Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0794
chromium-browser security update
11 June 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: chromium-browser
Publisher: Debian
Operating System: Debian GNU/Linux
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2865 CVE-2013-2863 CVE-2013-2862
CVE-2013-2861 CVE-2013-2860 CVE-2013-2859
CVE-2013-2858 CVE-2013-2857 CVE-2013-2856
CVE-2013-2855
Reference: ASB-2013.0071
Original Bulletin:
http://www.debian.org/security/2013/dsa-2706
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running chromium-browser check for an updated version of the
software for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2706-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
June 10, 2013 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : chromium-browser
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-2855 CVE-2013-2856 CVE-2013-2857 CVE-2013-2858
CVE-2013-2859 CVE-2013-2860 CVE-2013-2861 CVE-2013-2862
CVE-2013-2863 CVE-2013-2865
Several vulnerabilities have been discovered in the chromium web
browser.
CVE-2013-2855
The Developer Tools API in Chromium before 27.0.1453.110 allows
remote attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via unknown vectors.
CVE-2013-2856
Use-after-free vulnerability in Chromium before 27.0.1453.110
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
input.
CVE-2013-2857
Use-after-free vulnerability in Chromium before 27.0.1453.110
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
images.
CVE-2013-2858
Use-after-free vulnerability in the HTML5 Audio implementation in
Chromium before 27.0.1453.110 allows remote attackers to cause
a denial of service or possibly have unspecified other impact via
unknown vectors.
CVE-2013-2859
Chromium before 27.0.1453.110 allows remote attackers to bypass
the Same Origin Policy and trigger namespace pollution via
unspecified vectors.
CVE-2013-2860
Use-after-free vulnerability in Chromium before 27.0.1453.110
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors involving access to a
database API by a worker process.
CVE-2013-2861
Use-after-free vulnerability in the SVG implementation in Chromium
before 27.0.1453.110 allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
unknown vectors.
CVE-2013-2862
Skia, as used in Chromium before 27.0.1453.110, does not
properly handle GPU acceleration, which allows remote attackers to
cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors.
CVE-2013-2863
Chromium before 27.0.1453.110 does not properly handle SSL
sockets, which allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via unspecified
vectors.
CVE-2013-2865
Multiple unspecified vulnerabilities in Chromium before
27.0.1453.110 allow attackers to cause a denial of service or
possibly have other impact via unknown vectors.
For the stable distribution (wheezy), these problems have been fixed in
version 27.0.1453.110-1~deb7u1.
For the testing distribution (jessie), these problems have been fixed in
version 27.0.1453.110-1.
For the unstable distribution (sid), these problems have been fixed in
version 27.0.1453.110-1.
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlG2EQUACgkQNxpp46476aoVswCfTT3tgaA0Wpkmb/8x+jvc43GK
o3gAn3plraTpR6vKqtXrVTLN9m6irBL+
=PLYK
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUbZ57O4yVqjM2NGpAQLwcg/9GzvYSPtpOTcb81/Ic3567rdHo03EAnPA
I0BwZPjRp/Vr89rZ+vlNiaumMXwNOP8n7skvbD/q8NW5Bp6r3My+eZyQQlcIsHqw
lbT78P0jem0XAghQ+HIi/kZEcKPiutMB/jg2PqeUKCGwVM2vgL2X6AVVAFSYfPcV
p3RKGWFsHwdxqkou1vKJPbFo36xTVPnFDFJOgdJRvaeapLDcZMPx9trQA0+AzjYa
uhgBihntWFy843TjgVxoGr+4oZEslGdYxHTn4ri9gHNcc+06fm6OGL1rVVembAMj
Dy+E60D5wncFX0i5u9HlTXsOI6BenBfa+clveO3jKRmIZAdes571xsBgT5MCBaeq
K1pIPbh4Ieh2Q0wdYVpXUWmihJ+59GOg8ir4SKNSXP3WT6TqOpAAn97LTd7ynWzG
vGiVziNaA9/OhL6kMl3XXRIOKl68zUlJkbdZ87k0pOpdujOxYmB+n1ADkTdqW6K6
vp07RV8n3dZGo3fkbLFMnv9VRdvkV1cDDJqBe7vB+qPVTPNNIDTM7czjQPSv5noc
n9OeRxe3Em1c1QT+vCLHCdKP9R/qsmy2tp5Glp0IERp7FgM1ohLJ1rMws50TlDTN
KshWwUzEdoAIXtuVd9xHBi/EHgmsxQJ40m/l60+f7xJVno7tiVIat/F+Rx4Y22mT
i45h1csklc4=
=2GJA
-----END PGP SIGNATURE-----