Bugzilla – Bug 905032
VUL-0: flash-player: CVE-2014-0573 + 17 more: flash-plugin: Various vulnerabilities
Last modified: 2015-04-16 11:05:24 UTC
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583).
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1162913
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0584
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-11-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59626
Fixes submitted:
openSUSE 12.3, 13.1: OBS openSUSE:Maintenance request 261293
openSUSE:13.2:NonFree:Update: OBS openSUSE:Maintenance request 261294 (mbranch did not check 13.2)
openSUSE:Factory:NonFree: OBS submit request 261297
SLE11: IBS submit request 46199
SLE12: IBS SUSE:Maintenance request 46198
This is an autogenerated message for OBS integration: This bug (905032) was mentioned in https://build.opensuse.org/request/show/261294 13.2:NonFree / flash-player.openSUSE_13.2_NonFree https://build.opensuse.org/request/show/261297 Factory:NonFree / flash-player
SUSE-SU-2014:1442-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 905032 CVE References: CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442 Sources used: SUSE Linux Enterprise Desktop 11 SP3 (src): flash-player-11.2.202.418-0.3.1
openSUSE-SU-2014:1444-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 905032 CVE References: CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442 Sources used:
Johannes Segitz: There is no real conflict. My request is done on top of the previous submit:

-------------------------------------------------------------------
Wed Nov 12 15:34:07 UTC 2014 - sbrabec@suse.com

- Security update to 11.2.202.418 (bnc#905032):
  * APSB14-24, CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577, CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589, CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440, CVE-2014-8441, CVE-2014-8442

-------------------------------------------------------------------
Wed Oct 15 14:08:40 UTC 2014 - sbrabec@suse.com

- Security update to 11.2.202.411 (bnc#901334):
  * APSB14-22, CVE-2014-0569 (ZDI-14-365), CVE-2014-0564, CVE-2014-0558

I think it is just a technical conflict: Submitted before the previous one was accepted. I am submitting exactly the same again, just OSC info is "rebased" against the latest version.

There are only three real changes in the update:
- version number in spec
- changes file
- new tarballs

https://build.suse.de/request/show/46401
(In reply to Stanislav Brabec from comment #8) Define real/technical conflict ... ;) Anyway, that's what we needed, thank you.
OK.

Real conflict: Update was not prepared on top of previous update.

Technical conflict: Update was prepared on top of previous update, but OBS thinks that it was not prepared on top of previous update.

I guess that it can even be considered a minor bug of OBS: I did a maintenance branch, and it provided correct files to me. These files (exactly as they were) were propagated to another repository. OBS complained not because there are some different files and conflicts, but just because the same files are now in a different repository.

While fixing it, I saw for the first time an "osc ci" command that successfully committed and no files were changed.
SUSE-SU-2014:1465-1: An update that fixes 18 vulnerabilities is now available. Category: security (moderate) Bug References: 905032 CVE References: CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442 Sources used:
This is an autogenerated message for OBS integration: This bug (905032) was mentioned in https://build.opensuse.org/request/show/263245 13.2:NonFree / flash-player
Released for all products.
openSUSE-SU-2015:0725-1: An update that fixes 45 vulnerabilities is now available. Category: security (important) Bug References: 856386,901334,905032,907257,909219,913057,914333,914463,922033,927089 CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569,CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442,CVE-2015-0331,CVE-2015-0332,CVE-2015-0346,CVE-2015-0347,CVE-2015-0348,CVE-2015-0349,CVE-2015-0350,CVE-2015-0351,CVE-2015-0352,CVE-2015-0353,CVE-2015-0354,CVE-2015-0355,CVE-2015-0356,CVE-2015-0357,CVE-2015-0358,CVE-2015-0359,CVE-2015-0360,CVE-2015-3038,CVE-2015-3039,CVE-2015-3040,CVE-2015-3041,CVE-2015-3042,CVE-2015-3043,CVE-2015-3044 Sources used: