-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2909
                     chromium-browser security update
                             12 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9652 CVE-2016-9651 CVE-2016-9650
                   CVE-2016-5226 CVE-2016-5225 CVE-2016-5224
                   CVE-2016-5223 CVE-2016-5222 CVE-2016-5221
                   CVE-2016-5220 CVE-2016-5219 CVE-2016-5218
                   CVE-2016-5217 CVE-2016-5216 CVE-2016-5215
                   CVE-2016-5214 CVE-2016-5213 CVE-2016-5212
                   CVE-2016-5211 CVE-2016-5210 CVE-2016-5209
                   CVE-2016-5208 CVE-2016-5207 CVE-2016-5206
                   CVE-2016-5205 CVE-2016-5204 CVE-2016-5203
                   CVE-2016-5202 CVE-2016-5201 CVE-2016-5200
                   CVE-2016-5199 CVE-2016-5198 CVE-2016-5194
                   CVE-2016-5193 CVE-2016-5192 CVE-2016-5191
                   CVE-2016-5190 CVE-2016-5189 CVE-2016-5188
                   CVE-2016-5187 CVE-2016-5186 CVE-2016-5185
                   CVE-2016-5184 CVE-2016-5183 CVE-2016-5182
                   CVE-2016-5181  

Reference:         ASB-2016.0116
                   ASB-2016.0106
                   ESB-2016.2873
                   ESB-2016.2725
                   ESB-2016.2716

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3731

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3731-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
December 11, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184
                 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188
                 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192
                 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5199
                 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203
                 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207
                 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211
                 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215
                 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219
                 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223
                 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650
                 CVE-2016-9651 CVE-2016-9652

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-5181

    A cross-site scripting issue was discovered.

CVE-2016-5182

    Giwan Go discovered a heap overflow issue.

CVE-2016-5183

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5184

    Another use-after-free issue was discovered in the pdfium library.

CVE-2016-5185

    cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

CVE-2016-5186

    Abdulrahman Alqabandi discovered an out-of-bounds read issue in the
    developer tools.

CVE-2016-5187

    Luan Herrera discovered a URL spoofing issue.

CVE-2016-5188

    Luan Herrera discovered that some drop down menus can be used to
    hide parts of the user interface.

CVE-2016-5189

    xisigr discovered a URL spoofing issue.

CVE-2016-5190

    Atte Kettunen discovered a use-after-free issue.

CVE-2016-5191

    Gareth Hughes discovered a cross-site scripting issue.

CVE-2016-5192

    haojunhou@gmail.com discovered a same-origin bypass.

CVE-2016-5193

    Yuyang Zhou discovered a way to pop open a new window.

CVE-2016-5194

    The chrome development team found and fixed various issues during
    internal auditing.

CVE-2016-5198

    Tencent Keen Security Lab discovered an out-of-bounds memory access
    issue in the v8 javascript library.

CVE-2016-5199

    A heap corruption issue was discovered in the ffmpeg library.

CVE-2016-5200

    Choongwoo Han discovered an out-of-bounds memory access issue in
    the v8 javascript library.

CVE-2016-5201

    Rob Wu discovered an information leak.

CVE-2016-5202

    The chrome development team found and fixed various issues during
    internal auditing.

CVE-2016-5203

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5204

    Mariusz Mlynski discovered a cross-site scripting issue in SVG
    image handling.

CVE-2016-5205

    A cross-site scripting issue was discovered.

CVE-2016-5206

    Rob Wu discovered a same-origin bypass in the pdfium library.

CVE-2016-5207

    Mariusz Mlynski discovered a cross-site scripting issue.

CVE-2016-5208

    Mariusz Mlynski discovered another cross-site scripting issue.

CVE-2016-5209

    Giwan Go discovered an out-of-bounds write issue in Blink/Webkit.

CVE-2016-5210

    Ke Liu discovered an out-of-bounds write in the pdfium library.

CVE-2016-5211

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5212

    Khalil Zhani discovered an information disclosure issue in the
    developer tools.

CVE-2016-5213

    Khalil Zhani discovered a use-after-free issue in the v8 javascript
    library.

CVE-2016-5214

    Jonathan Birch discovered a file download protection bypass.

CVE-2016-5215

    Looben Yang discovered a use-after-free issue.

CVE-2016-5216

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5217

    Rob Wu discovered a condition where data was not validated by
    the pdfium library.

CVE-2016-5218

    Abdulrahman Alqabandi discovered a URL spoofing issue.

CVE-2016-5219

    Rob Wu discovered a use-after-free issue in the v8 javascript
    library.

CVE-2016-5220

    Rob Wu discovered a way to access files on the local system.

CVE-2016-5221

    Tim Becker discovered an integer overflow issue in the angle
    library.

CVE-2016-5222

    xisigr discovered a URL spoofing issue.

CVE-2016-5223

    Hwiwon Lee discovered an integer overflow issue in the pdfium
    library.

CVE-2016-5224

    Roeland Krak discovered a same-origin bypass in SVG image handling.

CVE-2016-5225

    Scott Helme discovered a Content Security Policy (CSP) bypass.

CVE-2016-5226

    Jun Kokatsu discovered a cross-site scripting issue.

CVE-2016-9650

    Jakub Żoczek discovered a Content Security Policy (CSP) information
    disclosure.

CVE-2016-9651

    Guang Gong discovered a way to access private data in the v8
    javascript library.

CVE-2016-9652

    The chrome development team found and fixed various issues during
    internal auditing.

For the stable distribution (jessie), these problems have been fixed in
version 55.0.2883.75-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 55.0.2883.75-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----