUSE:Maintenance (SLE12): Created IBS maintenance request id 49098
SUSE:SLE-11-SP1:Update:Test: Created IBS request id 49100
Comment 2 Bernhard Wiedemann 2015-01-22 18:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (914333) was mentioned in
https://build.opensuse.org/request/show/282476 Factory:NonFree / flash-player
Comment 4 Swamp Workflow Management 2015-01-22 18:54:02 UTC
An update workflow for this issue was started.
This issue was rated as critical.
Please submit fixed packages until 2015-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60375
Comment 5 Swamp Workflow Management 2015-01-22 23:06:12 UTC
openSUSE-SU-2015:0110-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 914333
CVE References: CVE-2015-0310
Sources used:
Comment 6 Swamp Workflow Management 2015-01-23 14:04:53 UTC
SUSE-SU-2015:0129-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 914333
CVE References: CVE-2015-0310
Sources used:
Comment 7 Marcus Meissner 2015-01-23 17:45:06 UTC
all released
Comment 8 Swamp Workflow Management 2015-01-24 00:08:10 UTC
SUSE-SU-2015:0135-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 914333
CVE References: CVE-2015-0310
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.438-0.3.1
Comment 9 Bernhard Wiedemann 2015-01-29 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (914333) was mentioned in
https://build.opensuse.org/request/show/283284 12.3:NonFree / flash-player
Comment 10 Swamp Workflow Management 2015-01-29 13:05:24 UTC
openSUSE-SU-2015:0174-1: An update that fixes 11 vulnerabilities is now available.

Category: security (critical)
Bug References: 856386,913057,914333,914463
CVE References: CVE-2015-0301,CVE-2015-0302,CVE-2015-0303,CVE-2015-0304,CVE-2015-0305,CVE-2015-0306,CVE-2015-0307,CVE-2015-0308,CVE-2015-0309,CVE-2015-0310,CVE-2015-0311
Sources used:
Comment 11 Swamp Workflow Management 2015-04-16 11:06:08 UTC
openSUSE-SU-2015:0725-1: An update that fixes 45 vulnerabilities is now available.

Category: security (important)
Bug References: 856386,901334,905032,907257,909219,913057,914333,914463,922033,927089
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569,CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442,CVE-2015-0331,CVE-2015-0332,CVE-2015-0346,CVE-2015-0347,CVE-2015-0348,CVE-2015-0349,CVE-2015-0350,CVE-2015-0351,CVE-2015-0352,CVE-2015-0353,CVE-2015-0354,CVE-2015-0355,CVE-2015-0356,CVE-2015-0357,CVE-2015-0358,CVE-2015-0359,CVE-2015-0360,CVE-2015-3038,CVE-2015-3039,CVE-2015-3040,CVE-2015-3041,CVE-2015-3042,CVE-2015-3043,CVE-2015-3044
Sources used: