[arch-security] [ASA-201609-12] lib32-flashplugin: multiple issues
Arch Linux Security Advisory ASA-201609-12
==========================================

Severity: Critical
Date    : 2016-09-15
CVE-ID  : CVE-2016-4271 CVE-2016-4272 CVE-2016-4274 CVE-2016-4275
          CVE-2016-4276 CVE-2016-4277 CVE-2016-4278 CVE-2016-4279
          CVE-2016-4280 CVE-2016-4281 CVE-2016-4282 CVE-2016-4283
          CVE-2016-4284 CVE-2016-4285 CVE-2016-4287 CVE-2016-6921
          CVE-2016-6922 CVE-2016-6923 CVE-2016-6924 CVE-2016-6925
          CVE-2016-6926 CVE-2016-6927 CVE-2016-6929 CVE-2016-6930
          CVE-2016-6931 CVE-2016-6932
Package : lib32-flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-flashplugin before version 11.2.202.635-1 is vulnerable
to multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 11.2.202.635-1.

# pacman -Syu "lib32-flashplugin>=11.2.202.635-1"

The problems have been fixed upstream in version 11.2.202.635.

Workaround
==========

None.

Description
===========

- CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280,
  CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284,
  CVE-2016-4285, CVE-2016-6922, CVE-2016-6924 (arbitrary code execution)

Multiple memory corruption vulnerabilities that could lead to arbitrary
code execution have been found. These vulnerabilities were discovered by
Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, willJ of
Tencent PC Manager, Yuki Chen of Qihoo 360 Vulcan Team, b0nd@garage4hackers
working with Trend Micro's Zero Day Initiative, and Tao Yan (@Ga1ois) of
Palo Alto Networks.

- CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923,
  CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929,
  CVE-2016-6930, CVE-2016-6931, CVE-2016-6932 (arbitrary code execution)

Multiple use-after-free vulnerabilities that could lead to arbitrary code
execution have been found.
These vulnerabilities have been discovered by Mumei working with Trend
Micro's Zero Day Initiative, Yuki Chen of Qihoo 360 Vulcan Team working
with the Chromium Vulnerability Rewards Program, willJ of Tencent PC
Manager, JieZeng of Tencent Zhanlu Lab working with the Chromium
Vulnerability Rewards Program, Nicolas Joly of Microsoft Vulnerability
Research, and Yuki Chen of Qihoo 360 Vulcan Team.

- CVE-2016-4287 (arbitrary code execution)

An integer overflow vulnerability that could lead to arbitrary code
execution has been found. This vulnerability has been discovered by Yuki
Chen of Qihoo 360 Vulcan Team working with the Chromium Vulnerability
Rewards Program.

- CVE-2016-4271, CVE-2016-4277, CVE-2016-4278 (information disclosure)

Security bypass vulnerabilities that could lead to information disclosure
have been found. These vulnerabilities have been found by Leone
Pontorieri, Soroush Dalili and Matthew Evans from NCC Group, and Nicolas
Joly of Microsoft Vulnerability Research.

Impact
======

A remote attacker can execute arbitrary code, bypass security checks, or
disclose information on the affected host via unspecified vectors.
References
==========

https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
https://access.redhat.com/security/cve/CVE-2016-4271
https://access.redhat.com/security/cve/CVE-2016-4272
https://access.redhat.com/security/cve/CVE-2016-4274
https://access.redhat.com/security/cve/CVE-2016-4275
https://access.redhat.com/security/cve/CVE-2016-4276
https://access.redhat.com/security/cve/CVE-2016-4277
https://access.redhat.com/security/cve/CVE-2016-4278
https://access.redhat.com/security/cve/CVE-2016-4279
https://access.redhat.com/security/cve/CVE-2016-4280
https://access.redhat.com/security/cve/CVE-2016-4281
https://access.redhat.com/security/cve/CVE-2016-4282
https://access.redhat.com/security/cve/CVE-2016-4283
https://access.redhat.com/security/cve/CVE-2016-4284
https://access.redhat.com/security/cve/CVE-2016-4285
https://access.redhat.com/security/cve/CVE-2016-4287
https://access.redhat.com/security/cve/CVE-2016-6921
https://access.redhat.com/security/cve/CVE-2016-6922
https://access.redhat.com/security/cve/CVE-2016-6923
https://access.redhat.com/security/cve/CVE-2016-6924
https://access.redhat.com/security/cve/CVE-2016-6925
https://access.redhat.com/security/cve/CVE-2016-6926
https://access.redhat.com/security/cve/CVE-2016-6927
https://access.redhat.com/security/cve/CVE-2016-6929
https://access.redhat.com/security/cve/CVE-2016-6930
https://access.redhat.com/security/cve/CVE-2016-6931
https://access.redhat.com/security/cve/CVE-2016-6932
Participants (1): Levente Polyak