Security update for flash-player SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:3160-1 Final 1 1 2016-12-15T08:22:32Z current 2016-12-15T08:22:32Z 2016-12-15T08:22:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flash-player This update for flash-player fixes the following issues: - Security update to 24.0.0.186 (bsc#1015379) APSB16-39: * These updates resolve use-after-free vulnerabilities that could have lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892). * These updates resolve buffer overflow vulnerabilities that could have lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870). * These updates resolve memory corruption vulnerabilities that could have lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876). * These updates resolve a security bypass vulnerability (CVE-2016-7890). - Update EULA to version 24.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html E-Mail link for openSUSE-SU-2016:3160-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 NonFree flash-player-24.0.0.186-2.121.1 flash-player-gnome-24.0.0.186-2.121.1 flash-player-kde4-24.0.0.186-2.121.1 flash-player-24.0.0.186-2.121.1 as a component of openSUSE 13.2 NonFree flash-player-gnome-24.0.0.186-2.121.1 as a component of openSUSE 13.2 NonFree flash-player-kde4-24.0.0.186-2.121.1 as a component of openSUSE 13.2 NonFree Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to bookmarking in searches. Successful exploitation could lead to arbitrary code execution. CVE-2016-7867 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7867.html CVE-2016-7867 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to alternation functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7868 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7868.html CVE-2016-7868 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to backtrack search functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7869 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7869.html CVE-2016-7869 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class for specific search strategies. Successful exploitation could lead to arbitrary code execution. CVE-2016-7870 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7870.html CVE-2016-7870 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Worker class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7871 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7871.html CVE-2016-7871 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class related to objects at multiple presentation levels. Successful exploitation could lead to arbitrary code execution. CVE-2016-7872 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7872.html CVE-2016-7872 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the PSDK class related to ad policy functionality method. Successful exploitation could lead to arbitrary code execution. CVE-2016-7873 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7873.html CVE-2016-7873 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the NetConnection class when handling the proxy types. Successful exploitation could lead to arbitrary code execution. CVE-2016-7874 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7874.html CVE-2016-7874 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable integer overflow vulnerability in the BitmapData class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7875 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7875.html CVE-2016-7875 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Clipboard class related to data handling functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7876 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7876.html CVE-2016-7876 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the Action Message Format serialization (AFM0). Successful exploitation could lead to arbitrary code execution. CVE-2016-7877 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7877.html CVE-2016-7877 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the PSDK's MediaPlayer class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7878 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7878.html CVE-2016-7878 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the NetConnection class when handling an attached script object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7879 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7879.html CVE-2016-7879 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability when setting the length property of an array object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7880 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7880.html CVE-2016-7880 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class when handling conversion to an object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7881 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7881.html CVE-2016-7881 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have security bypass vulnerability in the implementation of the same origin policy. CVE-2016-7890 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7890.html CVE-2016-7890 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7892 openSUSE 13.2 NonFree:flash-player-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-gnome-24.0.0.186-2.121.1 openSUSE 13.2 NonFree:flash-player-kde4-24.0.0.186-2.121.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html https://www.suse.com/security/cve/CVE-2016-7892.html CVE-2016-7892 https://bugzilla.suse.com/1015379 SUSE Bug 1015379