-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1530
                     chromium-browser security update
                              28 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2928 CVE-2013-2927 CVE-2013-2926
                   CVE-2013-2925 CVE-2013-2924 CVE-2013-2923
                   CVE-2013-2922 CVE-2013-2921 CVE-2013-2920
                   CVE-2013-2919 CVE-2013-2918 CVE-2013-2917
                   CVE-2013-2916 CVE-2013-2915 CVE-2013-2913
                   CVE-2013-2912 CVE-2013-2911 CVE-2013-2910
                   CVE-2013-2909 CVE-2013-2908 CVE-2013-2907
                   CVE-2013-2906  

Reference:         ASB-2013.0114
                   ASB-2013.0110

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2785

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2785-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
October 26, 2013                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2906 CVE-2013-2907 CVE-2013-2908 CVE-2013-2909 
                 CVE-2013-2910 CVE-2013-2911 CVE-2013-2912 CVE-2013-2913
                 CVE-2013-2915 CVE-2013-2916 CVE-2013-2917 CVE-2013-2918
                 CVE-2013-2919 CVE-2013-2920 CVE-2013-2921 CVE-2013-2922
                 CVE-2013-2923 CVE-2013-2924 CVE-2013-2925 CVE-2013-2926
                 CVE-2013-2927 CVE-2013-2928

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-2906

    Atte Kettunen of OUSPG discovered race conditions in Web Audio.

CVE-2013-2907

    Boris Zbarsky discovered an out-of-bounds read in window.prototype.

CVE-2013-2908

    Chamal de Silva discovered an address bar spoofing issue.

CVE-2013-2909

    Atte Kettunen of OUSPG discovered a use-after-free issue in
    inline-block.

CVE-2013-2910

    Byoungyoung Lee of the Georgia Tech Information Security Center
    discovered a use-after-free issue in Web Audio.

CVE-2013-2911

    Atte Kettunen of OUSPG discovered a use-after-free in Blink's XSLT
    handling.

CVE-2013-2912

    Chamal de Silva and 41.w4r10r(at)garage4hackers.com discovered a
    use-after-free issue in the Pepper Plug-in API.

CVE-2013-2913

    cloudfuzzer discovered a use-after-free issue in Blink's XML
    document parsing.

CVE-2013-2915

    Wander Groeneveld discovered an address bar spoofing issue.

CVE-2013-2916

    Masato Kinugawa discovered an address bar spoofing issue.

CVE-2013-2917

    Byoungyoung Lee and Tielei Wang discovered an out-of-bounds read
    issue in Web Audio.

CVE-2013-2918

    Byoungyoung Lee discovered an out-of-bounds read in Blink's DOM
    implementation.

CVE-2013-2919

    Adam Haile of Concrete Data discovered a memory corruption issue
    in the V8 JavaScript library.

CVE-2013-2920

    Atte Kettunen of OUSPG discovered an out-of-bounds read in URL
    host resolving.

CVE-2013-2921

    Byoungyoung Lee and Tielei Wang discovered a use-after-free issue
    in resource loading.

CVE-2013-2922

    Jon Butler discovered a use-after-free issue in Blink's HTML
    template element implementation.

CVE-2013-2924

    A use-after-free issue was discovered in the International
    Components for Unicode (ICU) library. 

CVE-2013-2925

    Atte Kettunen of OUSPG discovered a use-after-free issue in Blink's
    XML HTTP request implementation.

CVE-2013-2926

    cloudfuzzer discovered a use-after-free issue in the list indenting
    implementation.

CVE-2013-2927

    cloudfuzzer discovered a use-after-free issue in the HTML form
    submission implementation. 

CVE-2013-2923 and CVE-2013-2928

    The Chrome 30 development team found various issues from internal
    fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in
version 30.0.1599.101-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 30.0.1599.101-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----