Bug 1004019 - VUL-0: flash-player: 11.2.202.637 version
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-6984:6.8:(AV:N...
Depends on: 1003993
Reported: 2016-10-11 08:17 UTC by Marcus Meissner
Modified: 2016-10-13 14:23 UTC (History)
Description Marcus Meissner 2016-10-11 08:17:37 UTC
I just got 11.2.202.637 from the Adobe yum repository.

No PSIRT announcement yet.
Comment 2 Marcus Meissner 2016-10-11 16:50:25 UTC
https://helpx.adobe.com/security/products/flash-player/apsb16-32.html


Security updates available for Adobe Flash Player

Release date: October 11, 2016

Vulnerability identifier: APSB16-32

Priority: See table below

CVE number: CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992

Platform: Windows, Macintosh, Linux and ChromeOS

Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

...


Vulnerability Details

    These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-6992). 
    These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-6981, CVE-2016-6987). 
    These updates resolve a security bypass vulnerability (CVE-2016-4286). 
    These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990).

Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

    Tao Yan (@Ga1ois) of Palo Alto Networks (CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985) 
    b0nd@Garage4Hackers working with Trend Micro's Zero Day Initiative (CVE-2016-6986) 
    willJ of Tencent PC Manager (CVE-2016-6989) 
    JieZeng of Tencent Zhanlu Lab working with the Chromium Vulnerability Rewards Program (CVE-2016-6992) 
    Jie Zeng of Tencent Zhanlu Lab (CVE-2016-6990) 
    bo13oy of CloverSec Labs working with the Chromium Vulnerability Rewards Program (CVE-2016-6981) 
    Akitsu Madoka working with Trend Micro's Zero Day Initiative (CVE-2016-6987) 
    Francis Provencher from COSIG (CVE-2016-4273) 
    Jordy Kersten (CVE-2016-4286)
Comment 4 Stanislav Brabec 2016-10-11 18:00:48 UTC
They changed download URL again.
Comment 5 Stanislav Brabec 2016-10-11 18:26:00 UTC
Submitted:

openSUSE:Maintenance: request 434375
SUSE:SLE-12:Update: request 122652
Comment 6 Bernhard Wiedemann 2016-10-11 20:01:07 UTC
This is an autogenerated message for OBS integration:
This bug (1004019) was mentioned in
https://build.opensuse.org/request/show/434378 13.1:NonFree / flash-player
Comment 7 Swamp Workflow Management 2016-10-11 22:01:22 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2016-10-12 15:09:22 UTC
SUSE-SU-2016:2512-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1003993,1004019
CVE References: CVE-2016-4273,CVE-2016-4286,CVE-2016-6981,CVE-2016-6982,CVE-2016-6983,CVE-2016-6984,CVE-2016-6985,CVE-2016-6986,CVE-2016-6987,CVE-2016-6989,CVE-2016-6990,CVE-2016-6992
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    flash-player-11.2.202.637-143.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    flash-player-11.2.202.637-143.1
Comment 9 Andreas Stieger 2016-10-12 15:22:43 UTC
releasing for 13.2, closing
Comment 10 Swamp Workflow Management 2016-10-12 19:08:28 UTC
openSUSE-SU-2016:2517-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003993,1004019
CVE References: CVE-2016-4273,CVE-2016-4286,CVE-2016-6981,CVE-2016-6982,CVE-2016-6983,CVE-2016-6984,CVE-2016-6985,CVE-2016-6986,CVE-2016-6987,CVE-2016-6989,CVE-2016-6990,CVE-2016-6992
Sources used:
openSUSE 13.1 NonFree (src):    flash-player-11.2.202.637-174.1
Comment 11 Swamp Workflow Management 2016-10-12 19:08:54 UTC
openSUSE-SU-2016:2519-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003993,1004019
CVE References: CVE-2016-4273,CVE-2016-4286,CVE-2016-6981,CVE-2016-6982,CVE-2016-6983,CVE-2016-6984,CVE-2016-6985,CVE-2016-6986,CVE-2016-6987,CVE-2016-6989,CVE-2016-6990,CVE-2016-6992
Sources used:
openSUSE 13.2 NonFree (src):    flash-player-11.2.202.637-2.112.1
Comment 12 Stanislav Brabec 2016-10-13 14:23:17 UTC
The download URL changed again today.

2717 in the update.sh URL needs to change to 2719. If it happens again, we will probably need to parse https://get.adobe.com/flashplayer/otherversions/ to get the secondary URL.