
Fix multiple vulns in Flash.
Closed, Public

Authored by xmj on Sep 25 2014, 1:56 AM.

Details

Summary

As reported by Adobe, current flashplugin
linux-*-flashplugin-11.2r202.400 is vulnerable to multiple CVEs.
Update Flash to linux-*-flashplugin-11.2r202.406.

While there, set maintainer to emulation@ on www/linux-c6-flashplugin11
to match eadler@'s commit in revision r369160.

Patch to security/vuxml/vuln.xml can't be attached with arc diff it seems.
Here goes:
https://dpaste.de/sGdH/raw

Commit message:

www/linux-*-flashplugin11: Fix multiple security vulnerabilities

Adobe has discovered multiple security vulnerabilities in Flash
linux-*-flashplugin-11.2r202.400. Upgrade the two Linux ports to
version .406, which fixes these.

While there, assign www/linux-c6-flashplugin11 to emulation@
in order to match r369160.

PR: 		193904
Submitted by:	Jung-uk Kim 
Reviewed by:  bdrewery
Approved by:  koobs (mentor)

Test Plan

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Linters Available
Unit
No Unit Test Coverage

Event Timeline

xmj updated this revision to Diff 1755. Sep 25 2014, 1:56 AM
xmj retitled this revision from to Fix multiple vulns in Flash..
xmj updated this object.
xmj edited the test plan for this revision.
xmj added reviewers: koobs, swills, bdrewery.

xmj added a comment. Sep 25 2014, 2:29 AM

@bdrewery points out wildcarding packages in vuln.xml is not the way to go, and that they want to be listed explicitly like

https://dpaste.de/82Kh/raw

xmj added a comment. Sep 25 2014, 9:30 AM

After vuln.xml was amended to account for chromium and nss vulns,
new paste attached here: https://dpaste.de/zi4a/raw

koobs requested changes to this revision. Sep 25 2014, 9:30 AM
koobs edited edge metadata.

Add to commit log:

  • Security: ca44b64c-4453-11e4-9ea1-c485083ca99c
  • MFH: <branch>

Since CVEs are involved:

  • CPE_* information must be added

This revision now requires changes to proceed. Sep 25 2014, 9:30 AM

xmj updated this revision to Diff 1760. Sep 25 2014, 10:02 AM
xmj edited edge metadata.

Add CPE_VENDOR and CPE_PRODUCT as per
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0551

www/linux-*-flashplugin11: Fix multiple security vulnerabilities

Adobe has discovered multiple security vulnerabilities in Flash
linux-*-flashplugin-11.2r202.400. Upgrade the two Linux ports to
version .406, which fixes these.

While there, assign www/linux-c6-flashplugin11 to emulation@
in order to match r369160.

PR:           193904
Submitted by: Jung-uk Kim 
Approved by:  koobs (mentor)
Security:     ca44b64c-4453-11e4-9ea1-c485083ca99c
MFH:          2014Q3

koobs accepted this revision. Sep 25 2014, 10:33 AM
koobs edited edge metadata.

Looks good with the following clarification requested in commit log re maintainer change:

While here:

 - Merge in eadler@'s MAINTAINER change from r369160 [1]

[1] https://svnweb.freebsd.org/changeset/ports/369160

This revision is now accepted and ready to land. Sep 25 2014, 10:33 AM

xmj added a comment. Sep 29 2014, 11:19 AM

Landed as 369267
f10 bits MFH'd to 2014Q3 as 369304

xmj closed this revision. Sep 29 2014, 11:20 AM
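
The commit-log trailers requested during this review (`Security:` and `MFH:` alongside `PR:`) can be checked mechanically before a security fix lands. The following is an added example, not part of the original review or of any FreeBSD tooling; the function names and the format patterns for the trailer values are assumptions based on the values shown in this thread, and the sample messages are abridged from it.

```python
import re

# Assumption: Security: carries a UUID-shaped id and MFH: a quarterly branch
# name, matching the values that appear in this review thread.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
BRANCH_RE = re.compile(r"^\d{4}Q[1-4]$")
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_trailers(message):
    """Return {key: value} for the trailer block (last paragraph) of a log."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    trailers = {}
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            trailers[m.group(1)] = m.group(2).strip()
    return trailers


def lint_security_commit(message):
    """List the trailers that are missing or malformed for a security fix."""
    t = parse_trailers(message)
    problems = []
    if not UUID_RE.match(t.get("Security", "")):
        problems.append("Security: missing or not a UUID")
    # An unfilled template value such as "<branch>" is rejected here too.
    if not BRANCH_RE.match(t.get("MFH", "")):
        problems.append("MFH: missing or not a quarterly branch")
    if not t.get("PR", "").isdigit():
        problems.append("PR: missing or not numeric")
    return problems


# Sample logs abridged from the thread: the first draft and the revised one.
SUBJECT = "www/linux-*-flashplugin11: Fix multiple security vulnerabilities\n\n"
BEFORE = SUBJECT + "PR: \t\t193904\nApproved by:  koobs (mentor)\n"
AFTER = (BEFORE
         + "Security:     ca44b64c-4453-11e4-9ea1-c485083ca99c\n"
         + "MFH:          2014Q3\n")

if __name__ == "__main__":
    for name, msg in (("first draft", BEFORE), ("revised", AFTER)):
        print(name, lint_security_commit(msg) or "ok")
```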