Page MenuHomeFreeBSD

Fix multiple vulns in Flash.
ClosedPublic

Authored by xmj on Sep 25 2014, 1:56 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 22, 11:02 PM
Unknown Object (File)
Sat, Nov 9, 2:43 PM
Unknown Object (File)
Oct 2 2024, 1:24 PM
Unknown Object (File)
Sep 22 2024, 7:36 PM
Unknown Object (File)
Sep 6 2024, 4:23 AM
Unknown Object (File)
Sep 6 2024, 4:23 AM
Unknown Object (File)
Sep 6 2024, 4:23 AM
Unknown Object (File)
Sep 6 2024, 4:14 AM
Subscribers
None

Details

Summary

As reported by Adobe, current flashplugin
linux-*-flashplugin-11.2r202.400 is vulnerable to multiple CVEs.
Update Flash to linux-*-flashplugin-11.2r202.406.

While there, set maintainer to emulation@ on www/linux-c6-flashplugin11
to match eadler@'s commit in revision r369160.

Patch to security/vuxml/vuln.xml can't be attached with arc diff it seems.
Here goes:
https://dpaste.de/sGdH/raw

Commitmessage:

www/linux-*-flashplugin11: Fix multiple security vulnerabilities

Adobe has discovered multiple security vulnerabilities in Flash
linux-*-flashplugin-11.2r202.400. Ugrade the two Linux ports to
version .406, which fixes these.

While there, assign www/linux-c6-flashplugin11 to emulation@
in order to match r369160.

PR: 		193904
Submitted by:	Jung-uk Kim 
Reviewed by:  bdrewery
Approved by:  koobs (mentor)
Test Plan

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

xmj retitled this revision from to Fix multiple vulns in Flash..
xmj updated this object.
xmj edited the test plan for this revision. (Show Details)
xmj added reviewers: koobs, swills, bdrewery.

@bdrewery points out wildcarding packages in vuln.xml is not the way to go, and that they want to be listed explicitly like

https://dpaste.de/82Kh/raw

After vuln.xml was amended to account for chromium and nss vulns,
new paste attached here: https://dpaste.de/zi4a/raw

koobs requested changes to this revision.Sep 25 2014, 9:30 AM
koobs edited edge metadata.

Add to commit log:

  • Security: ca44b64c-4453-11e4-9ea1-c485083ca99c
  • MFH: <branch>

Since CVE's are involved:

  • CPE_* information must be added
This revision now requires changes to proceed.Sep 25 2014, 9:30 AM
xmj edited edge metadata.

Add CPE_VENDOR and CPE_PRODUCT as per
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0551

www/linux-*-flashplugin11: Fix multiple security vulnerabilities

Adobe has discovered multiple security vulnerabilities in Flash
linux-*-flashplugin-11.2r202.400. Ugrade the two Linux ports to
version .406, which fixes these.

While there, assign www/linux-c6-flashplugin11 to emulation@
in order to match r369160.

PR:           193904
Submitted by: Jung-uk Kim 
Approved by:  koobs (mentor)
Security:     ca44b64c-4453-11e4-9ea1-c485083ca99c
MFH:          2014Q3
koobs edited edge metadata.

Looks good with the following clarification requested in commit log re maintainer change:

While here:

 - Merge in eadler@'s MAINTAINER change from r369160 [1]

[1] https://svnweb.freebsd.org/changeset/ports/369160
This revision is now accepted and ready to land.Sep 25 2014, 10:33 AM

Landed as 369267
f10 bits MFH'd to 2014Q3 as 369304