Arch Linux Security Advisory ASA-201411-11
==========================================

Severity: Critical
Date    : 2014-11-13
CVE-ID  : CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577,
          CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
          CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
          CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
          CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package flashplugin before version 11.2.202.418-1 is vulnerable to
multiple flaws: memory corruption, use-after-free, double free, type
confusion and heap buffer overflow issues that allow arbitrary remote code
execution, an information disclosure of session tokens, and two privilege
escalation issues.

Resolution
==========

Upgrade to 11.2.202.418-1.

# pacman -Syu "flashplugin>=11.2.202.418-1"

The problem has been fixed upstream in version 11.2.202.418.

Workaround
==========

Disable or remove the flash plugin.

Description
===========

These updates resolve memory corruption vulnerabilities that could lead to
code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441).

These updates resolve use-after-free vulnerabilities that could lead to code
execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).

These updates resolve a double free vulnerability that could lead to code
execution (CVE-2014-0574).

These updates resolve type confusion vulnerabilities that could lead to code
execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586,
CVE-2014-0590).

These updates resolve heap buffer overflow vulnerabilities that could lead to
code execution (CVE-2014-0582, CVE-2014-0589).

These updates resolve an information disclosure vulnerability that could be
exploited to disclose session tokens (CVE-2014-8437).

These updates resolve a heap buffer overflow vulnerability that could be
exploited to perform privilege escalation from low to medium integrity level
(CVE-2014-0583).

These updates resolve a permission issue that could be exploited to perform
privilege escalation from low to medium integrity level (CVE-2014-8442).

Impact
======

A remote attacker in position of a man-in-the-middle or a malicious website
can remotely execute arbitrary code with the privileges of the current user.

Low and medium integrity levels are a Windows process-isolation mechanism, so
the two privilege escalation entries (CVE-2014-0583, CVE-2014-8442) describe
the Windows sandbox; the code execution and session token disclosure flaws
are the ones relevant to this package.

References
==========

https://helpx.adobe.com/security/products/flash-player/apsb14-24.html
https://bugs.archlinux.org/task/42769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442
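The Resolution section above tells you to upgrade; the script below is an added example, not part of the Arch advisory, that turns that into a check: given an installed flashplugin version string (as printed by `pacman -Q flashplugin`), it decides whether the package is at or above the fixed release 11.2.202.418-1. It uses a simplified numeric comparison written in POSIX sh so it runs offline on any host; on an Arch system the authoritative comparator is pacman's own `vercmp` tool, which also handles epochs and alphanumeric versions that this helper does not. The function names (`vercmp_simple`, `flashplugin_is_fixed`, `check_pacman_line`) and the sample version lines are this example's own, not anything from the advisory.

```shell
#!/bin/sh
# Added example, not part of ASA-201411-11: decide whether an installed
# flashplugin version is at or above the fixed release named in the advisory.
# Function names and the sample inputs below are this example's own choices.

FIXED_VERSION="11.2.202.418-1"

# Simplified comparison of two Arch versions of the form pkgver-pkgrel with
# dot-separated numeric components. Prints -1, 0 or 1. Missing or
# non-numeric components count as 0. pacman's vercmp also handles epochs and
# alphanumeric parts; this helper deliberately does not, so that it runs
# where pacman is absent.
vercmp_simple() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}
        if [ "$ca" = "$a" ]; then a=''; else a=${a#*.}; fi
        cb=${b%%.*}
        if [ "$cb" = "$b" ]; then b=''; else b=${b#*.}; fi
        case $ca in ''|*[!0-9]*) ca=0 ;; esac
        case $cb in ''|*[!0-9]*) cb=0 ;; esac
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status 0 (true) when the given installed version is not vulnerable.
flashplugin_is_fixed() {
    [ "$(vercmp_simple "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Turn one line of `pacman -Q flashplugin` output, e.g.
# "flashplugin 11.2.202.406-1", into a one-word verdict:
# fixed, vulnerable, or unknown (the line does not describe flashplugin).
check_pacman_line() {
    case $1 in
        "flashplugin "*) ver=${1#flashplugin } ;;
        *) printf '%s\n' unknown; return 0 ;;
    esac
    if flashplugin_is_fixed "$ver"; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# On an Arch host with the package installed, query the real package
# database; elsewhere fall back to a constructed sample line so the script
# still demonstrates the check.
if command -v pacman >/dev/null 2>&1 && pacman -Q flashplugin >/dev/null 2>&1; then
    line=$(pacman -Q flashplugin)
else
    line="flashplugin 11.2.202.406-1"   # constructed sample: a vulnerable version
fi
printf '%s -> %s\n' "$line" "$(check_pacman_line "$line")"
```

A verdict of `vulnerable` means the upgrade command from the Resolution section has not been applied yet; `unknown` means the input line was not a flashplugin entry. Because the comparator ignores epochs, a real deployment check on Arch should prefer `vercmp "$installed" 11.2.202.418-1` and test for a result of 0 or 1.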