Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3085 chromium security update 13 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: chromium Publisher: Debian Operating System: Debian GNU/Linux 10 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2019-5868 CVE-2019-5867 CVE-2019-5865 CVE-2019-5864 CVE-2019-5862 CVE-2019-5861 CVE-2019-5860 CVE-2019-5859 CVE-2019-5858 CVE-2019-5857 CVE-2019-5856 CVE-2019-5855 CVE-2019-5854 CVE-2019-5853 CVE-2019-5852 CVE-2019-5851 CVE-2019-5850 CVE-2019-5849 CVE-2019-5848 CVE-2019-5847 CVE-2019-5842 CVE-2019-5840 CVE-2019-5839 CVE-2019-5838 CVE-2019-5837 CVE-2019-5836 CVE-2019-5834 CVE-2019-5833 CVE-2019-5832 CVE-2019-5831 CVE-2019-5830 CVE-2019-5829 CVE-2019-5828 CVE-2019-5827 CVE-2019-5826 CVE-2019-5825 CVE-2019-5824 CVE-2019-5823 CVE-2019-5822 CVE-2019-5821 CVE-2019-5820 CVE-2019-5819 CVE-2019-5818 CVE-2019-5815 CVE-2019-5814 CVE-2019-5813 CVE-2019-5811 CVE-2019-5810 CVE-2019-5809 CVE-2019-5808 CVE-2019-5807 CVE-2019-5806 CVE-2019-5805 Reference: ASB-2019.0228 ASB-2019.0225 ASB-2019.0196 ASB-2019.0131 ESB-2019.2210 ESB-2019.1608 Original Bulletin: http://www.debian.org/security/2019/dsa-4500 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4500-1 security@debian.org https://www.debian.org/security/ Michael Gilbert August 12, 2019 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2019-5805 CVE-2019-5806 CVE-2019-5807 CVE-2019-5808 CVE-2019-5809 CVE-2019-5810 CVE-2019-5811 CVE-2019-5813 CVE-2019-5814 CVE-2019-5815 CVE-2019-5818 CVE-2019-5819 CVE-2019-5820 CVE-2019-5821 CVE-2019-5822 CVE-2019-5823 CVE-2019-5824 CVE-2019-5825 CVE-2019-5826 CVE-2019-5827 CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 CVE-2019-5842 CVE-2019-5847 CVE-2019-5848 CVE-2019-5849 CVE-2019-5850 CVE-2019-5851 CVE-2019-5852 CVE-2019-5853 CVE-2019-5854 CVE-2019-5855 CVE-2019-5856 CVE-2019-5857 CVE-2019-5858 CVE-2019-5859 CVE-2019-5860 CVE-2019-5861 CVE-2019-5862 CVE-2019-5864 CVE-2019-5865 CVE-2019-5867 CVE-2019-5868 Several vulnerabilities have been discovered in the chromium web browser. CVE-2019-5805 A use-after-free issue was discovered in the pdfium library. CVE-2019-5806 Wen Xu discovered an integer overflow issue in the Angle library. CVE-2019-5807 TimGMichaud discovered a memory corruption issue in the v8 javascript library. CVE-2019-5808 cloudfuzzer discovered a use-after-free issue in Blink/Webkit. CVE-2019-5809 Mark Brand discovered a use-after-free issue in Blink/Webkit. CVE-2019-5810 Mark Amery discovered an information disclosure issue. CVE-2019-5811 Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing feature. CVE-2019-5813 Aleksandar Nikolic discovered an out-of-bounds read issue in the v8 javascript library. CVE-2019-5814 @AaylaSecura1138 discovered a way to bypass the Cross-Origin Resource Sharing feature. CVE-2019-5815 Nicolas Grégoire discovered a buffer overflow issue in Blink/Webkit. CVE-2019-5818 Adrian Tolbaru discovered an uninitialized value issue. CVE-2019-5819 Svyat Mitin discovered an error in the developer tools. CVE-2019-5820 pdknsk discovered an integer overflow issue in the pdfium library. CVE-2019-5821 pdknsk discovered another integer overflow issue in the pdfium library. CVE-2019-5822 Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing feature. CVE-2019-5823 David Erceg discovered a navigation error. CVE-2019-5824 leecraso and Guang Gong discovered an error in the media player. CVE-2019-5825 Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered an out-of-bounds write issue in the v8 javascript library. CVE-2019-5826 Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered a use-after-free issue. CVE-2019-5827 mlfbrown discovered an out-of-bounds read issue in the sqlite library. CVE-2019-5828 leecraso and Guang Gong discovered a use-after-free issue. CVE-2019-5829 Lucas Pinheiro discovered a use-after-free issue. CVE-2019-5830 Andrew Krashichkov discovered a credential error in the Cross-Origin Resource Sharing feature. CVE-2019-5831 yngwei discovered a map error in the v8 javascript library. CVE-2019-5832 Sergey Shekyan discovered an error in the Cross-Origin Resource Sharing feature. CVE-2019-5833 Khalil Zhani discovered a user interface error. CVE-2019-5834 Khalil Zhani discovered a URL spoofing issue. CVE-2019-5836 Omair discovered a buffer overflow issue in the Angle library. CVE-2019-5837 Adam Iawniuk discovered an information disclosure issue. CVE-2019-5838 David Erceg discovered an error in extension permissions. CVE-2019-5839 Masato Kinugawa discovered implementation errors in Blink/Webkit. CVE-2019-5840 Eliya Stein and Jerome Dangu discovered a way to bypass the popup blocker. CVE-2019-5842 BUGFENSE discovered a use-after-free issue in Blink/Webkit. CVE-2019-5847 m3plex discovered an error in the v8 javascript library. CVE-2019-5848 Mark Amery discovered an information disclosure issue. CVE-2019-5849 Zhen Zhou discovered an out-of-bounds read in the Skia library. CVE-2019-5850 Brendon Tiszka discovered a use-after-free issue in the offline page fetcher. CVE-2019-5851 Zhe Jin discovered a use-after-poison issue. CVE-2019-5852 David Erceg discovered an information disclosure issue. CVE-2019-5853 Yngwei and sakura discovered a memory corruption issue. CVE-2019-5854 Zhen Zhou discovered an integer overflow issue in the pdfium library. CVE-2019-5855 Zhen Zhou discovered an integer overflow issue in the pdfium library. CVE-2019-5856 Yongke Wang discovered an error related to file system URL permissions. CVE-2019-5857 cloudfuzzer discovered a way to crash chromium. CVE-2019-5858 evil1m0 discovered an information disclosure issue. CVE-2019-5859 James Lee discovered a way to launch alternative browsers. CVE-2019-5860 A use-after-free issue was discovered in the v8 javascript library. CVE-2019-5861 Robin Linus discovered an error determining click location. CVE-2019-5862 Jun Kokatsu discovered an error in the AppCache implementation. CVE-2019-5864 Devin Grindle discovered an error in the Cross-Origin Resourse Sharing feature for extensions. CVE-2019-5865 Ivan Fratric discovered a way to bypass the site isolation feature. CVE-2019-5867 Lucas Pinheiro discovered an out-of-bounds read issue in the v8 javascript library. CVE-2019-5868 banananapenguin discovered a use-after-free issue in the v8 javascript library. For the stable distribution (buster), these problems have been fixed in version 76.0.3809.100-1~deb10u1. We recommend that you upgrade your chromium packages. For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1SR9VfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QDbxAAhaq23j1gqSxJi5stWewT4rYfirfgWGkuHoCwSwNzdgeQ0bq3jcMFPXUs kSq4rr6pHfCQlYZHVvi5nUZm3VX67GhMDBNltd/NBr+eDQdVnyTegvBcKHqzzOMu eZGbEUIe+QdetYCwbJKUhmdwE1aMCtH0z1YzfTj56hrpviFSTOxeGmC/JNr8nnzB gOBAwAKDFhPRg+bO7Hy/m9AqX/2o5xJRIsrcA0jTfF3fq8xcWBpEbHhWlJgd/ttq rwfku9Mq2rt0z4woBZ6XA9XblnX86wzX5TfV5VZzt7nUA7DFjdPsyd5du4VoDGAs SMQGuyfouAQ8Ow9GMKcqJYFr9+ngZQgF1spv1R2zwFVDGPTTIPPC8ON6oMIK7DF6 ctujRCq8OZoR7x/gpvFcq8wiMrxY2hLdg0DLvKp5za4cx5Cfd/dqer4Yzpbj40WP bZgJHVc9wL+BSh1eVC+aQYu31imHiS11Vy9AAHSlyxFpU6JZLa95XF0KFjo+slxJ Ie7CN8b/yZE2YOC1Swk/JfK+TwcYJ48js3KLqzzLHAFDP1nfGhM2n60WqUfREtVO j1clkbicUZixmSP9KhZ5GU/Bdn9p75yUeglvRvPLQiuel1g4b5C72e5VkVoj+w5I zRs5TuLpmLUkdB0QGGxW2Ke6+p3EPyWU1NKvStH0l1OthqVCxOE= =WAY4 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXVJTGWaOgq3Tt24GAQgMCg/+K69hmsNESCnnLwOtiDRkHtZXSWtVOhaV 12K+ldndVRt5yYBJirw+o1KN/CSNsivDAb8YCr6eLxo/pMejITDzGpb+fWlpmZ37 Uy0KviIrQRxeAVunM7mdCi8x+ICjfBD1p0ySvIGf+0hWpPqVi2lpty3i52goGKlh BM/zRltpHCbaAn8k36ysrmQJA/MYfTAxiz5Z+dd6xXfFqAIxeOEwRR+PTu++ciyF che+uuqdiEgUwvy1DdhIWCytf0mopdalJEhHMK46pNaa9z1SGcr71RxPfLYDj2u1 MmHC+zj0No3lTtW6YWdD+uwRVmF0szGsNqy185nHKp3c68BaHye6R4XgoLfiueDX NCDIFnEN4Yj8GUuTNU/Jkr98eHdkq0dA0SKom9G9+S3I5AJo0AJu82pyAkyIu1dP Bwuq82ZW0ybkL7oe66hbQGydawBHJqKhKb9O3RYSthvugHT5+qRhpchbQtpwtpDa Gn1E5eJa0HnW5c9QvgwGXJ1nxW0rYf3il+CaMV7/Q+dVI04i20COnZOhbb1yZtRl hCVdgL12m2K5JncDkXeyblSzFQDI5T+LzlSDB28UPoMfbBL5EhGCSXHNFOVumzqh h0rP5m5zqOBiT2lgZ7Kde0WReF4ppNzJJGXH7tdGk6yXc99PtD33qH7FoOYCdk0h TyShj7DO3uo= =ujLs -----END PGP SIGNATURE-----