===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3442
                     chromium-browser security update
                              5 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17477 CVE-2018-17476 CVE-2018-17475
                   CVE-2018-17474 CVE-2018-17473 CVE-2018-17471
                   CVE-2018-17470 CVE-2018-17469 CVE-2018-17468
                   CVE-2018-17467 CVE-2018-17466 CVE-2018-17465
                   CVE-2018-17464 CVE-2018-17463 CVE-2018-17462
                   CVE-2018-5179

Reference:         ASB-2018.0266
                   ESB-2018.3259

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4330

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4330-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 02, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-5179 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464
                 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468
                 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473
                 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-17477

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-5179

    Yannic Boneberger discovered an error in the ServiceWorker implementation.

CVE-2018-17462

    Ned Williamson and Niklas Baumstark discovered a way to escape the sandbox.

CVE-2018-17463

    Ned Williamson and Niklas Baumstark discovered a remote code execution
    issue in the v8 javascript library.

CVE-2018-17464

    xisigr discovered a URL spoofing issue.

CVE-2018-17465

    Lin Zuojian discovered a use-after-free issue in the v8 javascript
    library.

CVE-2018-17466

    Omair discovered a memory corruption issue in the angle library.

CVE-2018-17467

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-17468

    Jams Lee discovered an information disclosure issue.

CVE-2018-17469

    Zhen Zhou discovered a buffer overflow issue in the pdfium library.

CVE-2018-17470

    Zhe Jin discovered a memory corruption issue in the GPU backend
    implementation.

CVE-2018-17471

    Lnyas Zhang discovered an issue with the full screen user interface.

CVE-2018-17473

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-17474

    Zhe Jin discovered a use-after-free issue.

CVE-2018-17475

    Vladimir Metnew discovered a URL spoofing issue.

CVE-2018-17476

    Khalil Zhani discovered an issue with the full screen user interface.

CVE-2018-17477

    Aaron Muir Hamilton discovered a user interface spoofing issue in the
    extensions pane.

This update also fixes a buffer overflow in the embedded lcms library included
with chromium.

For the stable distribution (stretch), these problems have been fixed in
version 70.0.3538.67-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================