Bug 808973 - VUL-0: flash-player: security release 11.2.202.275 (APSB13-09)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Critical
Assigned To: Security Team bot
maint:released:sle11-sp2:51625
Reported: 2013-03-12 17:04 UTC by Marcus Meissner
Modified: 2013-03-14 22:04 UTC (History)
Description Marcus Meissner 2013-03-12 17:04:31 UTC
Is public, via Adobe PSIRT blog

http://www.adobe.com/support/security/bulletins/apsb13-09.html

Release date: March 12, 2013

Vulnerability identifier: APSB13-09

Priority: See Table Below

CVE number: CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375

Platform: All Platforms
Summary

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:
...

Users of Adobe Flash Player 11.2.202.273 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.275.

...

Details

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

    Users of Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.6.602.180.
    Users of Adobe Flash Player 11.2.202.273 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.275.
    Adobe Flash Player 11.6.602.171 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.180 for Windows, Macintosh and Linux.
    Adobe Flash Player 11.6.602.171 installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.180 for Windows.
    Users of Adobe Flash Player 11.1.115.47 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.48.
    Users of Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.44.
    Users of Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android should update to Adobe AIR 3.6.0.6090.
    Users of the Adobe AIR 3.6.0.597 SDK and earlier versions should update to the Adobe AIR 3.6.0.6090 SDK.
    Users of the Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions should update to the Adobe AIR 3.6.0.6090 SDK & Compiler.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-0646).

These updates resolve a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-1371).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).
Comment 1 Swamp Workflow Management 2013-03-12 17:05:12 UTC
The SWAMPID for this issue is 51622.
This issue was rated as critical.
Please submit fixed packages until 2013-03-14.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Stanislav Brabec 2013-03-12 18:14:22 UTC
Update finished.

Requests:
SUSE:SLE-10-SP3:Update:Test: IBS request id 24886
SUSE:SLE-11-SP1:Update:Test: IBS request id 24885
openSUSE (openSUSE:12.1:Update, openSUSE:12.2:NonFree:Update, openSUSE:12.3:NonFree:Update): OBS maintenance request id 158725
openSUSE:Factory:NonFree: OBS request id 158727
Comment 4 Bernhard Wiedemann 2013-03-12 19:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (808973) was mentioned in
https://build.opensuse.org/request/show/158727 Factory / flash-player
Comment 5 Swamp Workflow Management 2013-03-12 23:00:34 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2013-03-14 12:59:28 UTC
Update released for: flash-player
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
Comment 7 Swamp Workflow Management 2013-03-14 13:04:14 UTC
Update released for: flash-player, flash-player-gnome, flash-player-kde4
Products:
SLE-DESKTOP 11-SP2 (i386, x86_64)
Comment 8 Swamp Workflow Management 2013-03-14 16:05:19 UTC
openSUSE-SU-2013:0459-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 808973
CVE References: CVE-2013-0646,CVE-2013-0650,CVE-2013-1371,CVE-2013-1375
Sources used:
Comment 9 Marcus Meissner 2013-03-14 16:05:49 UTC
released
Comment 10 Bernhard Wiedemann 2013-03-14 18:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (808973) was mentioned in
https://build.opensuse.org/request/show/159438 Evergreen:11.2 / flash-player
Comment 11 Bernhard Wiedemann 2013-03-14 20:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (808973) was mentioned in
https://build.opensuse.org/request/show/159453 Evergreen:11.2 / flash-player
Comment 12 Swamp Workflow Management 2013-03-14 22:04:40 UTC
openSUSE-SU-2013:0464-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 808973
CVE References: CVE-2013-0646,CVE-2013-0650,CVE-2013-1371,CVE-2013-1375
Sources used: