| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Nov 2011 11:01:43 +0100
From: Alex Legler <a3li@...too.org>
To: gentoo-announce@...ts.gentoo.org
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
security-alerts@...uxsecurity.com
Subject: [ GLSA 201111-01 ] Chromium, V8: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Chromium, V8: Multiple vulnerabilities
Date: November 01, 2011
Bugs: #351525, #353626, #354121, #356933, #357963, #358581,
#360399, #363629, #365125, #366335, #367013, #368649,
#370481, #373451, #373469, #377475, #377629, #380311,
#380897, #381713, #383251, #385649, #388461
ID: 201111-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code and local root privilege
escalation.
Background
==========
Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 15.0.874.102 >= 15.0.874.102
2 dev-lang/v8 < 3.5.10.22 >= 3.5.10.22
-------------------------------------------------------------------
2 affected packages
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.
Impact
======
A local attacker could gain root privileges (CVE-2011-1444, fixed in
chromium-11.0.696.57).
A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition. The attacker also could
obtain cookies and other sensitive information, conduct
man-in-the-middle attacks, perform address bar spoofing, bypass the
same origin policy, perform Cross-Site Scripting attacks, or bypass
pop-up blocks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-15.0.874.102"
All V8 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/v8-3.5.10.22"
References
==========
[ 1 ] CVE-2011-2345
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2345
[ 2 ] CVE-2011-2346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2346
[ 3 ] CVE-2011-2347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2347
[ 4 ] CVE-2011-2348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2348
[ 5 ] CVE-2011-2349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2349
[ 6 ] CVE-2011-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2350
[ 7 ] CVE-2011-2351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2351
[ 8 ] CVE-2011-2834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834
[ 9 ] CVE-2011-2835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2835
[ 10 ] CVE-2011-2837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2837
[ 11 ] CVE-2011-2838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2838
[ 12 ] CVE-2011-2839
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2839
[ 13 ] CVE-2011-2840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2840
[ 14 ] CVE-2011-2841
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2841
[ 15 ] CVE-2011-2843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2843
[ 16 ] CVE-2011-2844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2844
[ 17 ] CVE-2011-2845
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2845
[ 18 ] CVE-2011-2846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2846
[ 19 ] CVE-2011-2847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2847
[ 20 ] CVE-2011-2848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2848
[ 21 ] CVE-2011-2849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2849
[ 22 ] CVE-2011-2850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2850
[ 23 ] CVE-2011-2851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2851
[ 24 ] CVE-2011-2852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2852
[ 25 ] CVE-2011-2853
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2853
[ 26 ] CVE-2011-2854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2854
[ 27 ] CVE-2011-2855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2855
[ 28 ] CVE-2011-2856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2856
[ 29 ] CVE-2011-2857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2857
[ 30 ] CVE-2011-2858
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2858
[ 31 ] CVE-2011-2859
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2859
[ 32 ] CVE-2011-2860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2860
[ 33 ] CVE-2011-2861
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2861
[ 34 ] CVE-2011-2862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2862
[ 35 ] CVE-2011-2864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2864
[ 36 ] CVE-2011-2874
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2874
[ 37 ] CVE-2011-3234
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3234
[ 38 ] CVE-2011-3873
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3873
[ 39 ] CVE-2011-3875
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3875
[ 40 ] CVE-2011-3876
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3876
[ 41 ] CVE-2011-3877
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3877
[ 42 ] CVE-2011-3878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3878
[ 43 ] CVE-2011-3879
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3879
[ 44 ] CVE-2011-3880
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3880
[ 45 ] CVE-2011-3881
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3881
[ 46 ] CVE-2011-3882
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3882
[ 47 ] CVE-2011-3883
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3883
[ 48 ] CVE-2011-3884
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3884
[ 49 ] CVE-2011-3885
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3885
[ 50 ] CVE-2011-3886
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3886
[ 51 ] CVE-2011-3887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3887
[ 52 ] CVE-2011-3888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3888
[ 53 ] CVE-2011-3889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3889
[ 54 ] CVE-2011-3890
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3890
[ 55 ] CVE-2011-3891
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3891
[ 56 ] Release Notes 10.0.648.127
http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
[ 57 ] Release Notes 10.0.648.133
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html
[ 58 ] Release Notes 10.0.648.205
http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
[ 59 ] Release Notes 11.0.696.57
http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html
[ 60 ] Release Notes 11.0.696.65
http://googlechromereleases.blogspot.com/2011/05/beta-and-stable-channel-update.html
[ 61 ] Release Notes 11.0.696.68
http://googlechromereleases.blogspot.com/2011/05/stable-channel-update.html
[ 62 ] Release Notes 11.0.696.71
http://googlechromereleases.blogspot.com/2011/05/stable-channel-update_24.html
[ 63 ] Release Notes 12.0.742.112
http://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
[ 64 ] Release Notes 12.0.742.91
http://googlechromereleases.blogspot.com/2011/06/chrome-stable-release.html
[ 65 ] Release Notes 13.0.782.107
http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html
[ 66 ] Release Notes 13.0.782.215
http://googlechromereleases.blogspot.com/2011/08/stable-channel-update_22.html
[ 67 ] Release Notes 13.0.782.220
http://googlechromereleases.blogspot.com/2011/09/stable-channel-update.html
[ 68 ] Release Notes 14.0.835.163
http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html
[ 69 ] Release Notes 14.0.835.202
http://googlechromereleases.blogspot.com/2011/10/stable-channel-update.html
[ 70 ] Release Notes 15.0.874.102
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
[ 71 ] Release Notes 8.0.552.237
http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html
[ 72 ] Release Notes 9.0.597.107
http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html
[ 73 ] Release Notes 9.0.597.84
http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
[ 74 ] Release Notes 9.0.597.94
http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@...too.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists