From upstream advisory at $URL: Summary Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions: Users of Adobe Flash Player 11.2.202.235 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.257. Users of Adobe Flash Player 11.2.202.235 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.236.
11.2.202.236 added to CVS.
Thanks, Tim. Arches, please test and mark stable: =www-plugins/adobe-flash-11.2.202.236 Target keywords : "amd64 x86"
x86 stable
amd64 stable
Thanks, folks. Added to existing GLSA request.
CVE-2012-2040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040): Untrusted search path vulnerability in the installer in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows local users to gain privileges via a Trojan horse executable file in an unspecified directory. CVE-2012-2039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039): Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via unspecified vectors. CVE-2012-2038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038): Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. CVE-2012-2037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037): Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2034. CVE-2012-2036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036): Integer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors. CVE-2012-2035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035): Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors. CVE-2012-2034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034): Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037.
This issue was resolved and addressed in GLSA 201206-21 at http://security.gentoo.org/glsa/glsa-201206-21.xml by GLSA coordinator Sean Amoss (ackle).