===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3815
                     chromium-browser security update
                             10 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18359 CVE-2018-18358 CVE-2018-18357
                   CVE-2018-18356 CVE-2018-18355 CVE-2018-18354
                   CVE-2018-18353 CVE-2018-18352 CVE-2018-18351
                   CVE-2018-18350 CVE-2018-18349 CVE-2018-18348
                   CVE-2018-18347 CVE-2018-18346 CVE-2018-18345
                   CVE-2018-18344 CVE-2018-18343 CVE-2018-18342
                   CVE-2018-18341 CVE-2018-18340 CVE-2018-18339
                   CVE-2018-18338 CVE-2018-18337 CVE-2018-18336
                   CVE-2018-18335 CVE-2018-17481 CVE-2018-17480

Reference:         ASB-2018.0296

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4352

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4352-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
December 07, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336
                 CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340
                 CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
                 CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348
                 CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352
                 CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
                 CVE-2018-18357 CVE-2018-18358 CVE-2018-18359

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17480

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-17481

    Several use-after-free issues were discovered in the pdfium library.

CVE-2018-18335

    A buffer overflow issue was discovered in the skia library.

CVE-2018-18336

    Huyna discovered a use-after-free issue in the pdfium library.

CVE-2018-18337

    cloudfuzzer discovered a use-after-free issue in blink/webkit.

CVE-2018-18338

    Zhe Jin discovered a buffer overflow issue in the canvas renderer.

CVE-2018-18339

    cloudfuzzer discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2018-18340

    A use-after-free issue was discovered in the MediaRecorder
    implementation.

CVE-2018-18341

    cloudfuzzer discovered a buffer overflow issue in blink/webkit.

CVE-2018-18342

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-18343

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18344

    Jann Horn discovered an error in the Extensions implementation.

CVE-2018-18345

    Masato Kinugawa and Jun Kokatsu discovered an error in the Site
    Isolation feature.

CVE-2018-18346

    Luan Herrera discovered an error in the user interface.

CVE-2018-18347

    Luan Herrera discovered an error in the Navigation implementation.

CVE-2018-18348

    Ahmed Elsobky discovered an error in the omnibox implementation.

CVE-2018-18349

    David Erceg discovered a policy enforcement error.

CVE-2018-18350

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18351

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18352

    Jun Kokatsu discovered an error in Media handling.

CVE-2018-18353

    Wenxu Wu discovered an error in the network authentication
    implementation.

CVE-2018-18354

    Wenxu Wu discovered an error related to integration with GNOME Shell.

CVE-2018-18355

    evil1m0 discovered a policy enforcement error.

CVE-2018-18356

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18357

    evil1m0 discovered a policy enforcement error.

CVE-2018-18358

    Jann Horn discovered a policy enforcement error.

CVE-2018-18359

    cyrilliu discovered an out-of-bounds read issue in the v8 javascript
    library.

Several additional security relevant issues are also fixed in this update
that have not yet received CVE identifiers.

For the stable distribution (stretch), these problems have been fixed in
version 71.0.3578.80-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================