Security update for flash-player SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0108-1 Final 1 1 2017-01-11T16:33:32Z current 2017-01-11T16:33:32Z 2017-01-11T16:33:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flash-player This update to Adobe Flash 24.0.0.194 fixes the following vulnerabilities advised under APSB17-02: - security bypass vulnerability that could lead to information disclosure (CVE-2017-2938) - use-after-free vulnerabilities that could lead to code execution (CVE-2017-2932, CVE-2017-2936, CVE-2017-2937) - heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935) - memory corruption vulnerabilities that could lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2017-51,SUSE-SLE-WE-12-SP1-2017-51 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ Link for SUSE-SU-2017:0108-1 https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00013.html E-Mail link for SUSE-SU-2017:0108-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1019129 SUSE Bug 1019129 https://www.suse.com/security/cve/CVE-2017-2925/ SUSE CVE CVE-2017-2925 page https://www.suse.com/security/cve/CVE-2017-2926/ SUSE CVE CVE-2017-2926 page https://www.suse.com/security/cve/CVE-2017-2927/ SUSE CVE CVE-2017-2927 page https://www.suse.com/security/cve/CVE-2017-2928/ SUSE CVE CVE-2017-2928 page https://www.suse.com/security/cve/CVE-2017-2930/ SUSE CVE CVE-2017-2930 page https://www.suse.com/security/cve/CVE-2017-2931/ SUSE CVE CVE-2017-2931 page https://www.suse.com/security/cve/CVE-2017-2932/ SUSE CVE CVE-2017-2932 page https://www.suse.com/security/cve/CVE-2017-2933/ SUSE CVE CVE-2017-2933 page https://www.suse.com/security/cve/CVE-2017-2934/ SUSE CVE CVE-2017-2934 page https://www.suse.com/security/cve/CVE-2017-2935/ SUSE CVE CVE-2017-2935 page https://www.suse.com/security/cve/CVE-2017-2936/ SUSE CVE CVE-2017-2936 page https://www.suse.com/security/cve/CVE-2017-2937/ SUSE CVE CVE-2017-2937 page https://www.suse.com/security/cve/CVE-2017-2938/ SUSE CVE CVE-2017-2938 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-24.0.0.194-155.1 flash-player-gnome-24.0.0.194-155.1 flash-player-24.0.0.194-155.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-gnome-24.0.0.194-155.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-24.0.0.194-155.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-gnome-24.0.0.194-155.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability in the JPEG XR codec. Successful exploitation could lead to arbitrary code execution. CVE-2017-2925 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2925.html CVE-2017-2925 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to processing of atoms in MP4 files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2926 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2926.html CVE-2017-2926 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing Adobe Texture Format files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2927 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2927.html CVE-2017-2927 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to setting visual mode effects. Successful exploitation could lead to arbitrary code execution. CVE-2017-2928 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2928.html CVE-2017-2928 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability due to a concurrency error when manipulating a display list. Successful exploitation could lead to arbitrary code execution. CVE-2017-2930 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2930.html CVE-2017-2930 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to the parsing of SWF metadata. Successful exploitation could lead to arbitrary code execution. CVE-2017-2931 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2931.html CVE-2017-2931 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript MovieClip class. Successful exploitation could lead to arbitrary code execution. CVE-2017-2932 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2932.html CVE-2017-2932 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability related to texture compression. Successful exploitation could lead to arbitrary code execution. CVE-2017-2933 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2933.html CVE-2017-2933 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when parsing Adobe Texture Format files. Successful exploitation could lead to arbitrary code execution. CVE-2017-2934 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2934.html CVE-2017-2934 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing the Flash Video container file format. Successful exploitation could lead to arbitrary code execution. CVE-2017-2935 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2935.html CVE-2017-2935 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class. Successful exploitation could lead to arbitrary code execution. CVE-2017-2936 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2936.html CVE-2017-2936 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class, when using class inheritance. Successful exploitation could lead to arbitrary code execution. CVE-2017-2937 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2937.html CVE-2017-2937 https://bugzilla.suse.com/1019129 SUSE Bug 1019129 Adobe Flash Player versions 24.0.0.186 and earlier have a security bypass vulnerability related to handling TCP connections. CVE-2017-2938 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.194-155.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.194-155.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170108-1/ https://www.suse.com/security/cve/CVE-2017-2938.html CVE-2017-2938 https://bugzilla.suse.com/1019129 SUSE Bug 1019129