Bug 516750 (CVE-2014-0537) - <www-plugins/adobe-flash-11.2.202.394 - multiple vulnerabilities (CVE-2014-{0537,0539,4671})
Status: RESOLVED FIXED
Alias: CVE-2014-0537
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://helpx.adobe.com/security/produ...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-09 09:45 UTC by Agostino Sarubbo
Modified: 2014-08-10 20:43 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-07-09 09:45:57 UTC
From ${URL} :

Security updates available for Adobe Flash Player
Release date: July 8, 2014

Vulnerability identifier: APSB14-17

Priority: See table below

CVE number: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671

Platform: All Platforms

Summary:
Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for 
Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These 
updates address vulnerabilities that could potentially allow an attacker to take control of the 
affected system. Adobe recommends users update their product installations to the latest versions:

Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe 
Flash Player 11.2.202.394.


Affected software versions:

Adobe Flash Player 11.2.202.378 and earlier versions for Linux


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2014-07-09 11:54:24 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.394
Targeted stable KEYWORDS : amd64 x86
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-07-09 12:40:59 UTC
amd64 stable
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-07-09 12:41:54 UTC
x86 stable

Cleanup, please!

glsa request filed
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-07-09 13:07:15 UTC
Cleanup done by Jer.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-07-09 15:23:24 UTC
This issue was resolved and addressed in
 GLSA 201407-02 at http://security.gentoo.org/glsa/glsa-201407-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 20:43:19 UTC
CVE-2014-4671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4671):
  Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows
  and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on
  Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler
  before 14.0.0.137 do not properly restrict the SWF file format, which allows
  remote attackers to conduct cross-site request forgery (CSRF) attacks
  against JSONP endpoints, and obtain sensitive information, via a crafted
  OBJECT element with SWF content satisfying the character-set requirements of
  a callback API.

CVE-2014-0539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0539):
  Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows
  and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on
  Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler
  before 14.0.0.137 allow attackers to bypass intended access restrictions via
  unspecified vectors, a different vulnerability than CVE-2014-0537.

CVE-2014-0537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0537):
  Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows
  and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on
  Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler
  before 14.0.0.137 allow attackers to bypass intended access restrictions via
  unspecified vectors, a different vulnerability than CVE-2014-0539.