Bug 466154 (CVE-2008-4401)

Summary: CVE-2008-4401 flash-plugin: upload/download user interaction
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kreilly, wtogami
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4401
Doc Type: Bug Fix
Last Closed: 2008-12-19 19:32:55 UTC
Bug Depends On: 466158, 466159, 466160    
Bug Blocks:    

Description Josh Bressers 2008-10-08 18:54:33 UTC
Previously ActionScript could initiate uploads and downloads without user
interaction.  Flash Player 10 beta changes this behavior.
FileReference.browse and FileReference.download calls now can only be
initiated via user interaction, such as clicking the mouse or pressing keys on
the keyboard.

For more information please see:
http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html#head3

Comment 2 Tomas Hoger 2008-10-16 07:46:12 UTC
Public now via:

http://www.adobe.com/support/security/bulletins/apsb08-18.html

Comment 3 Red Hat Product Security 2008-12-19 19:32:55 UTC
This issue was addressed in:

Red Hat Enterprise Linux Extras:
  http://rhn.redhat.com/errata/RHSA-2008-0945.html
  http://rhn.redhat.com/errata/RHSA-2008-0980.html