[arch-security] [ASA-201412-13] flashplugin: multiple issues
Arch Linux Security Advisory ASA-201412-13
==========================================

Severity: Critical
Date    : 2014-12-12
CVE-ID  : CVE-2014-0580 CVE-2014-0587 CVE-2014-8443 CVE-2014-9163
          CVE-2014-9164 CVE-2014-9162
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package flashplugin before version 11.2.202.425-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution,
information disclosure and policy bypass.

Resolution
==========

Upgrade to 11.2.202.425-1.

# pacman -Syu "flashplugin>=11.2.202.425-1"

The problems have been fixed upstream in version 11.2.202.425.

Workaround
==========

None.

Description
===========

- CVE-2014-0580 (policy bypass)

A flaw allows remote attackers to bypass the same origin policy via
unspecified vectors.

- CVE-2014-0587 (arbitrary code execution)

A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.

- CVE-2014-8443 (arbitrary code execution)

A flaw allows attackers to execute arbitrary code via a use-after-free
vulnerability.

- CVE-2014-9163 (arbitrary code execution)

A flaw allows attackers to execute arbitrary code via a stack-based
buffer overflow vulnerability.

- CVE-2014-9164 (arbitrary code execution)

A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.

- CVE-2014-9162 (information disclosure)

A flaw allows attackers to obtain sensitive information via unspecified
vectors.

Impact
======

A remote attacker is able to execute arbitrary code, bypass the same
origin policy, obtain sensitive information or crash the plugin via
various unspecified vectors.

References
==========

https://helpx.adobe.com/security/products/flash-player/apsb14-27.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0580
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0587
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8443
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9163
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9164
participants (1)
-
Levente Polyak