Bugzilla – Bug 914463
VUL-0: CVE-2015-0311: flash-player: another critical vulnerability
Last modified: 2019-05-01 16:40:58 UTC
http://helpx.adobe.com/security/products/flash-player/apsa15-01.html: preannouncement that Adobe is working on a fix for a currently exploited issue, tracked by CVE-2015-0311. Release will most likely be next week.
bugbot adjusting priority
http://get.adobe.com/cz/flashplayer/ still refers to the old version. And the URL (probably NDA) provided by you does not contain a flashplayer binary (for ix86; x86_64 has not been distributed for several years). Should I wait, or do the same as we did for x86_64 in the past: leave the old flashplayer version but stop installing it? (So we will completely lose flashplayer.)
openSUSE:Factory:NonFree: Created OBS submit request id 282901.
openSUSE:Maintenance (13.1, 13.2): Created OBS maintenance request id 282902.
SUSE:Maintenance (SLE12): Created IBS maintenance request id 49250.
SUSE:SLE-11-SP1:Update:Test: Created IBS submit request id 49252.
This is an autogenerated message for OBS integration: This bug (914463) was mentioned in https://build.opensuse.org/request/show/282901 Factory:NonFree / flash-player
Linux Flash version 11.2.202.440, addressing the vulnerabilities, has been out since yesterday (2015-01-25).
openSUSE-SU-2015:0150-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 914463
CVE References: CVE-2015-0311
Sources used:
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2015-01-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60409
SUSE-SU-2015:0151-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 914463
CVE References: CVE-2015-0311
Sources used:
The updated flashplayer binary for ix86 is now available. Does it make sense to release another update, or should I keep it for the next security update?
Adobe released a follow-up advisory, but it seems we covered that with the update already. http://helpx.adobe.com/security/products/flash-player/apsb15-03.html These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2015-0311). These updates resolve a double-free vulnerability that could lead to code execution (CVE-2015-0312). I would currently not respin the update, but include the fixed x86 standalone player in the next update.
all released
SUSE-SU-2015:0163-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 914463
CVE References: CVE-2015-0311
Sources used: SUSE Linux Enterprise Desktop 11 SP3 (src): flash-player-11.2.202.440-0.3.1
This is an autogenerated message for OBS integration: This bug (914463) was mentioned in https://build.opensuse.org/request/show/283284 12.3:NonFree / flash-player
openSUSE-SU-2015:0174-1: An update that fixes 11 vulnerabilities is now available.
Category: security (critical)
Bug References: 856386,913057,914333,914463
CVE References: CVE-2015-0301,CVE-2015-0302,CVE-2015-0303,CVE-2015-0304,CVE-2015-0305,CVE-2015-0306,CVE-2015-0307,CVE-2015-0308,CVE-2015-0309,CVE-2015-0310,CVE-2015-0311
Sources used:
Something is wrong here, I have updated the flash-player:
# rpm -qi flash-player
Name        : flash-player
Version     : 11.2.202.440
Release     : 2.29.1
Architecture: x86_64
Install Date: Wed Jan 28 11:06:11 2015
Group       : Productivity/Networking/Web/Browsers
Size        : 21896275
License     : SUSE-NonFree
Signature   : RSA/SHA256, Tue Jan 27 09:48:27 2015, Key ID b88b2fd43dbdc284
Source RPM  : flash-player-11.2.202.440-2.29.1.nosrc.rpm
Build Date  : Mon Jan 26 19:41:54 2015
Build Host  : cloud110
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://get.adobe.com/flashplayer/
Summary     : Adobe Flash Plugin and Standalone Player
Description : This package contains Adobe's Flash Plugin for the supported Web browsers in addition to a standalone flash player application.
Distribution: openSUSE 13.2
But Firefox tells me I'm using 11.2.202.438, which is vulnerable.
Does the error persist, or could we close it?
I cannot reproduce. A string search in the binaries from Adobe shows an occurrence of 11.2.202.440 in both libflashplayer.so and readme.txt for both i386 and x86_64, so the tarball version should match the declared version. (Adobe tarballs are unversioned; the rename is done by the update.sh script by extracting the version from the binary, but this time Adobe released the new versions in advance through the distributors' channel and I did the rename manually.)
I'll double check my system later today. This works fine on my workstation, I'm puzzled right now.
Reinstallation of flash-player still showed the same problem. Reinstallation of Firefox solved this. Still strange ;(
Andreas Jaeger: Years ago we had a timestamp issue: Firefox was optimizing the lookup for new plugins using timestamps. Maybe that happened to you.
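The string search described in the comments above, written out as an added example (not code from this bug, the openSUSE package or its update.sh): it compares the version string embedded in a libflashplayer.so against the version the package declares, and flags a stale binary. The sample "binaries" are constructed stand-ins; the final rpm section assumes only the standard rpm -q/-ql/--qf options and the package name flash-player used in this thread.

```sh
#!/bin/sh
# Added example, not from the openSUSE package or its update.sh script:
# verify that the version string embedded in libflashplayer.so matches the
# version the package declares, i.e. the string search described above.
# The sample "binaries" below are constructed stand-ins, not real Adobe files.

# Print the first Flash-style version (a.b.c.d) embedded in a binary.
# LC_ALL=C and -a make grep treat arbitrary bytes as text.
embedded_version() {
    LC_ALL=C grep -aoE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1" | head -n 1
}

# Return 0 when the embedded version equals the declared one, 1 otherwise;
# the mismatch is reported on stderr so a packager sees which file is stale.
check_binary_version() {
    declared=$1
    so=$2
    found=$(embedded_version "$so")
    if [ "$found" = "$declared" ]; then
        return 0
    fi
    echo "version mismatch: $so embeds '${found:-none}', package declares '$declared'" >&2
    return 1
}

# Constructed samples: NUL-separated strings around a version, as a real
# shared object would carry them. One matches the update, one is stale.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FRESH_SO="$WORK/libflashplayer-fresh.so"
STALE_SO="$WORK/libflashplayer-stale.so"
printf 'ELF\000Shockwave Flash\000%s\000libc.so.6\000' 11.2.202.440 > "$FRESH_SO"
printf 'ELF\000Shockwave Flash\000%s\000libc.so.6\000' 11.2.202.438 > "$STALE_SO"

if check_binary_version 11.2.202.440 "$FRESH_SO"; then echo "fresh sample: ok"; fi
if check_binary_version 11.2.202.440 "$STALE_SO"; then :; else echo "stale sample: flagged"; fi

# On an openSUSE host, compare the installed package with its own plugin file
# (standard rpm -q/-ql/--qf options; package name as used in this bug).
if command -v rpm >/dev/null 2>&1 && rpm -q flash-player >/dev/null 2>&1; then
    pkg_version=$(rpm -q --qf '%{VERSION}' flash-player)
    for so in $(rpm -ql flash-player | grep '/libflashplayer\.so$'); do
        if check_binary_version "$pkg_version" "$so"; then echo "$so: ok ($pkg_version)"; fi
    done
fi
```

A mismatch here points at a stale file on disk; the page's case, where the file was correct but Firefox still reported the old version, is a browser plugin-cache problem that this check would not flag.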
openSUSE-SU-2015:0725-1: An update that fixes 45 vulnerabilities is now available.
Category: security (important)
Bug References: 856386,901334,905032,907257,909219,913057,914333,914463,922033,927089
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569,CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442,CVE-2015-0331,CVE-2015-0332,CVE-2015-0346,CVE-2015-0347,CVE-2015-0348,CVE-2015-0349,CVE-2015-0350,CVE-2015-0351,CVE-2015-0352,CVE-2015-0353,CVE-2015-0354,CVE-2015-0355,CVE-2015-0356,CVE-2015-0357,CVE-2015-0358,CVE-2015-0359,CVE-2015-0360,CVE-2015-3038,CVE-2015-3039,CVE-2015-3040,CVE-2015-3041,CVE-2015-3042,CVE-2015-3043,CVE-2015-3044
Sources used: