Bug 1007098 - (CVE-2016-7855) VUL-0: CVE-2016-7855: flash-player: use-after-free vulnerability (APSB16-36)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/174151/
CVSSv2:SUSE:CVE-2016-7855:6.8:(AV:N/A...
Reported: 2016-10-26 18:30 UTC by Andreas Stieger
Modified: 2016-11-09 13:26 UTC (History)

Found By: Security Response Team
Comment 1 Andreas Stieger 2016-10-26 18:31:58 UTC
These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2016-7855). 

Exploit seen in the wild against Windows.
Comment 2 Stanislav Brabec 2016-10-26 19:51:19 UTC
I will update.

update.sh stopped working; the download URL changes nearly every day. More complicated parsing is required.
Comment 3 Bernhard Wiedemann 2016-10-26 20:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (1007098) was mentioned in
https://build.opensuse.org/request/show/437466 13.2:NonFree / flash-player
Comment 5 Stanislav Brabec 2016-10-26 20:06:32 UTC
Well, you are already done.


update.sh fix manual:

Go to https://get.adobe.com/cz/flashplayer/otherversions/

Select 32bit Linux NPAPI, look at the download button URL. Pick the new stype number and add it to update.sh.
Comment 6 Andreas Stieger 2016-10-27 15:42:06 UTC
done
Comment 7 Swamp Workflow Management 2016-10-27 16:07:04 UTC
SUSE-SU-2016:2662-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1007098
CVE References: CVE-2016-7855
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    flash-player-11.2.202.643-146.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    flash-player-11.2.202.643-146.1
Comment 8 Swamp Workflow Management 2016-10-27 19:06:25 UTC
openSUSE-SU-2016:2663-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1007098
CVE References: CVE-2016-7855
Sources used:
openSUSE 13.2 NonFree (src):    flash-player-11.2.202.643-2.115.1
Comment 9 Swamp Workflow Management 2016-10-27 23:06:54 UTC
openSUSE-SU-2016:2665-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1007098
CVE References: CVE-2016-7855
Sources used:
openSUSE 13.1 NonFree (src):    flash-player-11.2.202.643-177.1