-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0381
                     chromium-browser security update
                               24 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1715 CVE-2014-1713 CVE-2014-1705
                   CVE-2014-1704 CVE-2014-1703 CVE-2014-1702
                   CVE-2014-1701 CVE-2014-1700 CVE-2013-6668
                   CVE-2013-6667 CVE-2013-6666 CVE-2013-6665
                   CVE-2013-6664 CVE-2013-6663 CVE-2013-6661
                   CVE-2013-6660 CVE-2013-6659 CVE-2013-6658
                   CVE-2013-6657 CVE-2013-6656 CVE-2013-6655
                   CVE-2013-6654 CVE-2013-6653

Reference:         ASB-2014.0029
                   ASB-2014.0025
                   ASB-2014.0023
                   ASB-2014.0018

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2883

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2883-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
March 23, 2014                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2013-6653 CVE-2013-6654 CVE-2013-6655 CVE-2013-6656
                 CVE-2013-6657 CVE-2013-6658 CVE-2013-6659 CVE-2013-6660
                 CVE-2013-6661 CVE-2013-6663 CVE-2013-6664 CVE-2013-6665
                 CVE-2013-6666 CVE-2013-6667 CVE-2013-6668 CVE-2014-1700
                 CVE-2014-1701 CVE-2014-1702 CVE-2014-1703 CVE-2014-1704
                 CVE-2014-1705 CVE-2014-1713 CVE-2014-1715

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-6653

    Khalil Zhani discovered a use-after-free issue in chromium's web
    contents color chooser.

CVE-2013-6654

    TheShow3511 discovered an issue in SVG handling.

CVE-2013-6655

    cloudfuzzer discovered a use-after-free issue in DOM event handling.

CVE-2013-6656

    NeexEmil discovered an information leak in the XSS auditor.

CVE-2013-6657

    NeexEmil discovered a way to bypass the Same Origin policy in the
    XSS auditor.

CVE-2013-6658

    cloudfuzzer discovered multiple use-after-free issues surrounding
    the updateWidgetPositions function.

CVE-2013-6659

    Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that
    it was possible to trigger an unexpected certificate chain during
    TLS renegotiation.

CVE-2013-6660

    bishopjeffreys discovered an information leak in the drag and drop
    implementation.

CVE-2013-6661

    The Google Chrome team discovered and fixed multiple issues in
    version 33.0.1750.117.

CVE-2013-6663

    Atte Kettunen discovered a use-after-free issue in SVG handling.

CVE-2013-6664

    Khalil Zhani discovered a use-after-free issue in the speech
    recognition feature.

CVE-2013-6665

    cloudfuzzer discovered a buffer overflow issue in the software
    renderer.

CVE-2013-6666

    netfuzzer discovered a restriction bypass in the Pepper Flash
    plugin.

CVE-2013-6667

    The Google Chrome team discovered and fixed multiple issues in
    version 33.0.1750.146.

CVE-2013-6668

    Multiple vulnerabilities were fixed in version 3.24.35.10 of
    the V8 JavaScript library.

CVE-2014-1700

    Chamal de Silva discovered a use-after-free issue in speech
    synthesis.

CVE-2014-1701

    aidanhs discovered a cross-site scripting issue in event handling.

CVE-2014-1702

    Colin Payne discovered a use-after-free issue in the web database
    implementation.

CVE-2014-1703

    VUPEN discovered a use-after-free issue in web sockets that
    could lead to a sandbox escape.

CVE-2014-1704

    Multiple vulnerabilities were fixed in version 3.23.17.18 of
    the V8 JavaScript library.

CVE-2014-1705

    A memory corruption issue was discovered in the V8 JavaScript
    library.

CVE-2014-1713

    A use-after-free issue was discovered in the AttributeSetter
    function.

CVE-2014-1715

    A directory traversal issue was found and fixed.

For the stable distribution (wheezy), these problems have been fixed in
version 33.0.1750.152-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 33.0.1750.152-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=tb+u
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=G97t
-----END PGP SIGNATURE-----