-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0879
                         chromium security update
                               12 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6420 CVE-2020-6418 CVE-2020-6416
                   CVE-2020-6415 CVE-2020-6414 CVE-2020-6413
                   CVE-2020-6412 CVE-2020-6411 CVE-2020-6410
                   CVE-2020-6409 CVE-2020-6408 CVE-2020-6407
                   CVE-2020-6406 CVE-2020-6405 CVE-2020-6404
                   CVE-2020-6403 CVE-2020-6402 CVE-2020-6401
                   CVE-2020-6400 CVE-2020-6399 CVE-2020-6398
                   CVE-2020-6397 CVE-2020-6396 CVE-2020-6395
                   CVE-2020-6394 CVE-2020-6393 CVE-2020-6392
                   CVE-2020-6391 CVE-2020-6390 CVE-2020-6389
                   CVE-2020-6388 CVE-2020-6387 CVE-2020-6386
                   CVE-2020-6385 CVE-2020-6384 CVE-2020-6383
                   CVE-2020-6382 CVE-2020-6381 CVE-2019-19926
                   CVE-2019-19925 CVE-2019-19923 CVE-2019-19880
                   CVE-2019-1992  

Reference:         ASB-2020.0053
                   ASB-2020.0052
                   ASB-2020.0034
                   ASB-2019.0065
                   ESB-2020.0848
                   ESB-2020.0537

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4638

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4638-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 10, 2020                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926
                 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384
                 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388
                 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392
                 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396
                 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400
                 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404
                 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408
                 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412
                 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416
                 CVE-2020-6418 CVE-2020-6420

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-19880

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19923

    Richard Lorenz discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-19925

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19926

    Richard Lorenz discovered an implementation error in the sqlite library.

CVE-2020-6381

    UK's National Cyber Security Centre discovered an integer overflow issue
    in the v8 javascript library.

CVE-2020-6382

    Soyeon Park and Wen Xu discovered a type error in the v8 javascript
    library.

CVE-2020-6383

    Sergei Glazunov discovered a type error in the v8 javascript library.

CVE-2020-6384

    David Manoucheri discovered a use-after-free issue in WebAudio.

CVE-2020-6385

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6386

    Zhe Jin discovered a use-after-free issue in speech processing.

CVE-2020-6387

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6388

    Sergei Glazunov discovered an out-of-bounds read error in the WebRTC
    implementation.

CVE-2020-6389

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6390

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6391

    Michał Bentkowski discovered that untrusted input was insufficiently
    validated.

CVE-2020-6392

    The Microsoft Edge Team discovered a policy enforcement error.

CVE-2020-6393

    Mark Amery discovered a policy enforcement error.

CVE-2020-6394

    Phil Freo discovered a policy enforcement error.

CVE-2020-6395

    Pierre Langlois discovered an out-of-bounds read error in the v8
    javascript library.

CVE-2020-6396

    William Luc Ritchie discovered an error in the skia library.

CVE-2020-6397

    Khalil Zhani discovered a user interface error.

CVE-2020-6398

    pdknsk discovered an uninitialized variable in the pdfium library.

CVE-2020-6399

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6400

    Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.

CVE-2020-6401

    Tzachy Horesh discovered that user input was insufficiently validated.

CVE-2020-6402

    Vladimir Metnew discovered a policy enforcement error.

CVE-2020-6403

    Khalil Zhani discovered a user interface error.

CVE-2020-6404

    kanchi discovered an error in Blink/Webkit.

CVE-2020-6405

    Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the
    sqlite library.

CVE-2020-6406

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6407

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6408

    Zhong Zhaochen discovered a policy enforcement error in Cross-Origin
    Resource Sharing.

CVE-2020-6409

    Divagar S and Bharathi V discovered an error in the omnibox
    implementation.

CVE-2020-6410

    evil1m0 discovered a policy enforcement error.

CVE-2020-6411

    Khalil Zhani discovered that user input was insufficiently validated.

CVE-2020-6412

    Zihan Zheng discovered that user input was insufficiently validated.

CVE-2020-6413

    Michał Bentkowski discovered an error in Blink/Webkit.

CVE-2020-6414

    Lijo A.T discovered a safe browsing policy enforcement error.

CVE-2020-6415

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6416

    Woojin Oh discovered that untrusted input was insufficiently validated.

CVE-2020-6418

    Clement Lecigne discovered a type error in the v8 javascript library.

CVE-2020-6420

    Taras Uzdenov discovered a policy enforcement error.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.132-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----