This update addresses critical vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6. Reproducible: Always
Please bump: 11.1.102.62
*** Bug 404181 has been marked as a duplicate of this bug. ***
FWIW, renaming the existing ebuild (and computing its digest) appears to work perfectly.
CVE-2012-0767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767): Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012. CVE-2012-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756): Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0755. CVE-2012-0755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755): Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0756. CVE-2012-0754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754): Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. CVE-2012-0753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753): Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted MP4 data. CVE-2012-0752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752): Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via leveraging an unspecified "type confusion."
11.1.102.62 added to CVS, feel free to start the stabilization process.
(In reply to comment #5) > 11.1.102.62 added to CVS, feel free to start the stabilization process. Great, thank you. Arches, please test and mark stable: =www-plugins/adobe-flash-11.1.102.62 Target keywords : "amd64 x86"
x86 stable
amd64 stable
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201204-07 at http://security.gentoo.org/glsa/glsa-201204-07.xml by GLSA coordinator Sean Amoss (ackle).
