Bug 915918 - (CVE-2015-0313) VUL-0: CVE-2015-0313: flash-player: Multiple vulnerability fixed in 11.2.202.442 (APSB15-04)
Status: RESOLVED FIXED
Duplicates: 916374
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Critical
Assigned To: Security Team bot
https://smash.suse.de/issue/113431/
maint:running:60572:low maint:release...
Reported: 2015-02-03 08:01 UTC by Johannes Segitz
Modified: 2015-02-09 11:55 UTC (History)
Found By: Security Response Team
Description Johannes Segitz 2015-02-03 08:01:51 UTC
Unspecified vulnerability in Adobe Flash Player through 11.2.202.440
on Linux allows remote attackers to execute arbitrary code via unknown vectors,
as exploited in the wild in February 2015.

Currently there is no fix available.

References:
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
https://bugzilla.redhat.com/show_bug.cgi?id=1188329
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313
Comment 1 Swamp Workflow Management 2015-02-03 23:00:54 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2015-02-04 14:14:20 UTC
February 2, 2015 - removed Flash Player version 11.x from the list of affected versions.  Version 11.x and earlier do not support the functionality affected by CVE-2015-0313.   


-> Linux is not affected.

posted note to git@git.suse.de:security/cve-database.git
Comment 3 Johannes Segitz 2015-02-05 11:33:21 UTC
Linux is not affected according to http://helpx.adobe.com/security/products/flash-player/apsa15-02.html, but there is a new version available for Linux: 11.2.202.442

Couldn't find any information on what they're fixing with it, but updating is probably still a good idea.
Comment 4 Marcus Meissner 2015-02-05 17:11:56 UTC
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

was published now and has way more CVEs apparently also affecting Linux.

I got it now.

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Security updates available for Adobe Flash Player

Release date: February 5, 2015

Vulnerability identifier: APSB15-04

Priority: See table below

CVE number: CVE-2015-0313, CVE-2015-0314, CVE-2015-0315, CVE-2015-0316, CVE-2015-0317, CVE-2015-0318, CVE-2015-0319, CVE-2015-0320, CVE-2015-0321, CVE-2015-0322, CVE-2015-0323, CVE-2015-0324, CVE-2015-0325, CVE-2015-0326, CVE-2015-0327, CVE-2015-0328, CVE-2015-0329, CVE-2015-0330

Platform: All Platforms
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.  Adobe recommends users update their product installations to the latest versions: 

    Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.305. 

    Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. 

    Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. 

    Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.


Affected software versions

    Adobe Flash Player 16.0.0.296 and earlier versions 

    Adobe Flash Player 13.0.0.264 and earlier 13.x versions 

    Adobe Flash Player 11.2.202.440 and earlier 11.x versions

Details

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-0313, CVE-2015-0315, CVE-2015-0320, CVE-2015-0322). 

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, CVE-2015-0330). 

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-0317, CVE-2015-0319). 

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0323, CVE-2015-0327). 

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-0324). 

These updates resolve null pointer dereference issues (CVE-2015-0325, CVE-2015-0326, CVE-2015-0328).
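
The per-branch fixed versions in the advisory quoted in comment 4 can be turned into an inventory check. This is an added example, not part of the bug report or of Adobe's advisory; the branch labels and function names are hypothetical, and treating every version outside 11.x and 13.x as the desktop branch is an assumption.

```python
import re

# Fixed versions per branch, copied from APSB15-04 as quoted above (labels are hypothetical).
FIXED = {
    "linux-11.x": (11, 2, 202, 442),
    "esr-13.x": (13, 0, 0, 269),
    "desktop": (16, 0, 0, 305),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version found in a bare version string or in an
    RPM name-version-release string like flash-player-11.2.202.442-0.3.1."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part Flash Player version in {text!r}")
    return tuple(int(part) for part in match.groups())


def branch_for(version):
    """Assumption: 11.x is the Linux branch, 13.x the ESR, the rest desktop."""
    if version[0] == 11:
        return "linux-11.x"
    if version[0] == 13:
        return "esr-13.x"
    return "desktop"


def assess(text):
    """Compare numerically; string comparison would rank 11.2.202.99 above
    11.2.202.442 and wrongly report it as patched."""
    version = parse_version(text)
    branch = branch_for(version)
    fixed = FIXED[branch]
    return {
        "version": ".".join(map(str, version)),
        "branch": branch,
        "fixed_in": ".".join(map(str, fixed)),
        "needs_update": version < fixed,
    }


if __name__ == "__main__":
    # Constructed inventory; only the last entry appears on this page.
    for pkg in ("11.2.202.99", "13.0.0.264", "flash-player-11.2.202.442-0.3.1"):
        print(pkg, assess(pkg))
```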
Comment 5 Johannes Segitz 2015-02-06 08:38:09 UTC
*** Bug 916374 has been marked as a duplicate of this bug. ***
Comment 6 Swamp Workflow Management 2015-02-06 08:40:53 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-03-06.
https://swamp.suse.de/webswamp/wf/60571
Comment 8 Swamp Workflow Management 2015-02-06 08:48:59 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-03-06.
https://swamp.suse.de/webswamp/wf/60572
Comment 9 Bernhard Wiedemann 2015-02-06 14:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (915918) was mentioned in
https://build.opensuse.org/request/show/284489 Factory:NonFree / flash-player
Comment 10 Stanislav Brabec 2015-02-06 14:05:05 UTC
Submitted:

Factory: OSC request id 284489
openSUSE (13.1, 13.2): OSC maintenance request id 284490
SLE11 SP1: IBS request id 50958
SLE 12: IBS maintenance request id 50962
Comment 11 Johannes Segitz 2015-02-06 14:08:42 UTC
(In reply to Swamp Workflow Management from comment #8)
Please ignore this SWAMP and use 60571. The submit dates are also incorrect. One of our tools decided to become a bit creative.
Comment 13 Swamp Workflow Management 2015-02-07 09:05:00 UTC
SUSE-SU-2015:0236-1: An update that fixes 18 vulnerabilities is now available.

Category: security (critical)
Bug References: 915918
CVE References: CVE-2015-0313,CVE-2015-0314,CVE-2015-0315,CVE-2015-0316,CVE-2015-0317,CVE-2015-0318,CVE-2015-0319,CVE-2015-0320,CVE-2015-0321,CVE-2015-0322,CVE-2015-0323,CVE-2015-0324,CVE-2015-0325,CVE-2015-0326,CVE-2015-0327,CVE-2015-0328,CVE-2015-0329,CVE-2015-0330
Sources used:
Comment 14 Swamp Workflow Management 2015-02-07 09:05:16 UTC
openSUSE-SU-2015:0237-1: An update that fixes 18 vulnerabilities is now available.

Category: security (critical)
Bug References: 915918
CVE References: CVE-2015-0313,CVE-2015-0314,CVE-2015-0315,CVE-2015-0316,CVE-2015-0317,CVE-2015-0318,CVE-2015-0319,CVE-2015-0320,CVE-2015-0321,CVE-2015-0322,CVE-2015-0323,CVE-2015-0324,CVE-2015-0325,CVE-2015-0326,CVE-2015-0327,CVE-2015-0328,CVE-2015-0329,CVE-2015-0330
Sources used:
Comment 15 Swamp Workflow Management 2015-02-07 13:05:01 UTC
openSUSE-SU-2015:0238-1: An update that fixes 18 vulnerabilities is now available.

Category: security (critical)
Bug References: 915918
CVE References: 2015-0313,2015-0314,2015-0315,2015-0316,2015-0317,2015-0318,2015-0319,2015-0320,2015-0321,2015-0322,2015-0323,2015-0324,2015-0325,2015-0326,2015-0327,2015-0328,2015-0329,2015-0330
Sources used:
Comment 16 Swamp Workflow Management 2015-02-07 18:08:02 UTC
SUSE-SU-2015:0239-1: An update that fixes 18 vulnerabilities is now available.

Category: security (critical)
Bug References: 915918
CVE References: CVE-2015-0313,CVE-2015-0314,CVE-2015-0315,CVE-2015-0316,CVE-2015-0317,CVE-2015-0318,CVE-2015-0319,CVE-2015-0320,CVE-2015-0321,CVE-2015-0322,CVE-2015-0323,CVE-2015-0324,CVE-2015-0325,CVE-2015-0326,CVE-2015-0327,CVE-2015-0328,CVE-2015-0329,CVE-2015-0330
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.442-0.3.1
Comment 17 Marcus Meissner 2015-02-09 11:55:16 UTC
released