=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN447
_____________________________________________________________________

DATE                      : 10/11/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Media Server.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb10-27.html
______________________________________________________________________

Security update available for Adobe Flash Media Server

Release date: November 9, 2010

Vulnerability identifier: APSB10-27

CVE number: CVE-2010-3633, CVE-2010-3634, CVE-2010-3635

Platform: Windows, Linux

Summary

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS)
4.0 and earlier versions, Adobe Flash Media Server (FMS) 3.5.3 and earlier
versions, and Adobe Flash Media Server (FMS) 3.0.6 and earlier versions for
Windows and Linux. One of the vulnerabilities could allow an attacker, who
successfully exploits the vulnerability, to run malicious code on the affected
system. Adobe has provided an update to address the reported vulnerabilities
and recommends that users update their installations to Flash Media Server
4.0.1, 3.5.5 or 3.0.7 respectively using the instructions provided below.

Affected software versions

    * Flash Media Server 4.0 and earlier versions for Windows and Linux
    * Flash Media Server 3.5.4 and earlier versions for Windows and Linux
    * Flash Media Server 3.0.6 and earlier versions for Windows and Linux

Solution

Adobe recommends Flash Media Server (FMS) users install Flash Media Server
version 4.0.1, Flash Media Server version 3.5.5 or Flash Media Server version
3.0.7 available here: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the
latest update for their product installations..

Details

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS)
4.0 and earlier versions, Adobe Flash Media Server (FMS) 3.5.4 and earlier
versions, and Adobe Flash Media Server (FMS) 3.0.5 and earlier versions for
Windows and Linux. One of the vulnerabilities could allow an attacker, who
successfully exploits the vulnerability, to run malicious code on the affected
system. Adobe has provided an update to address the reported vulnerabilities.
It is recommended that users update their installations using the instructions
provided above.

This update resolves a memory leak issue that could lead to a denial of service
vulnerability (CVE-2010-3633).

This update resolves a Flash Media Server edge process issue which can lead to
a denial of service vulnerability (CVE-2010-3634).

This update resolves a segmentation fault vulnerability that could lead to code
execution (CVE-2010-3635).

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

    * Yoshitaka Inoue of NTT Smart Connect (CVE-2010-3633)
    * Amazon Web Services (CVE-2010-3635)

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================