204344 – net-www/netscape-flash <9.0.124.0 Multiple vulnerabilities (CVE-2007-{0071,5275,6019,6243,6637}, CVE-2008-{1654,1655})

Bug 204344 - net-www/netscape-flash <9.0.124.0 Multiple vulnerabilities (CVE-2007-{0071,5275,6019,6243,6637}, CVE-2008-{1654,1655})

Summary: net-www/netscape-flash <9.0.124.0 Multiple vulnerabilities (CVE-2007-{0071,52...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://www.adobe.com/support/security...
Whiteboard:	A2 [glsa]
Keywords:

Duplicates (1):	217029 (view as bug list)
Depends on:
Blocks:

Reported:	2008-01-04 22:52 UTC by Robert Buchholz (RETIRED)
Modified:	2008-04-18 14:15 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-01-04 22:52:16 UTC

CVE-2007-6637 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637):
  Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player
  allow remote attackers to inject arbitrary web script or HTML via a crafted
  SWF file, related to "pre-generated SWF files" and Adobe Dreamweaver CS3 or
  Adobe Acrobat Connect.  NOTE: the asfunction: vector is already covered by
  CVE-2007-6244.1.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-01-04 22:53:19 UTC

Jim, please keep an eye on a new release.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-02-26 20:50:02 UTC

Any news on this one?

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2008-04-09 10:00:05 UTC

9.0.124 is out, http://www.adobe.com/support/security/bulletins/apsb08-11.html describes all fixed vulnerabilities.

Comment 4 Jim Ramsay (lack) (RETIRED) gentoo-dev

2008-04-09 15:52:37 UTC

Thanks for the heads-up.  Just put 9.0.124.0 in the tree.  I think we should push for stabilization soon, maybe a day or two just in case something is seriously wrong with the RPM.

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2008-04-09 15:54:29 UTC

*** Bug 217029 has been marked as a duplicate of this bug. ***

Comment 6 Jim Ramsay (lack) (RETIRED) gentoo-dev

2008-04-15 17:32:18 UTC

Okay, I haven't had any bug reports yet (and with closed-source SW like this, it's not like I would be able to do much if there *were* bugs anyway) so I decree it's time to stabilize it.

Adding x86 arch team.  As per current policy, I have stabilized on amd64 myself.

Comment 7 Markus Meier gentoo-dev

2008-04-17 01:08:34 UTC

x86 stable, last arch.

Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev

2008-04-17 10:39:43 UTC

GLSA request filed

Comment 9 Robert Buchholz (RETIRED) gentoo-dev

2008-04-18 14:15:48 UTC

GLSA 200804-21