===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.0525.2
                         chromium security update
                             28 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5784 CVE-2019-5783 CVE-2019-5782
                   CVE-2019-5781 CVE-2019-5780 CVE-2019-5779
                   CVE-2019-5778 CVE-2019-5777 CVE-2019-5776
                   CVE-2019-5775 CVE-2019-5774 CVE-2019-5773
                   CVE-2019-5772 CVE-2019-5770 CVE-2019-5769
                   CVE-2019-5768 CVE-2019-5767 CVE-2019-5766
                   CVE-2019-5765 CVE-2019-5764 CVE-2019-5763
                   CVE-2019-5762 CVE-2019-5760 CVE-2019-5759
                   CVE-2019-5758 CVE-2019-5757 CVE-2019-5756
                   CVE-2019-5755 CVE-2019-5754 CVE-2018-17481

Reference:         ASB-2019.0048
                   ASB-2019.0044
                   ESB-2019.0426

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4395

Revision History:  February 28 2019: Update DSA-4395-2 due to regression.
                   February 20 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4395-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 18, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2018-17481 CVE-2019-5754 CVE-2019-5755 CVE-2019-5756
                 CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760
                 CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765
                 CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769
                 CVE-2019-5770 CVE-2019-5772 CVE-2019-5773 CVE-2019-5774
                 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777 CVE-2019-5778
                 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5782
                 CVE-2019-5783 CVE-2019-5784

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17481

    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5754

    Klzgrad discovered an error in the QUIC networking implementation.

CVE-2019-5755

    Jay Bosamiya discovered an implementation error in the v8 javascript
    library.

CVE-2019-5756

    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5757

    Alexandru Pitis discovered a type confusion error in the SVG image
    format implementation.

CVE-2019-5758

    Zhe Jin discovered a use-after-free issue in blink/webkit.

CVE-2019-5759

    Almog Benin discovered a use-after-free issue when handling HTML pages
    containing select elements.

CVE-2019-5760

    Zhe Jin discovered a use-after-free issue in the WebRTC implementation.

CVE-2019-5762

    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5763

    Guang Gon discovered an input validation error in the v8 javascript
    library.

CVE-2019-5764

    Eyal Itkin discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2019-5765

    Sergey Toshin discovered a policy enforcement error.

CVE-2019-5766

    David Erceg discovered a policy enforcement error.

CVE-2019-5767

    Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error
    in the WebAPKs user interface.

CVE-2019-5768

    Rob Wu discovered a policy enforcement error in the developer tools.

CVE-2019-5769

    Guy Eshel discovered an input validation error in blink/webkit.

CVE-2019-5770

    hemidallt discovered a buffer overflow issue in the WebGL
    implementation.

CVE-2019-5772

    Zhen Zhou discovered a use-after-free issue in the pdfium library.

CVE-2019-5773

    Yongke Wong discovered an input validation error in the IndexDB
    implementation.

CVE-2019-5774

    Jnghwan Kang and Juno Im discovered an input validation error in the
    SafeBrowsing implementation.

CVE-2019-5775

    evil1m0 discovered a policy enforcement error.

CVE-2019-5776

    Lnyas Zhang discovered a policy enforcement error.

CVE-2019-5777

    Khalil Zhani discovered a policy enforcement error.

CVE-2019-5778

    David Erceg discovered a policy enforcement error in the Extensions
    implementation.

CVE-2019-5779

    David Erceg discovered a policy enforcement error in the ServiceWorker
    implementation.

CVE-2019-5780

    Andreas Hegenberg discovered a policy enforcement error.

CVE-2019-5781

    evil1m0 discovered a policy enforcement error.

CVE-2019-5782

    Qixun Zhao discovered an implementation error in the v8 javascript
    library.

CVE-2019-5783

    Shintaro Kobori discovered an input validation error in the developer
    tools.

CVE-2019-5784

    Lucas Pinheiro discovered an implementation error in the v8 javascript
    library.

For the stable distribution (stretch), these problems have been fixed in
version 72.0.3626.96-1~deb9u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

=================================================================================

-------------------------------------------------------------------------
Debian Security Advisory DSA-4395-2                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 26, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 922794 923298

A regression was introduced in the previous chromium security update.  The
browser would always crash when launched in headless mode.  This update
fixes this problem.  A file conflict with the buster chromium packages is
also fixed.

For the stable distribution (stretch), this problem has been fixed in
version 72.0.3626.96-1~deb9u2.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.