Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0591
chromium-browser security update
7 March 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: chromium-browser
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Read-only Data Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-1642 CVE-2016-1641 CVE-2016-1640
CVE-2016-1639 CVE-2016-1638 CVE-2016-1637
CVE-2016-1636 CVE-2016-1635 CVE-2016-1634
CVE-2016-1633 CVE-2016-1632 CVE-2016-1631
CVE-2016-1630 CVE-2015-8126
Reference: ASB-2016.0018
ASB-2016.0004
ESB-2016.0585
Original Bulletin:
http://www.debian.org/security/2016/dsa-3507
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3507-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
March 05, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : chromium-browser
CVE ID : CVE-2015-8126 CVE-2016-1630 CVE-2016-1631 CVE-2016-1632
CVE-2016-1633 CVE-2016-1634 CVE-2016-1635 CVE-2016-1636
CVE-2016-1637 CVE-2016-1638 CVE-2016-1639 CVE-2016-1640
CVE-2016-1641 CVE-2016-1642
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2015-8126
Joerg Bornemann discovered multiple buffer overflow issues in the
libpng library.
CVE-2016-1630
Mariusz Mlynski discovered a way to bypass the Same Origin Policy
in Blink/Webkit.
CVE-2016-1631
Mariusz Mlynski discovered a way to bypass the Same Origin Policy
in the Pepper Plugin API.
CVE-2016-1632
A bad cast was discovered.
CVE-2016-1633
cloudfuzzer discovered a use-after-free issue in Blink/Webkit.
CVE-2016-1634
cloudfuzzer discovered a use-after-free issue in Blink/Webkit.
CVE-2016-1635
Rob Wu discovered a use-after-free issue in Blink/Webkit.
CVE-2016-1636
A way to bypass SubResource Integrity validation was discovered.
CVE-2016-1637
Keve Nagy discovered an information leak in the skia library.
CVE-2016-1638
Rob Wu discovered a WebAPI bypass issue.
CVE-2016-1639
Khalil Zhani discovered a use-after-free issue in the WebRTC
implementation.
CVE-2016-1640
Luan Herrera discovered an issue with the Extensions user interface.
CVE-2016-1641
Atte Kettunen discovered a use-after-free issue in the handling of
favorite icons.
CVE-2016-1642
The chrome 49 development team found and fixed various issues
during internal auditing. Also multiple issues were fixed in
the v8 javascript library, version 4.9.385.26.
For the stable distribution (jessie), these problems have been fixed in
version 49.0.2623.75-1~deb8u1.
For the testing distribution (stretch), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 49.0.2623.75-1.
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQQcBAEBCgAGBQJW202dAAoJELjWss0C1vRz9jwgAL0TiUnwvdutW66wNE/T+jYW
W6yyrzLOJkoocT1wpp0opB75noRxqx6KDrGOcKByyK7vrM2y/amsId6NyvD8mRm5
RTfEa/4d00Y61W7xDXeyvOazTyCW3+LCZK6Lg1XYvXleYdun4vNWIxsEcBdqezD6
0oLrwHv+TuWCqdQxB3ZccXBVOOP8RVZIcq/BCAL6pP9VqwtR+jR4aYLsQ8RPn8M+
wR+QO6Ab+Dzja/+l3NE4+q1Oy9uyfr49Afhfvc2bGlTiUgCPMZiACEZVoH4CzQi6
Da1cB5vckoQhqixf/+HSp8ohQ6jOTemDfwpbXnyqKtpdoeCfbuOwGipZHFb/mxCb
APCWZwcfVIvNzCZr4Vq33VpWHS53AE5yMiWTKqOqQsSNfvEwP1QB+8ixDFqgIxlf
BbfuzyfeBkh6ylGpd4Lvsav6BK66pRvNr+liFbqyacm4z98oN0K+Soyi1FxJTBDA
ipb28crv+LkNSX4yX3aFptPedLaYyqtR25MYKtjw4Ro6Q0aw0jdQfABzol9vyJiM
/SaS4rSJ1zGV7e2nk9nYrDPDzsL9nzar92/qvRIVSXJJ0gGIvG5En8iPg6OLOZPz
rLyECn30QtT35bKfy5+/VXc6rArb2IEcR4irKMSp3zon8WkX5amVPE05RKDzPX8p
16Kh1lmHRk0ng3FJtHtbZHe/T3W8FwPUWUhr47Rl2vlqFDlZM8zAgZ0DOlbzmwQJ
2Wjuy9dycoKqQIhE2opgKQf1+Q6rJHEB7FGz3oG6VOic7vCvf3lms3kBH4brOGwV
xukXWds7xYQA54ItqzSnUzkgJfxBxVrm1++CLM70R6HNkDtdUrHwKLjzWqlwzTfd
S0VpePjPVpEHqnT4mEs9bP8hqPno3upzwm0+rDTLocAECtAH+2y+B3UnYxIvSMcW
oeSqjEuJKrKGcuhvUp/grnG/f1J2o+d0/10nkDV+XjHDzsH69qTT/Szs4cCS1r+L
1Ig/p0FwXSUMyO4V+nKv6SBG053OGWJWK24EuSIMcae5ZwPAZzni0dl1K1lEo8jf
Z/tRBJNci0nvKKSHj5NURt9go87zrDB6oDCnk1hHYKCNIH2m9pKBvA8B6hC+KxVu
gBjDEDEkdqyWTJqdQBN37729LMTh35N7p3qL/ddObTvzmuywsbEyufOCdV+TbgXy
OYYbIumES6M3wryst/SzU/xUHZHT6FT1BLx39Sjyhq8UEnErQ5hPeMhUsFlj8gEI
MIm3FbPIVfYuU0W+yl5gaLxLMELWwcdqyzSkZD0WyWXXoAUsC1iVIh1y8/uQlJxf
v2eW0faGXHuifgjGOV2vqBMA9rkAmP6uNrgVbcdsgUqWxcatEduTXOAZy68zocI=
=TLjN
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVtzOZn6ZAP0PgtI9AQJdxg/+Py+CZNKxmXokwNlN8u/OOJrBVz4ut551
PJKUWqtgkedQR0ZMBmT0Vo7uyo9e3GafBYeFT1UGzv+3x+kO1d+///KIrqXFsZYv
AgdEHnVssib6Ui0XVNP8UjvG7aNe9LbI18lJU1sqQ/ssBEw1aJi6zv6FNZjhqsQ4
UAKO2NydA2YnpdI/8LBs1erbfzXEVGUaTOjkkNosvtZfpXU5yN0lwtHASN+C2a+8
cmvze8rmzyWqCiyBXOhjmwpazODqopTsDiqgOPBwhhAuz+c2xMiN5CcHJtenBXBr
STL4i7xTTo6jcefU0/3gFXEX4cupqMPSnxeqxF10TdCKAG2TwU+1DieBqUDLXF12
M4FgDJzUTK7hGFooCBZJO+z7aUIMwT6uOLXYE4gohSaXmYlP1cR9oeI9MvKT7bXz
ztfHvkoWItDj8TDQVQLJ1y3vZP7u3PPFcdU7Kab08iyBue3nqcUeBHuUrZJTRj/X
GpTE1uPz+A+bcUqWCFUHtBJFeWUNFlhwOZw46GMZQKBqYvr4VgFa0UH5n+rvC6q7
B8636rDicexqNciCVFzfCCJBOOHfS/FBWkW5if2QURI3gbjOh/GA8U0Migdd1Rp8
Vmv4K/8T23yL/JbwInr26+1PwSwxvop+rVnc1ujgMpphHr+GX2FvewNzAVuWmhwo
6HufJoQTs7I=
=Z8K2
-----END PGP SIGNATURE-----