Bug 649938 (CVE-2010-3636, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652)
Summary: | flash-plugin: security bulletin APSB10-26 | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | unspecified | CC: | jrb, security-response-team, stransky |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.adobe.com/support/security/bulletins/apsb10-26.html | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-09-25 16:08:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 649111, 649113, 649115 | | |
Bug Blocks: | | | |

Description
Vincent Danen
2010-11-04 20:42:14 UTC
At this time, there seem to be problems obtaining the updated packages although the advisory is now live. The Flash Player 9 download link provides the old 9.0.283.0 version as opposed to the newer 9.0.289.0. As well, the Flash Player 10 download is unversioned (flash version test using http://kb2.adobe.com/cps/155/tn_15507.html shows simply 'LNX' for the version, rather than an appropriate version string), so I am unable to determine if this is the right file.

I've emailed Adobe PSIRT for confirmation of the 10.x and to inquire as to the whereabouts of the 9.x download.

(In reply to comment #1)
> The Flash Player 9 download link provides the old 9.0.283.0 version as opposed
> to the newer 9.0.289.0.

Download link still points to old 9.0.283.0 tarball.

> As well, the Flash Player 10 download is unversioned (flash version test using
> http://kb2.adobe.com/cps/155/tn_15507.html shows simply 'LNX' for the version,
> rather than an appropriate version string), so I am unable to determine if this
> is the right file.

Scrolling mouse wheel over that LNX text shows versions. about:plugins page shows plugin version too. libflashplayer.so binary can also be grepped for version string:

    $ strings libflashplayer.so | grep LNX
    LNX 10,1,102,64

(In reply to comment #0)
> * This update resolves a library-loading vulnerability that could lead to code
> execution (CVE-2010-3976).

This may be one of the recent DLL loading issues and hence be platform-specific. APSB10-26 does not provide further details, Mitre CVE entry links:

Adobe Flash Player IE version 10.1.x Insecure DLL Hijacking Vulnerability (dwmapi.dll)
http://www.securityfocus.com/archive/1/513599/30/480/threaded

This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0829 https://rhn.redhat.com/errata/RHSA-2010-0829.html

This issue has been addressed in following products:

  Extras for RHEL 4

Via RHSA-2010:0834 https://rhn.redhat.com/errata/RHSA-2010-0834.html

This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 6

Via RHSA-2010:0867 https://rhn.redhat.com/errata/RHSA-2010-0867.html