On 2011-11-04 Adobe plans to release an update for Adobe Flash Player, providing 10.1.102.64 and 9.0.289.0 to address multiple security issues allowing code execution. The flaws are described in the Adobe Security Bulletin APSB10-26:

http://www.adobe.com/support/security/bulletins/apsb10-26.html

* This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3654).
* This update resolves an input validation issue vulnerability that could lead to a bypass of cross-domain policy file restrictions with certain server encodings (CVE-2010-3636).
* This update resolves a memory corruption vulnerability that could lead to code execution (ActiveX only) (CVE-2010-3637).
* This update resolves an information disclosure vulnerability (Macintosh platform, Safari browser-only) (CVE-2010-3638).
* This update resolves a Denial of Service vulnerability. Arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-3639).
* This update resolves multiple memory corruption vulnerabilities that could lead to code execution: (CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652)
* This update resolves a library-loading vulnerability that could lead to code execution (CVE-2010-3976).
At this time, there seem to be problems obtaining the updated packages although the advisory is now live. The Flash Player 9 download link provides the old 9.0.283.0 version as opposed to the newer 9.0.289.0. As well, the Flash Player 10 download is unversioned (flash version test using http://kb2.adobe.com/cps/155/tn_15507.html shows simply 'LNX' for the version, rather than an appropriate version string), so I am unable to determine if this is the right file. I've emailed Adobe PSIRT for confirmation of the 10.x and to inquire as to the whereabouts of the 9.x download.
(In reply to comment #1)
> The Flash Player 9 download link provides the old 9.0.283.0 version as opposed
> to the newer 9.0.289.0.

Download link still points to old 9.0.283.0 tarball.

> As well, the Flash Player 10 download is unversioned (flash version test using
> http://kb2.adobe.com/cps/155/tn_15507.html shows simply 'LNX' for the version,
> rather than an appropriate version string), so I am unable to determine if this
> is the right file.

Scrolling mouse wheel over that LNX text shows versions. about:plugins page shows plugin version too. libflashplayer.so binary can also be grepped for version string:

$ strings libflashplayer.so | grep LNX
LNX 10,1,102,64

(In reply to comment #0)
> * This update resolves a library-loading vulnerability that could lead to code
> execution (CVE-2010-3976).

This may be one of the recent DLL loading issues and hence be platform-specific. APSB10-26 does not provide further details, Mitre CVE entry links:

Adobe Flash Player IE version 10.1.x Insecure DLL Hijacking Vulnerability (dwmapi.dll)
http://www.securityfocus.com/archive/1/513599/30/480/threaded
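The version check from comment #2 (grep the plugin binary for its LNX string) can be turned into a repeatable audit against the fixed build numbers from APSB10-26. This is an added example, not part of the bug thread or of Adobe's or Red Hat's tooling; it assumes strings(1) from binutils is installed and that the plugin path and fixed version are supplied by the caller (the 10.1.102.64 default is the Flash Player 10 fix; pass 9.0.289.0 for the 9.x branch).

```shell
#!/bin/sh
# Added example, not from the bug thread: automate the check comment #2
# describes ("strings libflashplayer.so | grep LNX" -> "LNX 10,1,102,64")
# and compare the embedded version with the fixed build from APSB10-26.
# Assumptions: strings(1) from binutils is installed; the plugin path and
# the fixed version are passed in (10.1.102.64 is the default).

# Read strings(1) output on stdin, print the first "LNX a,b,c,d" as a.b.c.d.
# A bare "LNX" line (the unversioned case seen in comment #1) yields nothing.
flash_version_from_strings() {
    sed -n 's/^LNX \([0-9][0-9,]*\)$/\1/p' | head -n 1 | tr ',' '.'
}

# Compare dotted numeric versions component-wise; return 0 if $1 >= $2.
# Missing components count as 0, so 10.1 equals 10.1.0.0.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Audit one plugin binary: return 0 if at/above the fixed version, 1 if older,
# 2 if no LNX version string is embedded (or the file cannot be read).
check_flashplayer() {
    plugin="$1" fixed="${2:-10.1.102.64}"
    found=$(strings "$plugin" 2>/dev/null | flash_version_from_strings)
    if [ -z "$found" ]; then
        echo "$plugin: no LNX version string found"; return 2
    fi
    if version_ge "$found" "$fixed"; then
        echo "$plugin: $found is at or above fixed $fixed"; return 0
    fi
    echo "$plugin: $found is OLDER than fixed $fixed, update needed"; return 1
}

# Usage: sh check_flash.sh /path/to/libflashplayer.so [fixed-version]
if [ $# -gt 0 ]; then
    check_flashplayer "$@"
fi
```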
This issue has been addressed in the following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0829 https://rhn.redhat.com/errata/RHSA-2010-0829.html
This issue has been addressed in the following products:

  Extras for RHEL 4

Via RHSA-2010:0834 https://rhn.redhat.com/errata/RHSA-2010-0834.html
This issue has been addressed in the following products:

  Extras for Red Hat Enterprise Linux 6

Via RHSA-2010:0867 https://rhn.redhat.com/errata/RHSA-2010-0867.html