
Arch Linux Security Advisory ASA-201606-15
==========================================
Severity: Critical
Date    : 2016-06-19
CVE-ID  : CVE-2016-4122 CVE-2016-4123 CVE-2016-4124 CVE-2016-4125
          CVE-2016-4127 CVE-2016-4128 CVE-2016-4129 CVE-2016-4130
          CVE-2016-4131 CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
          CVE-2016-4135 CVE-2016-4136 CVE-2016-4137 CVE-2016-4138
          CVE-2016-4139 CVE-2016-4140 CVE-2016-4141 CVE-2016-4142
          CVE-2016-4143 CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
          CVE-2016-4147 CVE-2016-4148 CVE-2016-4149 CVE-2016-4150
          CVE-2016-4151 CVE-2016-4152 CVE-2016-4153 CVE-2016-4154
          CVE-2016-4155 CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======
The package flashplugin before version 11.2.202.626-1 is vulnerable to
multiple issues including same-origin policy bypass and arbitrary code
execution.

Resolution
==========
Upgrade to 11.2.202.626-1.

# pacman -Syu "flashplugin>=11.2.202.626-1"

The problems have been fixed upstream in version 11.2.202.626.
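
A way to audit a host against this advisory offline, as an added example that is not part of the advisory: it reads lines in the shape of `pacman -Q` output and compares each flashplugin version with the fixed 11.2.202.626-1 using a simplified reimplementation of pacman's vercmp rules (epoch, pkgver, pkgrel); the sample input is constructed, and `vercmp`, `split_version` and `vulnerable_packages` are names chosen here, not pacman's API.

```python
import re
FIXED = "11.2.202.626-1"  # fixed version named in the advisory's Resolution

def split_version(v):
    """'[epoch:]pkgver[-pkgrel]' -> (epoch, pkgver, pkgrel)."""
    epoch, _, rest = v.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch or 0), pkgver, pkgrel

def _cmp_segments(a, b):
    # Separators are ignored: only numeric and alphabetic runs are compared.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alpha run
        if x != y:
            return (x > y) - (x < y)
    # Tail rule from pacman's vercmp: a leftover alpha run never beats an
    # empty string, so 1.0a < 1.0 < 1.0.1
    ra, rb = sa[len(sb):], sb[len(sa):]
    if not ra and not rb:
        return 0
    return -1 if (not ra and not rb[0].isalpha()) or (ra and ra[0].isalpha()) else 1

def vercmp(a, b):
    """Return -1, 0 or 1 like pacman's vercmp(8) (simplified reimplementation)."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_segments(va, vb)
    # pkgrel only decides when both versions carry one
    return _cmp_segments(ra, rb) if c == 0 and ra and rb else c

# Constructed sample in the shape of `pacman -Q` output (not real data)
SAMPLE_PACMAN_Q = "flashplugin 11.2.202.621-1\nfirefox 47.0-1\n"

def vulnerable_packages(pacman_q_output, package="flashplugin", fixed=FIXED):
    """Return (name, version) pairs for installed packages still below the fix."""
    hits = []
    for line in pacman_q_output.splitlines():
        name, _, ver = line.partition(" ")
        if name == package and vercmp(ver, fixed) < 0:
            hits.append((name, ver))
    return hits
```

On a real host, feed it the output of `pacman -Q flashplugin` instead of the constructed sample; an empty result means the installed version is at or above the fix.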

Workaround
==========
None.

Description
===========
- CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125,
  CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
  CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134,
  CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151,
  CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
  CVE-2016-4156, CVE-2016-4166, CVE-2016-4171 (arbitrary code execution)

Memory corruptions leading to arbitrary code execution.

- CVE-2016-4135, CVE-2016-4136, CVE-2016-4138 (arbitrary code execution)

Heap-based buffer overflows leading to arbitrary code execution.

- CVE-2016-4139 (information leak)

Vulnerability that could be exploited to bypass the same-origin policy
and lead to information disclosure.

- CVE-2016-4140 (arbitrary code execution)

Vulnerability in the directory search path used to find resources that
could lead to code execution.

- CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146,
  CVE-2016-4147, CVE-2016-4148 (arbitrary code execution)

Use-after-free vulnerabilities leading to arbitrary code execution.

- CVE-2016-4144, CVE-2016-4149 (arbitrary code execution)

Type confusion vulnerabilities leading to arbitrary code execution.

Impact
======
A remote attacker can bypass the same-origin policy to access sensitive
information, or execute arbitrary code by using a crafted flash application.

References
==========
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
