Security update for flash-player SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0107-1 Final 1 1 2017-01-11T16:49:23Z current 2017-01-11T16:49:23Z 2017-01-11T16:49:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flash-player This update to Adobe Flash 24.0.0.194 fixes the following vulnerabilities advised under APSB17-02: - security bypass vulnerability that could lead to information disclosure (CVE-2017-2938) - use-after-free vulnerabilities that could lead to code execution (CVE-2017-2932, CVE-2017-2936, CVE-2017-2937) - heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935) - memory corruption vulnerabilities that could lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html E-Mail link for openSUSE-SU-2017:0107-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 NonFree flash-player-24.0.0.194-2.124.1 flash-player-gnome-24.0.0.194-2.124.1 flash-player-kde4-24.0.0.194-2.124.1 flash-player-24.0.0.194-2.124.1 as a component of openSUSE 13.2 NonFree flash-player-gnome-24.0.0.194-2.124.1 as a component of openSUSE 13.2 NonFree flash-player-kde4-24.0.0.194-2.124.1 as a component of openSUSE 13.2 NonFree Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability in the JPEG XR codec. Successful exploitation could lead to arbitrary code execution. CVE-2017-2925 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2925.html CVE-2017-2925 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to processing of atoms in MP4 files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2926 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2926.html CVE-2017-2926 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing Adobe Texture Format files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2927 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2927.html CVE-2017-2927 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to setting visual mode effects. Successful exploitation could lead to arbitrary code execution. CVE-2017-2928 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2928.html CVE-2017-2928 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability due to a concurrency error when manipulating a display list. Successful exploitation could lead to arbitrary code execution. CVE-2017-2930 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2930.html CVE-2017-2930 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to the parsing of SWF metadata. Successful exploitation could lead to arbitrary code execution. CVE-2017-2931 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2931.html CVE-2017-2931 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript MovieClip class. Successful exploitation could lead to arbitrary code execution. CVE-2017-2932 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2932.html CVE-2017-2932 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability related to texture compression. Successful exploitation could lead to arbitrary code execution. CVE-2017-2933 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2933.html CVE-2017-2933 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when parsing Adobe Texture Format files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2934 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2934.html CVE-2017-2934 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing the Flash Video container file format. Successful exploitation could lead to arbitrary code execution. CVE-2017-2935 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2935.html CVE-2017-2935 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class. Successful exploitation could lead to arbitrary code execution. CVE-2017-2936 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2936.html CVE-2017-2936 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class, when using class inheritance. Successful exploitation could lead to arbitrary code execution. CVE-2017-2937 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2937.html CVE-2017-2937 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have a security bypass vulnerability related to handling TCP connections. CVE-2017-2938 openSUSE 13.2 NonFree:flash-player-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.194-2.124.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.194-2.124.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html https://www.suse.com/security/cve/CVE-2017-2938.html CVE-2017-2938 https://bugzilla.suse.com/1019129 SUSE Bug 1019129