lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANTw=MPJai2Nhr2ZgLa-eEec60qty01Ct1fsSf2_vjKGqDmH4A@mail.gmail.com>
Date: Fri, 27 Jul 2018 01:15:51 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 4256-1] chromium-browser security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4256-1                   security@...ian.org
https://www.debian.org/security/                          Michael Gilbert
July 26, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151
                 CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155
                 CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159
                 CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164
                 CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168
                 CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172
                 CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176
                 CVE-2018-6177 CVE-2018-6178 CVE-2018-6179

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-4117

    AhsanEjaz discovered an information leak.

CVE-2018-6044

    Rob Wu discovered a way to escalate privileges using extensions.

CVE-2018-6150

    Rob Wu discovered an information disclosure issue (this problem was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6151

    Rob Wu discovered an issue in the developer tools (this problem  was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6152

    Rob Wu discovered an issue in the developer tools (this problem  was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6153

    Zhen Zhou discovered a buffer overflow issue in the skia library.

CVE-2018-6154

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6155

    Natalie Silvanovich discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2018-6156

    Natalie Silvanovich discovered a buffer overflow issue in the WebRTC
    implementation.

CVE-2018-6157

    Natalie Silvanovich discovered a type confusion issue in the WebRTC
    implementation.

CVE-2018-6158

    Zhe Jin discovered a use-after-free issue.

CVE-2018-6159

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6161

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6162

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6163

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6164

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6165

    evil1m0 discovered a URL spoofing issue.

CVE-2018-6166

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6167

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6168

    Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross
    Origin Resource Sharing policy.

CVE-2018-6169

    Sam P discovered a way to bypass permissions when installing
    extensions.

CVE-2018-6170

    A type confusion issue was discovered in the pdfium library.

CVE-2018-6171

    A use-after-free issue was discovered in the WebBluetooth
    implementation.

CVE-2018-6172

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6173

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6174

    Mark Brand discovered an integer overflow issue in the swiftshader
    library.

CVE-2018-6175

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6176

    Jann Horn discovered a way to escalate privileges using extensions.

CVE-2018-6177

    Ron Masas discovered an information leak.

CVE-2018-6178

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6179

    It was discovered that information about files local to the system
    could be leaked to extensions.

This version also fixes a regression introduced in the previous security
update that could prevent decoding of particular audio/video codecs.

For the stable distribution (stretch), these problems have been fixed in
version 68.0.3440.75-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEEluhy7ASCBulP9FUWuNayzQLW9HMFAltaqvAACgkQuNayzQLW
9HN1Tx//TF/lR0JT7+g9ZV4C8b9QUjd8RziW1x3Dr1c6FdO01qRzRTmuolgGkd16
irPIel0bnvM7Q707UaX3YlfP9teWThneAXl69wPxg4l/cD6KQy6TYyxY3VzvUiYO
7q1cEixQDqnB2w7sdT2vpg0xc9a8NR5Bgraf+GPUm72R7HHlRHL9G0hVYozjERz/
s09oGrou9neITKMEu7KBPONpWXR8UTJuaCDRW39TeafRVJHDhXUg4wZQihStBMN3
vSNOIhS4TbpFCZqpJRijGh2W2wIz72zq9Fk+FgwDF9cm2Z6aeh/HwGUNFo9IGfc1
e6FnCDTVp3SxJmYdKZSmnqM87+uKBx135G7Y3nVFXZbsUlGuifa4YGNQkkSgr0Be
K2B2dkPDwrFJpJuO2E43q66su2/bAoD/pUC/51Rb+WQBMBfmjZ3vQN9cUybH6Ove
VLRRkv9ADFpHgZ2JcRdKcVFMQRoBZ9gPr7oWeC/f4CjYSJl0ZCrq+0zCO0LUl0/H
QE2Wf0kDDJggsftQfwLwi2LokXNB7VtO3y57RsGB5Mrx/vfy8lB/7p5WAW9c0OJq
C/XUmowWn7PP0s5RyWU0m0w5ioIgDVy+OH5pNsO68L1RZUwaFwRvmaiEbipBr00a
CO7XCQkokcaHm4iXx2aPIwj9ndbtYOu7ve/6BxZhbCgzeVlJiUCcLARHNpagyBOv
WQ43ymkLPYc/RurSQbrn/JVEoCXRpOvTUrPPt7S2shBJfsU9kN5k34s8oN7ytFll
cU6DwGY7n4EDd3sbB3oRwSdu8WGEKK6hDqTo9dPEy8x6owiyUqLFs1+aBjUeoQxQ
80PM0g2Qqdqk/aYgJU243UH3Wx63cCubowDkRnXxGlIxbTl1Wfi5GlmXIrKXQBl9
os4xcpEXTYkghQHzAwi6++cbVLTS4/MNV2S9SfriTEr39jPt0hscFhldg9cnJcGC
nHBt6QDrr/GzObSxhxOl82viimrmt6N8AZpfu6xGtf+XIwk/Kz8wI15MJN5TOnR7
l+2U0I3vzW4BBTR9qfFpaXr4WCelsVstJMmdMspTQLeea83rCdX2IzH7mIgg3pRl
6tWqesRJGUa/JgsTMMz26o9GM+hlpSsm1qsFuGLI3pOC+nBZYaFlQAORx+kgOdvf
hnXPVcYLQBNkFForr92CikMziCYlxPUiUSNDRNRAJ7ksDxsknkuaLx1tV/WY6tvv
ELlY4nH9DD7fqhtecCCvsor9A3F+pswb661m0uYyTlmOx4b2SJizybgud+SZ09O1
v5XJQX795NDf0Mvsn0hM/judmojCRfw8M6tkhUfIP6YIlKYJ7TWhRBBNudyMSbjZ
3/DBJTGBplvJm/5iIODSqHWu1ZQS7A==
=tUJt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ