Bug 586044 (APSA16-03, CVE-2016-4171) - <www-plugins/adobe-flash-11.2.202.626: Critical vulnerability (CVE-2016-{4120,4171})
Status: RESOLVED FIXED
Alias: APSA16-03, CVE-2016-4171
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: A2 [glsa cve]
Reported: 2016-06-15 18:14 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-22 03:55 UTC

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-15 18:14:47 UTC
APSA16-03: Security advisory for Adobe Flash Player

Originally posted: June 14, 2016

Summary:
A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-16 15:10:44 UTC
CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-16 15:12:54 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.626
Targeted stable KEYWORDS : amd64 x86
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-17 12:38:06 UTC
(In reply to Jeroen Roovers from comment #1)
> CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127,
> CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132,
> CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137,
> CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142,
> CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147,
> CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152,
> CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166,
> CVE-2016-4171

All of these, except CVE-2016-4171, apply to Microsoft IE and Edge browsers.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 12:40:24 UTC
CVE-2016-4171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4171):
  Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier
  allows remote attackers to execute arbitrary code via unknown vectors, as
  exploited in the wild in June 2016.

CVE-2016-4120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4120):
  Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0.0.242
  on Windows and OS X and before 11.2.202.621 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-1096,
  CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104,
  CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
  CVE-2016-4115, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, and
  CVE-2016-4163.
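The version ranges quoted in the two NVD entries above, together with the fixed Gentoo package version from comment 2 (11.2.202.626, shipped in GLSA 201606-08), are enough to decide whether a given Flash install is still exposed. The script below is an added example written for this page; it is not code from the bug, from Gentoo's tooling or from Adobe. The function names, the platform labels ("linux", "windows", "osx") and the sample inventory are all constructed for illustration. One caveat it encodes: the Linux NPAPI plugin is numbered on the 11.2.202 branch, so the advisory's "21.0.0.242 and earlier" cannot be applied to it by plain numeric comparison (the fixed 11.2.202.626 build would be flagged as vulnerable); on Linux the check therefore uses the Gentoo fix version as the CVE-2016-4171 threshold.

```python
# Added example (not part of the Gentoo bug or of Adobe's advisory): decide whether an
# installed Flash Player version falls inside the affected ranges quoted on this page.
# Thresholds taken from the bug: 21.0.0.242 (APSA16-03 / CVE-2016-4171), 18.0.0.352 and
# 11.2.202.621 (NVD text for CVE-2016-4120), and 11.2.202.626 (the Gentoo package version
# stabilised for this bug). Platform labels and function names are assumptions.
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted Flash version such as '11.2.202.626' into a comparable int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cve_2016_4120(version: str, platform: str) -> bool:
    """NVD wording from comment 4: before 18.0.0.352 and 19.x through 21.x before
    21.0.0.242 on Windows and OS X; before 11.2.202.621 on Linux."""
    v = parse_version(version)
    if platform == "linux":
        return v < (11, 2, 202, 621)
    if platform in ("windows", "osx"):
        # (19,) <= v covers every 19.x, 20.x and 21.x build below the fixed version.
        return v < (18, 0, 0, 352) or (19,) <= v < (21, 0, 0, 242)
    raise ValueError(f"unknown platform {platform!r}")


def affected_cve_2016_4171(version: str, platform: str) -> bool:
    """APSA16-03: 21.0.0.242 and earlier. The Linux NPAPI plugin lives on the 11.2.202
    branch, so comparing it against 21.0.0.242 would flag even the fixed Linux build;
    on Linux we compare against the Gentoo fix version 11.2.202.626 instead."""
    v = parse_version(version)
    if platform == "linux":
        return v < (11, 2, 202, 626)
    if platform in ("windows", "osx"):
        return v <= (21, 0, 0, 242)
    raise ValueError(f"unknown platform {platform!r}")


def flash_exposure(version: str, platform: str) -> Dict[str, bool]:
    """Which of the two CVEs tracked in this bug still apply to the given install."""
    return {
        "CVE-2016-4120": affected_cve_2016_4120(version, platform),
        "CVE-2016-4171": affected_cve_2016_4171(version, platform),
    }


if __name__ == "__main__":
    # Constructed sample inventory (host, platform, version); not real hosts.
    inventory = [
        ("ws01", "linux", "11.2.202.616"),
        ("ws02", "linux", "11.2.202.621"),   # fixed for CVE-2016-4120 only
        ("ws03", "linux", "11.2.202.626"),   # the version stabilised in this bug
        ("ws04", "windows", "21.0.0.242"),
        ("ws05", "osx", "19.0.0.185"),
    ]
    for host, platform, version in inventory:
        open_cves = [cve for cve, hit in flash_exposure(version, platform).items() if hit]
        print(f"{host:5} {platform:8} {version:14} {', '.join(open_cves) or 'ok'}")
```

Note that 11.2.202.621 is reported as closed for CVE-2016-4120 but still open for CVE-2016-4171, which is exactly why this bug stabilised 11.2.202.626 rather than leaving the earlier build in place.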
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-17 23:30:29 UTC
New GLSA request filed.
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-18 08:47:31 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-18 08:47:58 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-06-18 23:51:13 UTC
This issue was resolved and addressed in
 GLSA 201606-08 at https://security.gentoo.org/glsa/201606-08
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-18 23:52:12 UTC
Reopening for cleanup
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-06-22 03:55:50 UTC
Cleanup complete.