
Bug 307749

Summary: <www-plugins/adobe-flash-10.0.45.2: Multiple Vulnerabilities (CVE-2010-{0186,0187})
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alx333, desktop-misc, gentoo, kfm, lack
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.adobe.com/support/security/bulletins/apsb10-06.html
Whiteboard: A3 [glsa wait]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:34:33 UTC
CVE-2010-0186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0186):
  Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2,
  Adobe AIR before 1.5.3.9130, and Adobe Reader and Acrobat 8.x before
  8.2.1 and 9.x before 9.3.1 allows remote attackers to bypass intended
  sandbox restrictions and make cross-domain requests via unspecified
  vectors.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:38:57 UTC
CVE-2010-0187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0187):
  Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130
  allow remote attackers to cause a denial of service (application
  crash) via a modified SWF file.

Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-03-04 13:02:04 UTC
Yes, please go ahead and request stability for 10.0.45.2 at your leisure.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 13:04:37 UTC
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.0.45.2
Target keywords : "amd64 x86"
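A check for the version cut-off stated in this bug's summary ("<www-plugins/adobe-flash-10.0.45.2"), added here as an example; it is not code from the Gentoo bug, the adobe-flash ebuild or Portage. It compares dotted numeric versions component by component, which a plain string comparison gets wrong (lexically "9.0.262" sorts after "10.0.45.2"). The atom format it parses is the category/package-version form that `qlist -ICv www-plugins/adobe-flash` prints; that is an assumption, and the script takes the atom as an argument so it runs offline. Only purely numeric dotted versions are handled (no _p or -r suffixes).

```shell
#!/bin/sh
# Added example, not from the Gentoo bug or the adobe-flash ebuild.
# Fixed version from the bug summary: <www-plugins/adobe-flash-10.0.45.2
FIXED_VERSION="10.0.45.2"

# ver_lt A B: exit 0 if dotted numeric version A sorts strictly before B.
# Components are compared numerically, left to right; a missing component
# counts as 0, so "10.0.45" == "10.0.45.0" and "9.0.262" < "10.0.45.2".
# (POSIX sh has no 'local'; a, b, ac, bc are plain shell variables.)
ver_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in
            *.*) ac="${a%%.*}"; a="${a#*.}" ;;
            *)   ac="$a"; a="" ;;
        esac
        case "$b" in
            *.*) bc="${b%%.*}"; b="${b#*.}" ;;
            *)   bc="$b"; b="" ;;
        esac
        ac="${ac:-0}"; bc="${bc:-0}"
        [ "$ac" -lt "$bc" ] && return 0
        [ "$ac" -gt "$bc" ] && return 1
    done
    return 1  # versions are equal
}

# is_vulnerable VERSION: exit 0 when VERSION is below this bug's cut-off.
is_vulnerable() {
    ver_lt "$1" "$FIXED_VERSION"
}

# atom_version ATOM: strip "category/adobe-flash-" and an optional ":slot"
# suffix from an installed-package atom such as
# "www-plugins/adobe-flash-10.0.42.34" (assumed qlist -ICv output format).
atom_version() {
    v="${1##*/adobe-flash-}"
    printf '%s\n' "${v%%:*}"
}

# Demonstration on constructed atoms (the two versions named in this bug,
# the older 9.x branch, and a later 10.1 release). To check a real system,
# pass the output of `qlist -ICv www-plugins/adobe-flash` instead.
for atom in www-plugins/adobe-flash-10.0.42.34 \
            www-plugins/adobe-flash-9.0.262 \
            www-plugins/adobe-flash-10.0.45.2 \
            www-plugins/adobe-flash-10.1.53.64; do
    ver="$(atom_version "$atom")"
    if is_vulnerable "$ver"; then
        echo "$atom: affected (< $FIXED_VERSION per bug 307749)"
    else
        echo "$atom: at or above this bug's cut-off"
    fi
done
```

The cut-off encodes only what this bug states; comment 8 below reports that 10.0.45.2 itself was later covered by APSA10-01 and tracked in separate bugs, so a check like this has to be updated with each advisory rather than treated as proof that a version is safe.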
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-04 13:42:09 UTC
x86 stable
Comment 5 Pacho Ramos gentoo-dev 2010-03-04 14:12:23 UTC
amd64 stable
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 14:21:53 UTC
lack: Please remove old versions.

GLSA vote: NO and with that overriding A3. The information on the 0186 issue is very vague, 0187 is a client crash.
Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-03-04 19:37:19 UTC
Old version 10.0.42.34 is removed.
Comment 8 allein 2010-06-05 09:12:38 UTC
Adobe Flash Player 10.0.45.2, 9.0.262, and earlier also vulnerable
(http://www.adobe.com/support/security/advisories/apsa10-01.html)
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-05 13:59:04 UTC
(In reply to comment #8)
> Adobe Flash Player 10.0.45.2, 9.0.262, and earlier also vulnerable
> (http://www.adobe.com/support/security/advisories/apsa10-01.html)
> 

Thanks, filed bug 322855 and bug 322857 for tracking.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-21 17:20:09 UTC
This is GLSA 201101-09; thank you.