===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0879
                         chromium security update
                               12 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6420 CVE-2020-6418 CVE-2020-6416
                   CVE-2020-6415 CVE-2020-6414 CVE-2020-6413
                   CVE-2020-6412 CVE-2020-6411 CVE-2020-6410
                   CVE-2020-6409 CVE-2020-6408 CVE-2020-6407
                   CVE-2020-6406 CVE-2020-6405 CVE-2020-6404
                   CVE-2020-6403 CVE-2020-6402 CVE-2020-6401
                   CVE-2020-6400 CVE-2020-6399 CVE-2020-6398
                   CVE-2020-6397 CVE-2020-6396 CVE-2020-6395
                   CVE-2020-6394 CVE-2020-6393 CVE-2020-6392
                   CVE-2020-6391 CVE-2020-6390 CVE-2020-6389
                   CVE-2020-6388 CVE-2020-6387 CVE-2020-6386
                   CVE-2020-6385 CVE-2020-6384 CVE-2020-6383
                   CVE-2020-6382 CVE-2020-6381 CVE-2019-19926
                   CVE-2019-19925 CVE-2019-19923 CVE-2019-19880
                   CVE-2019-1992

Reference:         ASB-2020.0053
                   ASB-2020.0052
                   ASB-2020.0034
                   ASB-2019.0065
                   ESB-2020.0848
                   ESB-2020.0537

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4638

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4638-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 10, 2020                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926
                 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384
                 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388
                 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392
                 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396
                 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400
                 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404
                 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408
                 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412
                 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416
                 CVE-2020-6418 CVE-2020-6420

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-19880

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19923

    Richard Lorenz discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-19925

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19926

    Richard Lorenz discovered an implementation error in the sqlite library.

CVE-2020-6381

    UK's National Cyber Security Centre discovered an integer overflow issue
    in the v8 javascript library.

CVE-2020-6382

    Soyeon Park and Wen Xu discovered a type error in the v8 javascript
    library.

CVE-2020-6383

    Sergei Glazunov discovered a type error in the v8 javascript library.

CVE-2020-6384

    David Manoucheri discovered a use-after-free issue in WebAudio.

CVE-2020-6385

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6386

    Zhe Jin discovered a use-after-free issue in speech processing.

CVE-2020-6387

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6388

    Sergei Glazunov discovered an out-of-bounds read error in the WebRTC
    implementation.

CVE-2020-6389

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6390

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6391

    Michał Bentkowski discovered that untrusted input was insufficiently
    validated.

CVE-2020-6392

    The Microsoft Edge Team discovered a policy enforcement error.

CVE-2020-6393

    Mark Amery discovered a policy enforcement error.

CVE-2020-6394

    Phil Freo discovered a policy enforcement error.

CVE-2020-6395

    Pierre Langlois discovered an out-of-bounds read error in the v8
    javascript library.

CVE-2020-6396

    William Luc Ritchie discovered an error in the skia library.

CVE-2020-6397

    Khalil Zhani discovered a user interface error.

CVE-2020-6398

    pdknsk discovered an uninitialized variable in the pdfium library.

CVE-2020-6399

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6400

    Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.

CVE-2020-6401

    Tzachy Horesh discovered that user input was insufficiently validated.

CVE-2020-6402

    Vladimir Metnew discovered a policy enforcement error.

CVE-2020-6403

    Khalil Zhani discovered a user interface error.

CVE-2020-6404

    kanchi discovered an error in Blink/Webkit.

CVE-2020-6405

    Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the
    sqlite library.

CVE-2020-6406

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6407

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6408

    Zhong Zhaochen discovered a policy enforcement error in Cross-Origin
    Resource Sharing.

CVE-2020-6409

    Divagar S and Bharathi V discovered an error in the omnibox
    implementation.

CVE-2020-6410

    evil1m0 discovered a policy enforcement error.

CVE-2020-6411

    Khalil Zhani discovered that user input was insufficiently validated.

CVE-2020-6412

    Zihan Zheng discovered that user input was insufficiently validated.

CVE-2020-6413

    Michał Bentkowski discovered an error in Blink/Webkit.

CVE-2020-6414

    Lijo A.T discovered a policy safe browsing policy enforcement error.

CVE-2020-6415

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6416

    Woojin Oh discovered that untrusted input was insufficiently validated.

CVE-2020-6418

    Clement Lecigne discovered a type error in the v8 javascript library.

CVE-2020-6420

    Taras Uzdenov discovered a policy enforcement error.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.132-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================