Security update for flash-player SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0703-1 Final 1 1 2017-03-15T14:21:27Z current 2017-03-15T14:21:27Z 2017-03-15T14:21:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flash-player This update for flash-player fixes the following issues: Security update to 25.0.0.127 (bsc#1029374), fixing the following vulnerabilities advised under APSB17-07: - CVE-2017-2997: This update resolves a buffer overflow vulnerability that could lead to code execution. - CVE-2017-2998, CVE-2017-2999: This update resolves memory corruption vulnerabilities that could lead to code execution. - CVE-2017-3000: This update resolves a random number generator vulnerability used for constant blinding that could lead to information disclosure. - CVE-2017-3001, CVE-2017-3002, CVE-2017-3003: This update resolves use-after-free vulnerabilities that could lead to code execution. - Details: https://helpx.adobe.com/security/products/flash-player/apsb17-07.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2017-385,SUSE-SLE-WE-12-SP1-2017-385 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ Link for SUSE-SU-2017:0703-1 https://lists.suse.com/pipermail/sle-security-updates/2017-March/002698.html E-Mail link for SUSE-SU-2017:0703-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1029374 SUSE Bug 1029374 https://www.suse.com/security/cve/CVE-2017-2997/ SUSE CVE CVE-2017-2997 page https://www.suse.com/security/cve/CVE-2017-2998/ SUSE CVE CVE-2017-2998 page https://www.suse.com/security/cve/CVE-2017-2999/ SUSE CVE CVE-2017-2999 page https://www.suse.com/security/cve/CVE-2017-3000/ SUSE CVE CVE-2017-3000 page https://www.suse.com/security/cve/CVE-2017-3001/ SUSE CVE CVE-2017-3001 page https://www.suse.com/security/cve/CVE-2017-3002/ SUSE CVE CVE-2017-3002 page https://www.suse.com/security/cve/CVE-2017-3003/ SUSE CVE CVE-2017-3003 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-25.0.0.127-162.1 flash-player-gnome-25.0.0.127-162.1 flash-player-25.0.0.127-162.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-gnome-25.0.0.127-162.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-25.0.0.127-162.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-gnome-25.0.0.127-162.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable buffer overflow / underflow vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution. CVE-2017-2997 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-2997.html CVE-2017-2997 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK API functionality related to timeline interactions. Successful exploitation could lead to arbitrary code execution. CVE-2017-2998 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-2998.html CVE-2017-2998 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK functionality related to hosting playback surface. Successful exploitation could lead to arbitrary code execution. CVE-2017-2999 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-2999.html CVE-2017-2999 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerability in the random number generator used for constant blinding. Successful exploitation could lead to information disclosure. CVE-2017-3000 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-3000.html CVE-2017-3000 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to garbage collection in the ActionScript 2 VM. Successful exploitation could lead to arbitrary code execution. CVE-2017-3001 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-3001.html CVE-2017-3001 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution. CVE-2017-3002 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-3002.html CVE-2017-3002 https://bugzilla.suse.com/1029374 SUSE Bug 1029374 Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to an interaction between the privacy user interface and the ActionScript 2 Camera object. Successful exploitation could lead to arbitrary code execution. CVE-2017-3003 SUSE Linux Enterprise Desktop 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-25.0.0.127-162.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-25.0.0.127-162.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170703-1/ https://www.suse.com/security/cve/CVE-2017-3003.html CVE-2017-3003 https://bugzilla.suse.com/1029374 SUSE Bug 1029374