Bug 370215 (CVE-2011-2107) - <www-plugins/adobe-flash-10.3.181.26: Multiple vulnerabilities (CVE-2011-{2107,2110})
Status: RESOLVED FIXED
Alias: CVE-2011-2107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 371709
Depends on:
Blocks:
 
Reported: 2011-06-06 01:44 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-13 23:54 UTC (History)
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-06 01:44:19 UTC
From $URL:

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe expects to make available an update for Flash Player 10.3.185.22 for Android during the week of June 6, 2011.
Comment 1 Marius Brehler 2011-06-09 20:34:54 UTC
Adobe released flash player version 10.3.181.22, which should fix this issue. Wouldn't a version bump be useful?
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-06-10 04:24:44 UTC
(In reply to comment #1)
> Adobe released flash player version 10.3.181.22, which should fix this issue.
> Wouldn't a version bump be useful?

Yes, of course, if I weren't out of the country this week.

I hope just renaming the latest ebuild should work, so please give this a shot and bump this package for me if possible. I probably won't be able to get to it for another week yet.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-06-10 14:14:45 UTC
(In reply to comment #2)
> I hope just renaming the latest ebuild should work, so please give this a shot
> and bump this package for me if possible. I probably won't be able to get to it
> for another week yet.

This worked for me (amd64 w/ hardened userland).

@desktop-misc, would you mind bumping while Jim is out of pocket?
Comment 4 Marius Brehler 2011-06-10 19:36:29 UTC
Worked for me too (amd64).
Comment 5 Olivier Calle 2011-06-14 18:30:42 UTC
Renamed ebuild to version 10.3.181.22 and emerged on x86.  Flash works in Firefox.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-14 18:35:28 UTC
+*adobe-flash-10.3.181.22 (14 Jun 2011)
+
+  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
+  Non-maintainer commit: Version bump for security bug 370215
+
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-14 18:36:21 UTC
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.3.181.22
Target keywords : "amd64 x86"
Comment 8 John Gibson 2011-06-14 21:50:59 UTC
Unfortunately it looks like Adobe just released another update to version 10.3.181.26:
http://www.adobe.com/support/security/bulletins/apsb11-18.html

We may want to move directly to this version rather than bothering to test and stabilize 10.3.181.22.
Comment 9 Olivier Calle 2011-06-14 22:15:26 UTC
FYI: Renamed ebuild to version 10.3.181.26 and emerged, again :-), on x86.  Flash still works in Firefox.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-15 08:41:29 UTC
Arches, target update:

Arches, please test and mark stable:
=www-plugins/adobe-flash-10.3.181.26
Target keywords : "amd64 x86"
Comment 11 Tony Vroon (RETIRED) gentoo-dev 2011-06-15 12:29:29 UTC
*** Bug 371709 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-06-16 04:41:40 UTC
x86 stable
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2011-06-16 09:22:53 UTC
amd64:

amd64 ok
Comment 14 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-06-16 17:23:31 UTC
(In reply to comment #6)
> +  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
> +  Non-maintainer commit: Version bump for security bug 370215

Thanks very much, Alex!

I'm back around now but I truly appreciate you (and all those users doing the testing) while I was away.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-17 08:45:10 UTC
(In reply to comment #14)
> (In reply to comment #6)
> > +  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
> > +  Non-maintainer commit: Version bump for security bug 370215
> 
> Thanks very much, Alex!
> 
> I'm back around now but I truly appreciate you (and all those users doing the
> testing) while I was away.

np :)

amd64: ping, please mark the ebuild stable. The current stable 10.3 distfile is no longer available from adobe. As an AT already tested it, I shall mark it stable tonight if you didn't get to it yet.
Comment 16 Agostino Sarubbo gentoo-dev 2011-06-17 12:01:05 UTC
(In reply to comment #15)
> As an AT already tested it, I shall mark it stable tonight if you didn't get to
> it yet.

Do it, works also for me ;)
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-17 14:09:56 UTC
+  17 Jun 2011; Alex Legler <a3li@gentoo.org>
+  -adobe-flash-10.3.181.14-r1.ebuild, adobe-flash-10.3.181.26.ebuild:
+  amd64 stable for security bug 370215; removing vulnerable version
+
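Review bot: the removal list in this ChangeLog entry drops only adobe-flash-10.3.181.14-r1.ebuild, but adobe-flash-10.3.181.22.ebuild added in comment 6 is also below the 10.3.181.26 update that comment 8 points to, so it is still a vulnerable version in the tree; either remove it in the same commit ("-adobe-flash-10.3.181.22.ebuild" alongside the -r1 removal) or note in the entry where it was dropped.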

Added to existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:29:06 UTC
CVE-2011-2110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110):
  Adobe Flash Player before 10.3.181.26 on Windows, Mac OS X, Linux, and
  Solaris, and 10.3.185.23 and earlier on Android, allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, as exploited in the wild in June 2011.

CVE-2011-2107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107):
  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before
  10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and
  earlier on Android, allows remote attackers to inject arbitrary web script
  or HTML via unspecified vectors, related to a "universal cross-site
  scripting vulnerability."
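As an added example (not code from this bug, from Adobe, or from the Gentoo tree), a POSIX shell check that maps an installed www-plugins/adobe-flash version onto the fixed-in versions quoted in comment 18. It assumes Portage's installed-package database lives at /var/db/pkg and that Flash versions are purely numeric dotted strings; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from this bug or the Gentoo tree: check whether an installed
# www-plugins/adobe-flash version is still below the fix versions given in
# comment 18 (10.3.181.22 for CVE-2011-2107, 10.3.181.26 for CVE-2011-2110).
# Assumes purely numeric dotted versions, as Adobe's Flash versions are.

# verlt A B: succeeds (exit 0) when version A is strictly lower than B,
# comparing numerically component by component; missing components count as 0.
verlt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# flash_status VERSION: prints the CVEs from this bug that VERSION is still
# exposed to, or "fixed" once it reaches 10.3.181.26.
flash_status() {
    out=""
    if verlt "$1" 10.3.181.22; then out="CVE-2011-2107"; fi
    if verlt "$1" 10.3.181.26; then out="${out:+$out }CVE-2011-2110"; fi
    echo "${out:-fixed}"
}

# installed_flash_versions [VDB]: lists adobe-flash versions recorded in the
# Portage installed-package database (assumed at /var/db/pkg), with the Gentoo
# revision suffix (the -r1 of 10.3.181.14-r1) stripped before comparison.
installed_flash_versions() {
    vdb="${1:-/var/db/pkg}"
    for d in "$vdb"/www-plugins/adobe-flash-*; do
        [ -d "$d" ] || continue
        v="${d##*/adobe-flash-}"
        echo "${v%%-r*}"
    done
}

# Report on whatever is installed on this host (prints nothing if absent).
for v in $(installed_flash_versions "${1:-}"); do
    echo "www-plugins/adobe-flash-$v: $(flash_status "$v")"
done
```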
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 23:54:08 UTC
This issue was resolved and addressed in
 GLSA 201110-11 at http://security.gentoo.org/glsa/glsa-201110-11.xml
by GLSA coordinator Tim Sammut (underling).