Bug 958324 (CVE-2015-8045) - VUL-0: flash-player: 11.2.202.554 version (APSB15-32)
Summary: VUL-0: flash-player: 11.2.202.554 version (APSB15-32)
Status: RESOLVED FIXED
Alias: CVE-2015-8045
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assignee: Stanislav Brabec
QA Contact: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2015-8045:10.0:(AV:N/...
Reported: 2015-12-08 11:10 UTC by Marcus Meissner
Modified: 2019-05-01 16:54 UTC
Description Marcus Meissner 2015-12-08 11:10:13 UTC
Adobe released Flash Player version 11.2.202.554 for public. Please update.
Comment 1 SMASH SMASH 2015-12-08 11:41:30 UTC
An update workflow for this issue was started.

This issue was rated as "important".
Please submit fixed packages until "Dec. 15, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121102/.
Comment 2 Stanislav Brabec 2015-12-08 13:22:56 UTC
Waiting for APSA/APSB with CVE references.
Comment 3 Marcus Meissner 2015-12-09 09:22:35 UTC
https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

Release date: December 8, 2015

Last updated: December 8, 2015

Vulnerability identifier: APSB15-32

Priority: See table below

CVE number: CVE-2015-8045, CVE-2015-8047, CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8418, CVE-2015-8454, CVE-2015-8455, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8060, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8407, CVE-2015-8408, CVE-2015-8409, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8415, CVE-2015-8416, CVE-2015-8417, CVE-2015-8419, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8438, CVE-2015-8439, CVE-2015-8440, CVE-2015-8441, CVE-2015-8442, CVE-2015-8443, CVE-2015-8444, CVE-2015-8445, CVE-2015-8446, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8451, CVE-2015-8452, CVE-2015-8453

Platform: All Platforms
Summary

Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

...


Vulnerability Details

    These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-8438, CVE-2015-8446).
    These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8444, CVE-2015-8443, CVE-2015-8417, CVE-2015-8416, CVE-2015-8451, CVE-2015-8047, CVE-2015-8455, CVE-2015-8045, CVE-2015-8418, CVE-2015-8060, CVE-2015-8419, CVE-2015-8408).
    These updates resolve security bypass vulnerabilities (CVE-2015-8453, CVE-2015-8440, CVE-2015-8409).
    These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2015-8407).
    These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8439).
    These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8445).
    These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-8415).
    These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, CVE-2015-8049, CVE-2015-8437, CVE-2015-8450, CVE-2015-8449, CVE-2015-8448, CVE-2015-8436, CVE-2015-8452, CVE-2015-8048, CVE-2015-8413, CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, CVE-2015-8425, CVE-2015-8433, CVE-2015-8432, CVE-2015-8431, CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8434, CVE-2015-8435, CVE-2015-8414, CVE-2015-8454, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055, CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067, CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404, CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, CVE-2015-8401, CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

    Anonymous working with HPE's Zero Day Initiative (CVE-2015-8050, CVE-2015-8049, CVE-2015-8437, CVE-2015-8438, CVE-2015-8446)
    bee13oy, working with the Chromium Vulnerability Rewards Program (CVE-2015-8418)
    bilou working with HPE's Zero Day Initiative (CVE-2015-8450, CVE-2015-8449, CVE-2015-8448, CVE-2015-8442, CVE-2015-8447, CVE-2015-8445, CVE-2015-8439)
    Furugawa Nagisa working with HPE's Zero Day Initiative (CVE-2015-8436)
    Hui Gao of Palo Alto Networks (CVE-2015-8443, CVE-2015-8444)
    instruder of Alibaba Security Threat Information Center (CVE-2015-8060, CVE-2015-8408, CVE-2015-8419)
    Jie Zeng of Qihoo 360 (CVE-2015-8415, CVE-2015-8416, CVE-2015-8417)
    LMX of Qihoo 360 (CVE-2015-8451, CVE-2015-8452)
    Natalie Silvanovich of Google Project Zero (CVE-2015-8048, CVE-2015-8413, CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, CVE-2015-8425, CVE-2015-8433, CVE-2015-8432, CVE-2015-8431, CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8434)
    Nicolas Joly of Microsoft Security (CVE-2015-8414, CVE-2015-8435)
    VUPEN working with HPE's Zero Day Initiative (CVE-2015-8453)
    willJ of Tencent PC Manager (CVE-2015-8407)
    Yuki Chen of Qihoo 360 Vulcan Team (CVE-2015-8454, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055, CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067, CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404, CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, CVE-2015-8401, CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8440, CVE-2015-8409, CVE-2015-8047, CVE-2015-8455, CVE-2015-8045, CVE-2015-8441)

Revisions

December 8, 2015: Removed CVE-2015-8051, CVE-2015-8052 and CVE-2015-8053 (all were previously assigned).  Added CVE-2015-8418 (replacement for CVE-2015-8051), CVE-2015-8454 (replacement for CVE-2015-8052) and CVE-2015-8455 (replacement for CVE-2015-8053).  Also removed CVE-2015-8054, which was mistakenly included in the original bulletin.
Comment 5 Marcus Meissner 2015-12-09 10:16:08 UTC
I have submitted opensuse and sle packages.
Comment 6 Swamp Workflow Management 2015-12-09 19:10:43 UTC
SUSE-SU-2015:2236-1: An update that fixes 77 vulnerabilities is now available.

Category: security (important)
Bug References: 958324
CVE References: CVE-2015-8045,CVE-2015-8047,CVE-2015-8048,CVE-2015-8049,CVE-2015-8050,CVE-2015-8055,CVE-2015-8056,CVE-2015-8057,CVE-2015-8058,CVE-2015-8059,CVE-2015-8060,CVE-2015-8061,CVE-2015-8062,CVE-2015-8063,CVE-2015-8064,CVE-2015-8065,CVE-2015-8066,CVE-2015-8067,CVE-2015-8068,CVE-2015-8069,CVE-2015-8070,CVE-2015-8071,CVE-2015-8401,CVE-2015-8402,CVE-2015-8403,CVE-2015-8404,CVE-2015-8405,CVE-2015-8406,CVE-2015-8407,CVE-2015-8408,CVE-2015-8409,CVE-2015-8410,CVE-2015-8411,CVE-2015-8412,CVE-2015-8413,CVE-2015-8414,CVE-2015-8415,CVE-2015-8416,CVE-2015-8417,CVE-2015-8418,CVE-2015-8419,CVE-2015-8420,CVE-2015-8421,CVE-2015-8422,CVE-2015-8423,CVE-2015-8424,CVE-2015-8425,CVE-2015-8426,CVE-2015-8427,CVE-2015-8428,CVE-2015-8429,CVE-2015-8430,CVE-2015-8431,CVE-2015-8432,CVE-2015-8433,CVE-2015-8434,CVE-2015-8435,CVE-2015-8436,CVE-2015-8437,CVE-2015-8438,CVE-2015-8439,CVE-2015-8440,CVE-2015-8441,CVE-2015-8442,CVE-2015-8443,CVE-2015-8444,CVE-2015-8445,CVE-2015-8446,CVE-2015-8447,CVE-2015-8448,CVE-2015-8449,CVE-2015-8450,CVE-2015-8451,CVE-2015-8452,CVE-2015-8453,CVE-2015-8454,CVE-2015-8455
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src):    flash-player-11.2.202.554-0.29.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    flash-player-11.2.202.554-0.29.1
Comment 7 Swamp Workflow Management 2015-12-10 11:10:41 UTC
openSUSE-SU-2015:2239-1: An update that fixes 77 vulnerabilities is now available.

Category: security (important)
Bug References: 958324
CVE References: CVE-2015-8045,CVE-2015-8047,CVE-2015-8048,CVE-2015-8049,CVE-2015-8050,CVE-2015-8055,CVE-2015-8056,CVE-2015-8057,CVE-2015-8058,CVE-2015-8059,CVE-2015-8060,CVE-2015-8061,CVE-2015-8062,CVE-2015-8063,CVE-2015-8064,CVE-2015-8065,CVE-2015-8066,CVE-2015-8067,CVE-2015-8068,CVE-2015-8069,CVE-2015-8070,CVE-2015-8071,CVE-2015-8401,CVE-2015-8402,CVE-2015-8403,CVE-2015-8404,CVE-2015-8405,CVE-2015-8406,CVE-2015-8407,CVE-2015-8408,CVE-2015-8409,CVE-2015-8410,CVE-2015-8411,CVE-2015-8412,CVE-2015-8413,CVE-2015-8414,CVE-2015-8415,CVE-2015-8416,CVE-2015-8417,CVE-2015-8418,CVE-2015-8419,CVE-2015-8420,CVE-2015-8421,CVE-2015-8422,CVE-2015-8423,CVE-2015-8424,CVE-2015-8425,CVE-2015-8426,CVE-2015-8427,CVE-2015-8428,CVE-2015-8429,CVE-2015-8430,CVE-2015-8431,CVE-2015-8432,CVE-2015-8433,CVE-2015-8434,CVE-2015-8435,CVE-2015-8436,CVE-2015-8437,CVE-2015-8438,CVE-2015-8439,CVE-2015-8440,CVE-2015-8441,CVE-2015-8442,CVE-2015-8443,CVE-2015-8444,CVE-2015-8445,CVE-2015-8446,CVE-2015-8447,CVE-2015-8448,CVE-2015-8449,CVE-2015-8450,CVE-2015-8451,CVE-2015-8452,CVE-2015-8453,CVE-2015-8454,CVE-2015-8455
Sources used:
openSUSE 13.2 NonFree (src):    flash-player-11.2.202.554-2.82.1
openSUSE 13.1 NonFree (src):    flash-player-11.2.202.554-147.1
Comment 8 Marcus Meissner 2015-12-10 11:37:53 UTC
released
Comment 9 Swamp Workflow Management 2015-12-10 14:10:32 UTC
SUSE-SU-2015:2247-1: An update that fixes 77 vulnerabilities is now available.

Category: security (important)
Bug References: 958324
CVE References: CVE-2015-8045,CVE-2015-8047,CVE-2015-8048,CVE-2015-8049,CVE-2015-8050,CVE-2015-8055,CVE-2015-8056,CVE-2015-8057,CVE-2015-8058,CVE-2015-8059,CVE-2015-8060,CVE-2015-8061,CVE-2015-8062,CVE-2015-8063,CVE-2015-8064,CVE-2015-8065,CVE-2015-8066,CVE-2015-8067,CVE-2015-8068,CVE-2015-8069,CVE-2015-8070,CVE-2015-8071,CVE-2015-8401,CVE-2015-8402,CVE-2015-8403,CVE-2015-8404,CVE-2015-8405,CVE-2015-8406,CVE-2015-8407,CVE-2015-8408,CVE-2015-8409,CVE-2015-8410,CVE-2015-8411,CVE-2015-8412,CVE-2015-8413,CVE-2015-8414,CVE-2015-8415,CVE-2015-8416,CVE-2015-8417,CVE-2015-8418,CVE-2015-8419,CVE-2015-8420,CVE-2015-8421,CVE-2015-8422,CVE-2015-8423,CVE-2015-8424,CVE-2015-8425,CVE-2015-8426,CVE-2015-8427,CVE-2015-8428,CVE-2015-8429,CVE-2015-8430,CVE-2015-8431,CVE-2015-8432,CVE-2015-8433,CVE-2015-8434,CVE-2015-8435,CVE-2015-8436,CVE-2015-8437,CVE-2015-8438,CVE-2015-8439,CVE-2015-8440,CVE-2015-8441,CVE-2015-8442,CVE-2015-8443,CVE-2015-8444,CVE-2015-8445,CVE-2015-8446,CVE-2015-8447,CVE-2015-8448,CVE-2015-8449,CVE-2015-8450,CVE-2015-8451,CVE-2015-8452,CVE-2015-8453,CVE-2015-8454,CVE-2015-8455
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    flash-player-11.2.202.554-114.1
SUSE Linux Enterprise Workstation Extension 12 (src):    flash-player-11.2.202.554-114.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    flash-player-11.2.202.554-114.1
SUSE Linux Enterprise Desktop 12 (src):    flash-player-11.2.202.554-114.1