[arch-security] [ASA-201501-8] flashplugin: multiple issues
Arch Linux Security Advisory ASA-201501-8
=========================================

Severity: Critical
Date    : 2014-01-15
CVE-ID  : CVE-2015-0301 CVE-2015-0302 CVE-2015-0303 CVE-2015-0304
          CVE-2015-0305 CVE-2015-0306 CVE-2015-0307 CVE-2015-0308
          CVE-2015-0309
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package flashplugin before version 11.2.202.429-1 is vulnerable to
multiple issues, including but not limited to remote code execution.

Resolution
==========

Upgrade to 11.2.202.429-1.

# pacman -Syu "flashplugin>=11.2.202.429-1"

The problem has been fixed upstream in version 11.2.202.429.

Workaround
==========

If an upgrade is not possible, you may want to disable the flashplugin
on your system.

Description
===========

- CVE-2015-0301
Improper file validation issue.

- CVE-2015-0302 (information disclosure)
Information disclosure vulnerability that could be exploited to capture
keystrokes on the affected system.

- CVE-2015-0303, CVE-2015-0306 (arbitrary code execution)
Memory corruption vulnerabilities that could lead to code execution.

- CVE-2015-0304, CVE-2015-0309 (arbitrary code execution)
Heap-based buffer overflow vulnerabilities that could lead to code
execution.

- CVE-2015-0305 (arbitrary code execution)
Type confusion vulnerability that could lead to code execution.

- CVE-2015-0307 (information disclosure)
Out-of-bounds read vulnerability that could be exploited to leak memory
addresses.

- CVE-2015-0308 (arbitrary code execution)
Use-after-free vulnerability that could lead to code execution.

Impact
======

An attacker able to supply a malicious flash application may be able to
capture keystrokes or execute arbitrary code on the affected system.

References
==========

https://helpx.adobe.com/security/products/flash-player/apsb15-01.html
https://bugs.archlinux.org/task/43455
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0301
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0302
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0303
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0304
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0305
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0306
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0307
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0308
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0309

Remi Gacogne