Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.0192 Important: chromium-browser security update 28 January 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: chromium-browser Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2014-7948 CVE-2014-7947 CVE-2014-7946 CVE-2014-7945 CVE-2014-7944 CVE-2014-7943 CVE-2014-7942 CVE-2014-7941 CVE-2014-7940 CVE-2014-7939 CVE-2014-7938 CVE-2014-7937 CVE-2014-7936 CVE-2014-7935 CVE-2014-7934 CVE-2014-7933 CVE-2014-7932 CVE-2014-7931 CVE-2014-7930 CVE-2014-7929 CVE-2014-7928 CVE-2014-7927 CVE-2014-7926 CVE-2014-7925 CVE-2014-7924 CVE-2014-7923 Reference: ASB-2015.0011 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2015-0093.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: chromium-browser security update Advisory ID: RHSA-2015:0093-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0093.html Issue date: 2015-01-27 CVE Names: CVE-2014-7923 CVE-2014-7924 CVE-2014-7925 CVE-2014-7926 CVE-2014-7927 CVE-2014-7928 CVE-2014-7929 CVE-2014-7930 CVE-2014-7931 CVE-2014-7932 CVE-2014-7933 CVE-2014-7934 CVE-2014-7935 CVE-2014-7936 CVE-2014-7937 CVE-2014-7938 CVE-2014-7939 CVE-2014-7940 CVE-2014-7941 CVE-2014-7942 CVE-2014-7943 CVE-2014-7944 CVE-2014-7945 CVE-2014-7946 CVE-2014-7947 CVE-2014-7948 ===================================================================== 1. Summary: Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: Chromium is an open-source web browser, powered by WebKit (Blink). Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromium. (CVE-2014-7923, CVE-2014-7924, CVE-2014-7925, CVE-2014-7926, CVE-2014-7927, CVE-2014-7928, CVE-2014-7929, CVE-2014-7930, CVE-2014-7931, CVE-2014-7932, CVE-2014-7933, CVE-2014-7934, CVE-2014-7935, CVE-2014-7936, CVE-2014-7937, CVE-2014-7938, CVE-2014-7939, CVE-2014-7940, CVE-2014-7941, CVE-2014-7942, CVE-2014-7943, CVE-2014-7944, CVE-2014-7945, CVE-2014-7946, CVE-2014-7947, CVE-2014-7948) All Chromium users should upgrade to these updated packages, which contain Chromium version 40.0.2214.91, which corrects these issues. After installing the update, Chromium must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1185202 - CVE-2014-7923 ICU: regexp engine memory corruption 1185203 - CVE-2014-7924 chromium-browser: use-after-free in IndexedDB 1185204 - CVE-2014-7925 chromium-browser: use-after-free in WebAudio 1185205 - CVE-2014-7926 ICU: regexp engine memory corruption 1185206 - CVE-2014-7927 chromium-browser: memory corruption in V8 1185208 - CVE-2014-7928 chromium-browser: memory corruption in V8 1185209 - CVE-2014-7929 chromium-browser: use-after-free in DOM 1185210 - CVE-2014-7930 chromium-browser: use-after-free in DOM 1185211 - CVE-2014-7931 chromium-browser: memory corruption in V8 1185212 - CVE-2014-7932 chromium-browser: use-after-free in DOM 1185213 - CVE-2014-7933 chromium-browser: use-after-free in FFmpeg 1185214 - CVE-2014-7934 chromium-browser: use-after-free in DOM 1185215 - CVE-2014-7935 chromium-browser: use-after-free in Speech 1185216 - CVE-2014-7936 chromium-browser: use-after-free in Views 1185217 - CVE-2014-7937 chromium-browser: use-after-free in FFmpeg 1185218 - CVE-2014-7938 chromium-browser: memory corruption in Fonts 1185219 - CVE-2014-7939 chromium-browser: same-origin-bypass in V8 1185220 - CVE-2014-7940 ICU: uninitialized value use in the collation component 1185221 - CVE-2014-7941 chromium-browser: out-of-bounds read in UI 1185222 - CVE-2014-7942 chromium-browser: uninitialized-value in Fonts 1185223 - CVE-2014-7943 chromium-browser: out-of-bounds read in Skia 1185224 - CVE-2014-7944 chromium-browser: out-of-bounds read in PDFium 1185225 - CVE-2014-7945 chromium-browser: out-of-bounds read in PDFium 1185226 - CVE-2014-7946 chromium-browser: out-of-bounds read in Fonts 1185229 - CVE-2014-7947 chromium-browser: out-of-bounds read in PDFium 1185230 - CVE-2014-7948 chromium-browser: caching error in AppCache 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): Source: chromium-browser-40.0.2214.91-1.el6_6.src.rpm i386: chromium-browser-40.0.2214.91-1.el6_6.i686.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.i686.rpm x86_64: chromium-browser-40.0.2214.91-1.el6_6.x86_64.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): Source: chromium-browser-40.0.2214.91-1.el6_6.src.rpm i386: chromium-browser-40.0.2214.91-1.el6_6.i686.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.i686.rpm x86_64: chromium-browser-40.0.2214.91-1.el6_6.x86_64.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): Source: chromium-browser-40.0.2214.91-1.el6_6.src.rpm i386: chromium-browser-40.0.2214.91-1.el6_6.i686.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.i686.rpm x86_64: chromium-browser-40.0.2214.91-1.el6_6.x86_64.rpm chromium-browser-debuginfo-40.0.2214.91-1.el6_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-7923 https://access.redhat.com/security/cve/CVE-2014-7924 https://access.redhat.com/security/cve/CVE-2014-7925 https://access.redhat.com/security/cve/CVE-2014-7926 https://access.redhat.com/security/cve/CVE-2014-7927 https://access.redhat.com/security/cve/CVE-2014-7928 https://access.redhat.com/security/cve/CVE-2014-7929 https://access.redhat.com/security/cve/CVE-2014-7930 https://access.redhat.com/security/cve/CVE-2014-7931 https://access.redhat.com/security/cve/CVE-2014-7932 https://access.redhat.com/security/cve/CVE-2014-7933 https://access.redhat.com/security/cve/CVE-2014-7934 https://access.redhat.com/security/cve/CVE-2014-7935 https://access.redhat.com/security/cve/CVE-2014-7936 https://access.redhat.com/security/cve/CVE-2014-7937 https://access.redhat.com/security/cve/CVE-2014-7938 https://access.redhat.com/security/cve/CVE-2014-7939 https://access.redhat.com/security/cve/CVE-2014-7940 https://access.redhat.com/security/cve/CVE-2014-7941 https://access.redhat.com/security/cve/CVE-2014-7942 https://access.redhat.com/security/cve/CVE-2014-7943 https://access.redhat.com/security/cve/CVE-2014-7944 https://access.redhat.com/security/cve/CVE-2014-7945 https://access.redhat.com/security/cve/CVE-2014-7946 https://access.redhat.com/security/cve/CVE-2014-7947 https://access.redhat.com/security/cve/CVE-2014-7948 https://access.redhat.com/security/updates/classification/#important http://googlechromereleases.blogspot.com/2015/01/stable-update.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUx/dpXlSAg2UNWIIRAicvAJ48EWNhTADIJpssRxTnXXoorLHcPQCeOXCx tHGzcUTFc2XPKT1/opdUYIw= =QwdV - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVMhCaxLndAQH1ShLAQIKRw/+PrW52XcMycWGWIsbDL7U4+RTGiGbagWi +Cdu+PNNCwoxwPo4JlFD46wPskOev6TWY+Ysh/8+nRk7L3gXPYZWpcjOTIMs1tjP fBntgPPTsYcUW0eH7YqHA1Ke7zmgUC9L5NH4TZbpEL+oXRasQMn2tisVsZQFH+6j LvCOgC2CmYvaRdjCju0V/z4RxcRRPeo30BChn51rLpfdhdS/va4qz2TQ/beg6rL0 wZUqTc23ui91C6EXSu8hg0ShilupX8fGKo6Sg1/U5UvEa243YqOSPONxd2Q/yFGO 1XZVDyD/JpjsfYgQhuQ1+36Rs32dDdt1IwDP55iXDWaLteRjImFyfWgtN4esA7XC eWdJ8Rw2ZM1HpBLaLgXSFIm8DA4Gzy9Kko4670UJ81FcJVCetks0EsgNPi9TbTuA yjcd3kfA0QCj1f4VElZOpOO3k7pBt4I4rugj4sNvCIu2MRLTg7kjynecKdgu3WT5 7I6eR+OE/sb8MZTUZRmKfwMb11JUP0IH8DpKFtx46cM4ZCR+j5yb9JoNN8TL9PIM MjHYtEaWox3ehkWpGQAmZZXrIXj6oV0fxbE2v3SOxmQx1HXwdYDE/WYv9mhGCuy8 ovIbgRrqbzVNdK2bsImqY7unxdg5/ZbzCE97dv7QG0ApFub16wIGqa/Zz9xgWKXk RqHB/I8aE+I= =pFmL -----END PGP SIGNATURE-----