===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2451
                     chromium-browser security update
                             29 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5122 CVE-2017-5121 CVE-2017-5120
                   CVE-2017-5119 CVE-2017-5118 CVE-2017-5117
                   CVE-2017-5116 CVE-2017-5115 CVE-2017-5114
                   CVE-2017-5113 CVE-2017-5112 CVE-2017-5111

Reference:         ESB-2017.2296
                   ESB-2017.2263

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3985

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3985-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
September 28, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114
                 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118
                 CVE-2017-5119 CVE-2017-5120 CVE-2017-5121 CVE-2017-5122

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5111

    Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-5112

    Tobias Klein discovered a buffer overflow issue in the webgl library.

CVE-2017-5113

    A buffer overflow issue was discovered in the skia library.

CVE-2017-5114

    Ke Liu discovered a memory issue in the pdfium library.

CVE-2017-5115

    Marco Giovannini discovered a type confusion issue in the v8
    javascript library.

CVE-2017-5116

    Guang Gong discovered a type confusion issue in the v8 javascript
    library.

CVE-2017-5117

    Tobias Klein discovered an uninitialized value in the skia library.

CVE-2017-5118

    WenXu Wu discovered a way to bypass the Content Security Policy.

CVE-2017-5119

    Another uninitialized value was discovered in the skia library.

CVE-2017-5120

    Xiaoyin Liu discovered a way to downgrade HTTPS connections during
    redirection.

CVE-2017-5121

    Jordan Rabet discovered an out-of-bounds memory access in the v8
    javascript library.

CVE-2017-5122

    Choongwoo Han discovered an out-of-bounds memory access in the v8
    javascript library.

For the stable distribution (stretch), these problems have been fixed in
version 61.0.3163.100-1~deb9u1.

For the testing distribution (buster), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 61.0.3163.100-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================