Date: Thu, 17 Nov 2011 11:56:32 +0100
From: Matthias Weckbecker <mweckbecker@suse.de>
To: opensuse-security-announce@opensuse.org
Subject: [security-announce] SUSE Security Announcement: flash-player security update (SUSE-SA:2011:043)


______________________________________________________________________________

                        SUSE Security Announcement

        Package:                flash-player
        Announcement ID:        SUSE-SA:2011:043
        Date:                   Tue, 15 Nov 2011 11:00:00 +0000
        Affected Products:      openSUSE 11.3
                                openSUSE 11.4
                                SUSE Linux Enterprise Desktop 11 SP1
                                SUSE Linux Enterprise Desktop 10 SP4
        Vulnerability Type:     remote code execution
        CVSS v2 Base Score:     6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
        SUSE Default Package:   yes
        Cross-References:       CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452,
                                CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456,
                                CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             flash-player update fixes potential code execution
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            none
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   flash-player was updated to version 11.1.102.55 to fix multiple security vulnerabilities
   that could be exploited by attackers to execute arbitrary code or to cause a denial of
   service via specially crafted flash content.

2) Solution or Work-Around

   There is no known workaround. Please install the update packages.

3) Special Instructions and Notes

   Please update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   "Online Update" module or the "zypper" command-line tool. The package and
   patch management stack will detect which updates are required and
   automatically perform the necessary steps to verify and install them.

   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.


   x86 Platform:

   openSUSE 11.4:
   http://download.opensuse.org/update/11.4/rpm/i586/flash-player-11.1.102.55-0.4.1.i586.rpm

   openSUSE 11.3:
   http://download.opensuse.org/update/11.3/rpm/i586/flash-player-10.3.183.10-0.2.1.i586.rpm

   x86-64 Platform:

   openSUSE 11.4:
   http://download.opensuse.org/update/11.4/rpm/x86_64/flash-player-11.1.102.55-0.4.1.x86_64.rpm

   Sources:

   openSUSE 11.4:
   http://download.opensuse.org/update/11.4/rpm/src/flash-player-11.1.102.55-0.4.1.nosrc.rpm

   openSUSE 11.3:
   http://download.opensuse.org/update/11.3/rpm/src/flash-player-10.3.183.10-0.2.1.nosrc.rpm

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE Linux Enterprise Desktop 10 SP4
     http://download.novell.com/patch/finder/?keywords=b3a0a701db9d82c8a67829192d261f23

   SUSE Linux Enterprise Desktop 11 SP1
     http://download.novell.com/patch/finder/?keywords=7672429bea5968bf9bb609fe9aee6ff2

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   none
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement are
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@suse.de>"

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package need to be verified to ensure that it has not been tampered
    with.

    The internal rpm package signatures provide an easy way to verify the
    authenticity of an RPM package. Use the command

      rpm -v --checksig <file.rpm>

    to verify the signature of the package, replacing <file.rpm> with the
    filename of the RPM package downloaded. The package is unmodified if it
    contains a valid signature from build@suse.de with the key ID 9C800ACA.

    This key is automatically imported into the RPM database (on
    RPMv4-based distributions) and the gpg key ring of 'root' during
    installation. You can also find it on the first installation CD and at
    the end of this announcement.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                <opensuse-security+subscribe@opensuse.org>.

    opensuse-security-announce@opensuse.org
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                <opensuse-security-announce+subscribe@opensuse.org>.

    =====================================================================
    SUSE's security contact is <security@suse.com> or <security@suse.de>.
    The <security@suse.de> public key is listed below.
    =====================================================================
______________________________________________________________________________
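
The package check from Section 6, as an added example that is not part of the original advisory or SUSE's tooling: it gates `rpm -Fhv` on `rpm -v --checksig` reporting a good signature from key ID 9C800ACA, and rejects packages that only pass their digests. The function names are hypothetical, the sample outputs are constructed, and the patterns assume English rpm messages whose wording may differ between rpm versions.

```sh
#!/bin/sh
# Added example, not SUSE code. Key ID of the package signing key per the advisory.
EXPECTED_KEYID="9c800aca"

# checksig_trusted KEYID  (hypothetical helper)
# Reads `rpm -v --checksig` output on stdin. Succeeds only if a signature line
# reports OK for KEYID and no line reports BAD, NOKEY, NOTTRUSTED or NOT OK.
checksig_trusted() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '
        /^[^ ]/ { next }   # unindented line is the file name: never parse it
        { line = tolower($0) }
        line ~ /: *(bad|nokey|nottrusted|not ok)/ { failed = 1 }
        line ~ /signature.*: *ok/ && index(line, "key id " want) { signed = 1 }
        END { exit !(signed && !failed) }
    '
}

# verify_and_install FILE  (hypothetical helper): install only after the check.
verify_and_install() {
    # LC_ALL=C keeps rpm messages in English so the patterns above apply.
    if LC_ALL=C rpm -v --checksig "$1" 2>&1 | checksig_trusted "$EXPECTED_KEYID"
    then
        rpm -Fhv "$1"
    else
        echo "refusing $1: no valid signature from key $EXPECTED_KEYID" >&2
        return 1
    fi
}

# Constructed sample outputs in the style of rpm 4.x verbose checksig.
SAMPLE_SIGNED='flash-player-11.1.102.55-0.4.1.x86_64.rpm:
    Header V3 DSA signature: OK, key ID 9c800aca
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID 9c800aca'
SAMPLE_DIGEST_ONLY='flash-player-11.1.102.55-0.4.1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_NOKEY='flash-player-11.1.102.55-0.4.1.x86_64.rpm:
    Header V3 DSA signature: NOKEY, key ID 9c800aca
    MD5 digest: OK'
```

The 8-digit key IDs quoted in this advisory are short IDs, which are not collision-resistant; where the full fingerprint is available from the installation media, compare that as well.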

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
