| Summary: | <www-plugins/adobe-flash-11.2.202.394 - multiple vulnerabilities (CVE-2014-{0537,0539,4671}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | desktop-misc, jer |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://helpx.adobe.com/security/products/flash-player/apsb14-17.html | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
Arch teams, please test and mark stable: =www-plugins/adobe-flash-11.2.202.394 Targeted stable KEYWORDS : amd64 x86 amd64 stable x86 stable Cleanup, please! glsa request filed Cleanup done by Jer. This issue was resolved and addressed in GLSA 201407-02 at http://security.gentoo.org/glsa/glsa-201407-02.xml by GLSA coordinator Mikle Kolyada (Zlogene). CVE-2014-4671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4671): Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. CVE-2014-0539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0539): Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0537. CVE-2014-0537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0537): Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0539. |
From ${URL} : Security updates available for Adobe Flash Player Release date: July 8, 2014 Vulnerability identifier: APSB14-17 Priority: See table below CVE number: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671 Platform: All Platforms Summary: Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions: Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394. Affected software versions: Adobe Flash Player 11.2.202.378 and earlier versions for Linux @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.