Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.1373 chromium-browser security update 25 May 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: chromium-browser Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2015-1265 CVE-2015-1264 CVE-2015-1263 CVE-2015-1262 CVE-2015-1261 CVE-2015-1260 CVE-2015-1259 CVE-2015-1258 CVE-2015-1257 CVE-2015-1256 CVE-2015-1255 CVE-2015-1254 CVE-2015-1253 CVE-2015-1252 CVE-2015-1251 Reference: ASB-2015.0052 Original Bulletin: http://www.debian.org/security/2015/dsa-3267 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3267-1 security@debian.org http://www.debian.org/security/ Michael Gilbert May 22, 2015 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : chromium-browser CVE ID : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254 CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258 CVE-2015-1259 CVE-2015-1260 CVE-2015-1261 CVE-2015-1262 CVE-2015-1263 CVE-2015-1264 CVE-2015-1265 Several vulnerabilities were discovered in the chromium web browser. CVE-2015-1251 SkyLined discovered a use-after-free issue in speech recognition. CVE-2015-1252 An out-of-bounds write issue was discovered that could be used to escape from the sandbox. CVE-2015-1253 A cross-origin bypass issue was discovered in the DOM parser. CVE-2015-1254 A cross-origin bypass issue was discovered in the DOM editing feature. CVE-2015-1255 Khalil Zhani discovered a use-after-free issue in WebAudio. CVE-2015-1256 Atte Kettunen discovered a use-after-free issue in the SVG implementation. CVE-2015-1257 miaubiz discovered an overflow issue in the SVG implementation. CVE-2015-1258 cloudfuzzer discovered an invalid size parameter used in the libvpx library. CVE-2015-1259 Atte Kettunen discovered an uninitialized memory issue in the pdfium library. CVE-2015-1260 Khalil Zhani discovered multiple use-after-free issues in chromium's interface to the WebRTC library. CVE-2015-1261 Juho Nurminen discovered a URL bar spoofing issue. CVE-2015-1262 miaubiz discovered the use of an uninitialized class member in font handling. CVE-2015-1263 Mike Ruddy discovered that downloading the spellcheck dictionary was not done over HTTPS. CVE-2015-1264 K0r3Ph1L discovered a cross-site scripting issue that could be triggered by bookmarking a site. CVE-2015-1265 The chrome 43 development team found and fixed various issues during internal auditing. Also multiple issues were fixed in the libv8 library, version 4.3.61.21. For the stable distribution (jessie), these problems have been fixed in version 43.0.2357.65-1~deb8u1. For the testing distribution (stretch), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 43.0.2357.65-1. We recommend that you upgrade your chromium-browser packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQQcBAEBCgAGBQJVXrgRAAoJELjWss0C1vRzS5Mf/iSPN/47Wt02hBpAGEMEjirv 4Ee3gJ/Sb/z8EtE7GsZOxci1AsJQYZusm5T6rcwl3Bu3Rnsjj7swZg7cMJBb73+L hfwl8xY47cjudXFc/V2wJWghjBozIrsaINSVgpEA6AiGl/5S4f941Hgz/Nik8sfg 0r9hH2jU5o3BfYKViAZhjkOjxmXTlO9zPeFD4bA/FCo0YNyN9dIIJYbeBdvG+z5H pOCs3L6QnDyVqu/Zcpi7BtqilDvseV9QGagqg0WpbYimnqvjeeWQAlsKE9+NhwDY DQ+NufPSPpL3hu+xxPm1kLLndiKRGb5S253Rl+8kWgeKa+UgvdWKePdtQYaidjSK uVF+8s5en36D0Mr/OOC3a0ZImMsinky+6mg4AjWuZwo+AirZ+DQVTkxMRS9T6l9k FR3h//VYnqBihbuYrJnRunFjo1RFzLM2P7NiMBAJOhAuVAK4OSpN0pWb/KJN23Ch Q1C9vdq413VCtgsUuMYc2pqoc/XDBK5CNjtgtm+e9ZdPOKg7A7POuvw7QIv+g3me iRmkc1evjwa9/nkFzgF7HpcoHv25YdrktsF5IfVOXEZL+AkIhViIDe/rIkuxDvz1 uGQFLh+NRWnAeXM89NNrFJ7wmpJoG/PbNWZ44HYa0nQoVz/ygaw827U88FxgoZsD PVvRVC9cV2S2OpOU1gMg8O5mbQi/g2HQVOEdM/rjoot8W2/K7zfmYVFghFAoNBp5 kAfj3j9c3yHKZ18wFqF+yvcmWBBWGIQvd62s23hKVb7PW09ShArvYp+U7bMwcVfB V5q9hboqgGVjcyd32BIT1ZW3zSyZ9Jaamw3nLVc2ro8jlnb3UqOK2Kkzb87tBfWU /ga1nLgy6bg9H3au21/6f+ReP2X96Y4KA2sb3gqhI2FVtJ864anbJM4KcOR3nsV6 m1QqfkksTx8EUlca/k65zDHt7bveQValM437V/OspnqSMt/dquDKJxiRY9Kb/wWZ Ao3QzrLb349xEvxq1vqz1DEiZ2a+w9xA9FPaBXXMinX+93kK5ZJZbIlcn0FQbMgx 7MIWSBI0EutMfoMhexB+7BEdVBRvr0QppxMFJYlJwl+o5nY7aANtboEoU/tqOiaO /+gQL8evd5Fh6IaC1WMWwXcpypPqaDWzXF1ExkGRpwWO6Dm67k97k79r1ntzVs7o uDz+/V0cKTm2mL0FxK7+DEyxsxb3SgKD6Fymd3tiknD/hXOsKZkoCKMh5XLzWWBP PU0DRS/WysA+bGIvqR29GWHADQUvj1A6DjkMIinkitGdaOysn8RlENFZX39XQ94r EjpXvjyw9rkRZtwMeGDTcUJxoeWNCyRBjJMcEuSeCKmOratYaOMgVpvQeGR4Xno= =GyQo - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVWJxQBLndAQH1ShLAQLvag/+NZbtoh9tiU7gphtbXj5dI2OoDjlBM4sB i/JEFnW3Z37RKI8SGUDKpOyziWASuIFVP+oltIhgnrOHEThNUp97PLVOQ5sTCkCu JnU4U0MqzeMsZ+ZOMNwRrHjztoSFuTqnjPvmuHOnZoMpkvytFtahahqplQhgJhEr ZgKxY3eYS7zW9Mh45cfxVXuKzhUM9fwkXyWJCSB5EkOMJ/mSf6aVIQ0AGPJGUBF3 9VHkHV52iuveg+wJojOomw5hQ4rOxms59mpkLUIQygXiyJucPGI8IvRW/+WBblTe WgLXkL9MXgPpnh1rFWukjnsUrZdIXPYpFzEzxxLcfdoHeN2zzVZNlzLaF4qP1vRo kQjXZpzqCZIDC13fdH+J0X9zmfOLuFrF2h3hyQ4nkGMG2E+nb6VXXZWP35h1iUuG TOvLe7/7iV5lAJ9Cap2BgW8dm9fOEYl1GQLrimzBtQxXi5Jdgyh7vBqLrhcqn0MB DtGNIvRKsWuV5cNAXM6mxytHMXbf62lK5MzL/lroF72pHkKUvunZ8WZAG50fY7IX j6m6foXpZwr/F/VT4WHFpwSsf6Qf89TdNqV1/FqU4ranwoWJxpxlhNbPlAzRRBkj HOt1JFyLTA/iQVSD1hUJzGK7/dLyiJzThDB78RAA0YjeB+Gsmah2f7FoP1b+3etc hdiasTFJY30= =HRAO -----END PGP SIGNATURE-----