Bug 307749 - <www-plugins/adobe-flash-10.0.45.2: Multiple Vulnerabilities (CVE-2010-{0186,0187})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A3 [glsa wait]
Reported: 2010-03-04 11:34 UTC by Alex Legler (RETIRED)
Modified: 2015-01-10 16:30 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:34:33 UTC
CVE-2010-0186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0186):
  Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2,
  Adobe AIR before 1.5.3.9130, and Adobe Reader and Acrobat 8.x before
  8.2.1 and 9.x before 9.3.1 allows remote attackers to bypass intended
  sandbox restrictions and make cross-domain requests via unspecified
  vectors.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:38:57 UTC
CVE-2010-0187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0187):
  Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130
  allow remote attackers to cause a denial of service (application
  crash) via a modified SWF file.

Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-03-04 13:02:04 UTC
Yes, please go ahead and request stability for 10.0.45.2 at your leisure.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 13:04:37 UTC
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.0.45.2
Target keywords : "amd64 x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-04 13:42:09 UTC
x86 stable
Comment 5 Pacho Ramos gentoo-dev 2010-03-04 14:12:23 UTC
amd64 stable
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 14:21:53 UTC
lack: Please remove old versions.

GLSA vote: NO and with that overriding A3. The information on the 0186 issue is very vague, 0187 is a client crash.
Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-03-04 19:37:19 UTC
Old version 10.0.42.34 is removed.
Comment 8 allein 2010-06-05 09:12:38 UTC
Adobe Flash Player 10.0.45.2, 9.0.262, and earlier also vulnerable
(http://www.adobe.com/support/security/advisories/apsa10-01.html)
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-05 13:59:04 UTC
(In reply to comment #8)
> Adobe Flash Player 10.0.45.2, 9.0.262, and earlier also vulnerable
> (http://www.adobe.com/support/security/advisories/apsa10-01.html)
> 

Thanks, filed bug 322855 and bug 322857 for tracking.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-21 17:20:09 UTC
This is GLSA 201101-09; thank you.