-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2909
                     chromium-browser security update
                              12 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9652 CVE-2016-9651 CVE-2016-9650 CVE-2016-5226
                   CVE-2016-5225 CVE-2016-5224 CVE-2016-5223 CVE-2016-5222
                   CVE-2016-5221 CVE-2016-5220 CVE-2016-5219 CVE-2016-5218
                   CVE-2016-5217 CVE-2016-5216 CVE-2016-5215 CVE-2016-5214
                   CVE-2016-5213 CVE-2016-5212 CVE-2016-5211 CVE-2016-5210
                   CVE-2016-5209 CVE-2016-5208 CVE-2016-5207 CVE-2016-5206
                   CVE-2016-5205 CVE-2016-5204 CVE-2016-5203 CVE-2016-5202
                   CVE-2016-5201 CVE-2016-5200 CVE-2016-5199 CVE-2016-5198
                   CVE-2016-5194 CVE-2016-5193 CVE-2016-5192 CVE-2016-5191
                   CVE-2016-5190 CVE-2016-5189 CVE-2016-5188 CVE-2016-5187
                   CVE-2016-5186 CVE-2016-5185 CVE-2016-5184 CVE-2016-5183
                   CVE-2016-5182 CVE-2016-5181
Reference:         ASB-2016.0116
                   ASB-2016.0106
                   ESB-2016.2873
                   ESB-2016.2725
                   ESB-2016.2716

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3731

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3731-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
December 11, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184
                 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188
                 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192
                 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5199
                 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203
                 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207
                 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211
                 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215
                 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219
                 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223
                 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650
                 CVE-2016-9651 CVE-2016-9652

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-5181

    A cross-site scripting issue was discovered.

CVE-2016-5182

    Giwan Go discovered a heap overflow issue.

CVE-2016-5183

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5184

    Another use-after-free issue was discovered in the pdfium library.

CVE-2016-5185

    cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

CVE-2016-5186

    Abdulrahman Alqabandi discovered an out-of-bounds read issue in the
    developer tools.

CVE-2016-5187

    Luan Herrera discovered a URL spoofing issue.

CVE-2016-5188

    Luan Herrera discovered that some drop down menus can be used to hide
    parts of the user interface.

CVE-2016-5189

    xisigr discovered a URL spoofing issue.

CVE-2016-5190

    Atte Kettunen discovered a use-after-free issue.

CVE-2016-5191

    Gareth Hughes discovered a cross-site scripting issue.

CVE-2016-5192

    haojunhou@gmail.com discovered a same-origin bypass.

CVE-2016-5193

    Yuyang Zhou discovered a way to pop open a new window.

CVE-2016-5194

    The chrome development team found and fixed various issues during
    internal auditing.

CVE-2016-5198

    Tencent Keen Security Lab discovered an out-of-bounds memory access
    issue in the v8 javascript library.

CVE-2016-5199

    A heap corruption issue was discovered in the ffmpeg library.

CVE-2016-5200

    Choongwoo Han discovered an out-of-bounds memory access issue in the
    v8 javascript library.

CVE-2016-5201

    Rob Wu discovered an information leak.

CVE-2016-5202

    The chrome development team found and fixed various issues during
    internal auditing.

CVE-2016-5203

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5204

    Mariusz Mlynski discovered a cross-site scripting issue in SVG image
    handling.

CVE-2016-5205

    A cross-site scripting issue was discovered.

CVE-2016-5206

    Rob Wu discovered a same-origin bypass in the pdfium library.

CVE-2016-5207

    Mariusz Mlynski discovered a cross-site scripting issue.

CVE-2016-5208

    Mariusz Mlynski discovered another cross-site scripting issue.

CVE-2016-5209

    Giwan Go discovered an out-of-bounds write issue in Blink/Webkit.

CVE-2016-5210

    Ke Liu discovered an out-of-bounds write in the pdfium library.

CVE-2016-5211

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5212

    Khalil Zhani discovered an information disclosure issue in the
    developer tools.

CVE-2016-5213

    Khalil Zhani discovered a use-after-free issue in the v8 javascript
    library.

CVE-2016-5214

    Jonathan Birch discovered a file download protection bypass.

CVE-2016-5215

    Looben Yang discovered a use-after-free issue.

CVE-2016-5216

    A use-after-free issue was discovered in the pdfium library.

CVE-2016-5217

    Rob Wu discovered a condition where data was not validated by the
    pdfium library.

CVE-2016-5218

    Abdulrahman Alqabandi discovered a URL spoofing issue.

CVE-2016-5219

    Rob Wu discovered a use-after-free issue in the v8 javascript library.

CVE-2016-5220

    Rob Wu discovered a way to access files on the local system.

CVE-2016-5221

    Tim Becker discovered an integer overflow issue in the angle library.

CVE-2016-5222

    xisigr discovered a URL spoofing issue.

CVE-2016-5223

    Hwiwon Lee discovered an integer overflow issue in the pdfium library.

CVE-2016-5224

    Roeland Krak discovered a same-origin bypass in SVG image handling.

CVE-2016-5225

    Scott Helme discovered a Content Security Protection bypass.

CVE-2016-5226

    Jun Kokatsu discovered a cross-scripting issue.

CVE-2016-9650

    Jakub Żoczek discovered a Content Security Protection information
    disclosure.

CVE-2016-9651

    Guang Gong discovered a way to access private data in the v8 javascript
    library.

CVE-2016-9652

    The chrome development team found and fixed various issues during
    internal auditing.

For the stable distribution (jessie), these problems have been fixed in
version 55.0.2883.75-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 55.0.2883.75-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEEluhy7ASCBulP9FUWuNayzQLW9HMFAlhNu7wACgkQuNayzQLW
9HNrER//c8ZJouglb8ND39PIIOXvIdGTHqem9H/ki59b5T7MPP+izcMTqqdRE16O
cF03Sqbal6gTLApdbJDnGnpqTXO+4dVvr/JOQnYeS7bSn3HaCFmFUzAnS6VmbD4X
Gwndz4hR/HbiXmZGL9vDoIJQYJyK5KrGH6HRugLwCHXzdH3E5/PuOROFEHbEhA2d
vM5lcYL7m1fb8YNmhoWaHGz4YlpL+OntWGl0cJrRhL7hueEYtgQi+RwZLnxPAx19
raY/+gCNTGYKWveU8Ztb/D8uUyePl3rCbtH1ZxjT+VPORvKg4ILm9e675D/ApPol
evSe3CNj3rgp8MyjT8Lp6SJhx8lXnOAU3WgUoSfTblQWhI/5gXQGdGY5aCFXbunb
BcVYQ1ZUIqus5HNHml1ILkJ9o60sLdSPxo8oK9e+CwLjvPJOmDmwXNyRMUZW4g+L
D0HUpjT9++xLjKw6b4t+pS1OtxdQdIFgSJsFpp289sJ90vunnqjmfM5+rdpfr0hA
Vo20/DJFqfgbgPEeJj/xNGHUNuwULVDQ1Jj20burmWBxsjr5iu5Q1k1qyO0rffCw
DMCPuhmY2ghZGpg2KPZv5+WSl6HK4Kazi8h7G1Uc3LwX2AUPEwp4vVUwzYs8GWHk
mq5EU/Rbq2esZe9Mlwbs0pOLJ5HsjVu4QrSW1mWxLuN83c1t/mdf9xc9LvVlWdQh
yjuchJqGKix6RSlXHKV7DrKzL/yZpTRquGdXUHhnYinNtaiRK2hC4vzPDtXDcTuR
Qv2pnS67tDZv28a2HSQdLA0uNJaOYHGlY7Cugpo6RKq0im+RZT93wjxo/f+CA38I
iDG2wh9sTpAf1P58jdHjxwp/xcotOPmxn6vgE2huoeZSnFhENOZtVnG2UCVDKSdA
2MRX/qy1lJVlAr2RgHFpTjPyzaW/8NapKLbIbgzjcyeSo9YMuJDi7VUP3VM5Ptk8
3LZU9ohfySOSr8nZQAevphiUKRz5K3k389saPSjetGOij7//kya1ub5qOLEaxH8Y
WCjHj2f/pPl3eaG3yQPo0UhMMT9cC5PCkUzzFqwxC5dzzzjdvZ7hS9RZRM/RF+ne
+9zKHiK8mMVuIY98VOxHGzAnC/Y1vkC7Wk0OSjBMweDGbw6J/+xc0ku9mS2cOXaZ
czkgVFoNcLVrXB1ynLOz3WkZOMwTC74XmRE13JVWWhUbNBdcJLTyOal9iAxNY82c
vAqvqE5lPnAJ+H3HAd6G8MLM19wCBrsRDRF1k8CzvVQDEeLmfgMgfup5OxPEiWS9
Pi03o4T3+5jCtznqGrCF0cf9fvNT2lNm0D30KkgAG/hBCZFAENXr91LHVzuOh9zM
QQqxLmkAQ3dwCYvtcepAyQ3eYtePxQ==
=p9Ee
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWE4mLYx+lLeg9Ub1AQgQbw/8DOfCNbOQJgpwdQObYs148Z8ulpFOs8d7
FeTIpkvgD1JWVlWZFLFqfCRX4Ej9NjjxaEBQdo7tLZ02SYOiDHLHdACEEicq1m7T
eXYrOBsCZ4z2kQ4pngb70j6WPcbf4vxoC2iJzJHCYMkQxZahphXdHfIW8afPqEDi
4Y/Awxe5Q4Nag6/eY5ATl8sMfQlf9wMLe/vMRW48dnL6HD6k3iqD8JV6j18HT4d1
rsttBZ60YovIEB02SYhZ1V19eXfAuo03R0B1X9FYDCSF8Ro36ptMJNDyHSWWAGW9
bJlW1x3axaV7y+J+hqBvAD75VLCnMIUPol5vZS+kmFOM9LBaY3h1SxNYd7d32SSf
nfX3jLsQ9j+hOno8MFEm1ZlE3+ZS3EFUuOkhTj+UxJayJraoLQqc9PZ6Ft/2vtQp
t8yzO4VYfjFXY5m25dlHBA4cxN41Ek4aLu9T8aBPTAJYWQZs8HFI74Y3iVKZUpO7
cnitzduZjBevbz5l0dMnBtVVFQDVjqC4Oxevdi2t9lBJeCAKJb1SZXAuFkbg7iqj
Ld5Pw0v1/aE/9mjU0iq5q+1b+SZFPbCeLg7OHcW4todstPo/sNe1c4TBO8RGacfH
4JJGug2bWB9oZw7DZYP4SGltDri4tIUoLBeXNkZYNXYENWd8usl4LgK1Bwi21vD4
99+svxyFSQU=
=FqyQ
-----END PGP SIGNATURE-----