===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2017.1940
chromium-browser security update
7 August 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7000 CVE-2017-5110 CVE-2017-5109
                   CVE-2017-5108 CVE-2017-5107 CVE-2017-5106
                   CVE-2017-5105 CVE-2017-5104 CVE-2017-5103
                   CVE-2017-5102 CVE-2017-5101 CVE-2017-5100
                   CVE-2017-5099 CVE-2017-5098 CVE-2017-5097
                   CVE-2017-5095 CVE-2017-5094 CVE-2017-5093
                   CVE-2017-5092 CVE-2017-5091 CVE-2017-5089
                   CVE-2017-5088 CVE-2017-5087
Reference:         ASB-2017.0124
                   ASB-2017.0092
                   ESB-2017.1862
                   ESB-2017.1522

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3926

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3926-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
August 04, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5087 CVE-2017-5088 CVE-2017-5089 CVE-2017-5091
                 CVE-2017-5092 CVE-2017-5093 CVE-2017-5094 CVE-2017-5095
                 CVE-2017-5097 CVE-2017-5098 CVE-2017-5099 CVE-2017-5100
                 CVE-2017-5101 CVE-2017-5102 CVE-2017-5103 CVE-2017-5104
                 CVE-2017-5105 CVE-2017-5106 CVE-2017-5107 CVE-2017-5108
                 CVE-2017-5109 CVE-2017-5110 CVE-2017-7000

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5087

    Ned Williamson discovered a way to escape the sandbox.

CVE-2017-5088

    Xiling Gong discovered an out-of-bounds read issue in the v8 javascript
    library.

CVE-2017-5089

    Michal Bentkowski discovered a spoofing issue.

CVE-2017-5091

    Ned Williamson discovered a use-after-free issue in IndexedDB.

CVE-2017-5092

    Yu Zhou discovered a use-after-free issue in PPAPI.

CVE-2017-5093

    Luan Herrera discovered a user interface spoofing issue.

CVE-2017-5094

    A type confusion issue was discovered in extensions.

CVE-2017-5095

    An out-of-bounds write issue was discovered in the pdfium library.

CVE-2017-5097

    An out-of-bounds read issue was discovered in the skia library.

CVE-2017-5098

    Jihoon Kim discovered a use-after-free issue in the v8 javascript library.

CVE-2017-5099

    Yuan Deng discovered an out-of-bounds write issue in PPAPI.

CVE-2017-5100

    A use-after-free issue was discovered in Chrome Apps.

CVE-2017-5101

    Luan Herrera discovered a URL spoofing issue.

CVE-2017-5102

    An uninitialized variable was discovered in the skia library.

CVE-2017-5103

    Another uninitialized variable was discovered in the skia library.

CVE-2017-5104

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2017-5105

    Rayyan Bijoora discovered a URL spoofing issue.

CVE-2017-5106

    Jack Zac discovered a URL spoofing issue.

CVE-2017-5107

    David Kohlbrenner discovered an information leak in SVG file handling.

CVE-2017-5108

    Guang Gong discovered a type confusion issue in the pdfium library.

CVE-2017-5109

    Jose Maria Acuna Morgado discovered a user interface spoofing issue.

CVE-2017-5110

    xisigr discovered a way to spoof the payments dialog.

CVE-2017-7000

    Chaitin Security Research Lab discovered an information disclosure
    issue in the sqlite library.

For the stable distribution (stretch), these problems have been fixed in
version 60.0.3112.78-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 60.0.3112.78-1 or earlier versions.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================