Critical: flash-plugin security update
| Advisory: | RHSA-2007:1126-8 |
|---|---|
| Type: | Security Advisory |
| Severity: | Critical |
| Issued on: | 2007-12-18 |
| Last updated on: | 2007-12-18 |
| Affected Products: | RHEL Desktop Supplementary (v. 5 client) RHEL Supplementary (v. 5 server) RHEL Supplementary EUS (v. 5.1.z server) Red Hat Enterprise Linux Extras (v. 3) Red Hat Enterprise Linux Extras (v. 4) Red Hat Enterprise Linux Extras (v. 4.5.z) Red Hat Enterprise Linux Extras (v. 4.6.z) |
| CVEs (cve.mitre.org): |
CVE-2007-4324 CVE-2007-4768 CVE-2007-5275 CVE-2007-6242 CVE-2007-6243 CVE-2007-6244 CVE-2007-6245 CVE-2007-6246 |
Details
An updated Adobe Flash Player package that fixes a security issue is now
available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5
Supplementary.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.
The flash-plugin package contains a Firefox-compatible Adobe Flash Player
Web browser plug-in.
Several input validation flaws were found in the way Flash Player displays
certain content. It may be possible to execute arbitrary code on a victim's
machine, if the victim opens a malicious Adobe Flash file.
(CVE-2007-4768, CVE-2007-6242, CVE-2007-6246)
A flaw was found in the way Flash Player handled the asfunction: protocol.
Malformed SWF files could perform a cross-site scripting attack.
(CVE-2007-6244)
A flaw was found in the way Flash Player modified HTTP request headers.
Malicious content could allow Flash Player to conduct a HTTP response
splitting attack. (CVE-2007-6245)
A flaw was found in the way Flash Player processes certain SWF content. A
malicious SWF file could allow a remote attacker to conduct a port scanning
attack from the client's machine. (CVE-2007-4324)
A flaw was found in the way Flash Player establishes TCP sessions. A remote
attacker could use Flash Player to conduct a DNS rebinding attack.
(CVE-2007-5275)
Users of Adobe Flash Player are advised to upgrade to this updated package,
which contains version 9.0.115.0 and resolves these issues.
Solution
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
Updated packages
| RHEL Desktop Supplementary (v. 5 client) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2013:0941 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| x86_64: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2013:0941 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| RHEL Supplementary (v. 5 server) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2013:0941 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| x86_64: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2013:0941 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| RHEL Supplementary EUS (v. 5.1.z server) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2008:0221 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| x86_64: | |
| flash-plugin-9.0.115.0-1.el5.i386.rpm File outdated by: RHSA-2008:0221 |
MD5: 3263ab995eabfca2783ec2013e9ff901 |
| Red Hat Enterprise Linux Extras (v. 3) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el3.with.oss.i386.rpm File outdated by: RHSA-2010:0706 |
MD5: 909f18bf7e3ba2bd77c486471ed0a649 |
| Red Hat Enterprise Linux Extras (v. 4) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el4.i386.rpm File outdated by: RHSA-2011:0368 |
MD5: f0824c43f26d5b33731a54734d1334f7 |
| Red Hat Enterprise Linux Extras (v. 4.5.z) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el4.i386.rpm | MD5: f0824c43f26d5b33731a54734d1334f7 |
| Red Hat Enterprise Linux Extras (v. 4.6.z) | |
| IA-32: | |
| flash-plugin-9.0.115.0-1.el4.i386.rpm File outdated by: RHSA-2008:0221 |
MD5: f0824c43f26d5b33731a54734d1334f7 |
| (The unlinked packages above are only available from the Red Hat Network) | |
Bugs fixed (see bugzilla for more information)
252292 - CVE-2007-4324 Flash movie can determine whether a TCP port is open
367501 - CVE-2007-5275 Flash plugin DNS rebinding
392911 - CVE-2007-4768: pcre before 7.3 incorrect unicode in char class optimization
412161 - CVE-2007-6242
414501 - CVE-2007-6244
414511 - CVE-2007-6245
414521 - CVE-2007-6246
References
https://www.redhat.com/security/data/cve/CVE-2007-4768.html
https://www.redhat.com/security/data/cve/CVE-2007-5275.html
https://www.redhat.com/security/data/cve/CVE-2007-6242.html
https://www.redhat.com/security/data/cve/CVE-2007-6243.html
https://www.redhat.com/security/data/cve/CVE-2007-6244.html
https://www.redhat.com/security/data/cve/CVE-2007-6245.html
https://www.redhat.com/security/data/cve/CVE-2007-6246.html
http://www.adobe.com/support/security/bulletins/apsb07-20.html
http://www.redhat.com/security/updates/classification/#critical
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/
