Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4226 chromium security update 11 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: chromium Publisher: Debian Operating System: Debian GNU/Linux 10 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-13721 CVE-2019-13720 CVE-2019-13719 CVE-2019-13718 CVE-2019-13717 CVE-2019-13716 CVE-2019-13715 CVE-2019-13714 CVE-2019-13713 CVE-2019-13711 CVE-2019-13710 CVE-2019-13709 CVE-2019-13708 CVE-2019-13707 CVE-2019-13706 CVE-2019-13705 CVE-2019-13704 CVE-2019-13703 CVE-2019-13702 CVE-2019-13701 CVE-2019-13700 CVE-2019-13699 CVE-2019-13697 CVE-2019-13696 CVE-2019-13695 CVE-2019-13694 CVE-2019-13693 CVE-2019-13692 CVE-2019-13691 CVE-2019-13688 CVE-2019-13687 CVE-2019-13686 CVE-2019-13685 CVE-2019-13683 CVE-2019-13682 CVE-2019-13681 CVE-2019-13680 CVE-2019-13679 CVE-2019-13678 CVE-2019-13677 CVE-2019-13676 CVE-2019-13675 CVE-2019-13674 CVE-2019-13673 CVE-2019-13671 CVE-2019-13670 CVE-2019-13669 CVE-2019-13668 CVE-2019-13667 CVE-2019-13666 CVE-2019-13665 CVE-2019-13664 CVE-2019-13663 CVE-2019-13662 CVE-2019-13661 CVE-2019-13660 CVE-2019-13659 CVE-2019-5880 CVE-2019-5879 CVE-2019-5878 CVE-2019-5877 CVE-2019-5876 CVE-2019-5875 CVE-2019-5874 CVE-2019-5872 CVE-2019-5871 CVE-2019-5870 CVE-2019-5869 Reference: ASB-2019.0308 ASB-2019.0251 ESB-2019.4166 ESB-2019.4001 ESB-2019.3378 Original Bulletin: http://www.debian.org/security/2019/dsa-4562 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - -------------------------------------------------------------------------- Debian Security Advisory DSA-4562-1 security@debian.org https://www.debian.org/security/ Michael Gilbert November 10, 2019 https://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685 CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691 CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695 CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700 CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713 CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717 CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 CVE-2019-13721 Several vulnerabilities have been discovered in the chromium web browser. CVE-2019-5869 Zhe Jin discovered a use-after-free issue. CVE-2019-5870 Guang Gong discovered a use-after-free issue. CVE-2019-5871 A buffer overflow issue was discovered in the skia library. CVE-2019-5872 Zhe Jin discovered a use-after-free issue. CVE-2019-5874 James Lee discovered an issue with external Uniform Resource Identifiers. CVE-2019-5875 Khalil Zhani discovered a URL spoofing issue. CVE-2019-5876 Man Yue Mo discovered a use-after-free issue. CVE-2019-5877 Guang Gong discovered an out-of-bounds read issue. CVE-2019-5878 Guang Gong discovered an use-after-free issue in the v8 javascript library. CVE-2019-5879 Jinseo Kim discover that extensions could read files on the local system. CVE-2019-5880 Jun Kokatsu discovered a way to bypass the SameSite cookie feature. CVE-2019-13659 Lnyas Zhang discovered a URL spoofing issue. CVE-2019-13660 Wenxu Wu discovered a user interface error in full screen mode. CVE-2019-13661 Wenxu Wu discovered a user interface spoofing issue in full screen mode. CVE-2019-13662 David Erceg discovered a way to bypass the Content Security Policy. CVE-2019-13663 Lnyas Zhang discovered a way to spoof Internationalized Domain Names. CVE-2019-13664 Thomas Shadwell discovered a way to bypass the SameSite cookie feature. CVE-2019-13665 Jun Kokatsu discovered a way to bypass the multiple file download protection feature. CVE-2019-13666 Tom Van Goethem discovered an information leak. CVE-2019-13667 Khalil Zhani discovered a URL spoofing issue. CVE-2019-13668 David Erceg discovered an information leak. CVE-2019-13669 Khalil Zhani discovered an authentication spoofing issue. CVE-2019-13670 Guang Gong discovered a memory corruption issue in the v8 javascript library. CVE-2019-13671 xisigr discovered a user interface error. CVE-2019-13673 David Erceg discovered an information leak. CVE-2019-13674 Khalil Zhani discovered a way to spoof Internationalized Domain Names. CVE-2019-13675 Jun Kokatsu discovered a way to disable extensions. CVE-2019-13676 Wenxu Wu discovered an error in a certificate warning. CVE-2019-13677 Jun Kokatsu discovered an error in the chrome web store. CVE-2019-13678 Ronni Skansing discovered a spoofing issue in the download dialog window. CVE-2019-13679 Conrad Irwin discovered that user activation was not required for printing. CVE-2019-13680 Thijs Alkamade discovered an IP address spoofing issue. CVE-2019-13681 David Erceg discovered a way to bypass download restrictions. CVE-2019-13682 Jun Kokatsu discovered a way to bypass the site isolation feature. CVE-2019-13683 David Erceg discovered an information leak. CVE-2019-13685 Khalil Zhani discovered a use-after-free issue. CVE-2019-13686 Brendon discovered a use-after-free issue. CVE-2019-13687 Man Yue Mo discovered a use-after-free issue. CVE-2019-13688 Man Yue Mo discovered a use-after-free issue. CVE-2019-13691 David Erceg discovered a user interface spoofing issue. CVE-2019-13692 Jun Kokatsu discovered a way to bypass the Same Origin Policy. CVE-2019-13693 Guang Gong discovered a use-after-free issue. CVE-2019-13694 banananapenguin discovered a use-after-free issue. CVE-2019-13695 Man Yue Mo discovered a use-after-free issue. CVE-2019-13696 Guang Gong discovered a use-after-free issue in the v8 javascript library. CVE-2019-13697 Luan Herrera discovered an information leak. CVE-2019-13699 Man Yue Mo discovered a use-after-free issue. CVE-2019-13700 Man Yue Mo discovered a buffer overflow issue. CVE-2019-13701 David Erceg discovered a URL spoofing issue. CVE-2019-13702 Phillip Langlois and Edward Torkington discovered a privilege escalation issue in the installer. CVE-2019-13703 Khalil Zhani discovered a URL spoofing issue. CVE-2019-13704 Jun Kokatsu discovered a way to bypass the Content Security Policy. CVE-2019-13705 Luan Herrera discovered a way to bypass extension permissions. CVE-2019-13706 pdknsk discovered an out-of-bounds read issue in the pdfium library. CVE-2019-13707 Andrea Palazzo discovered an information leak. CVE-2019-13708 Khalil Zhani discovered an authentication spoofing issue. CVE-2019-13709 Zhong Zhaochen discovered a way to bypass download restrictions. CVE-2019-13710 bernardo.mrod discovered a way to bypass download restrictions. CVE-2019-13711 David Erceg discovered an information leak. CVE-2019-13713 David Erceg discovered an information leak. CVE-2019-13714 Jun Kokatsu discovered an issue with Cascading Style Sheets. CVE-2019-13715 xisigr discovered a URL spoofing issue. CVE-2019-13716 Barron Hagerman discovered an error in the service worker implementation. CVE-2019-13717 xisigr discovered a user interface spoofing issue. CVE-2019-13718 Khalil Zhani discovered a way to spoof Internationalized Domain Names. CVE-2019-13719 Khalil Zhani discovered a user interface spoofing issue. CVE-2019-13720 Anton Ivanov and Alexey Kulaev discovered a use-after-free issue. CVE-2019-13721 banananapenguin discovered a use-after-free issue in the pdfium library. For the oldstable distribution (stretch), support for chromium has been discontinued. Please upgrade to the stable release (buster) to continue receiving chromium updates or switch to firefox, which continues to be supported in the oldstable release. For the stable distribution (buster), these problems have been fixed in version 78.0.3904.97-1~deb10u1. We recommend that you upgrade your chromium packages. For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3IYPMACgkQEMKTtsN8 TjarCw//cLfuU3jwfGHyW0ZY/04XHbGZqtiXyzf8+g/TYg4EYB9YDKWjMMOVU7hP U9K99gbo7WGFWDqOx25VpGRNqMUJiNh2Ay9KdbN/55W6vhQhr4Trg4g9FLhbNybq aqP/F2ivY48sE+p6aMCN6sCYB8IY524vKSexnh45eepA5pqrK0vaNX9rWBOe8DRV v65zbfidkCbgl8yOP4SQAixe3NUIHzAEV8+sXnnpLQY3IcSjEPwf0igYeIJyNbF6 UV1TmgTOY0/979Aas/K/03Gu+TCNSAOZdgXohXzdToNsFJkQB3n5qfI0bewZ1Lsg GUAxgo6+72aEzim2XDWz3Vd+y3EuxpPzRRlE+lC+7GcBpjJtEXJEA3U0bJYHxfhH +QbXDa3yfPSds7dSKOMwAPxwB+hwSqkyIlkuhlUnKlEaND+8Ndukd36/6Yk7loqQ yNZOaPJNw5naaLUOrTGqI1BWeH7RZPvtYQdgQmoxSw9AQuhaYNKsfHiurcSnVPPt xu2Kem4kMDraK6xJH5T6tKGGQF7/ih/+vtX6lkh05ZWBXDCeEYLPBVxkbWmb3EZ6 2PdHlmpxTIA8RJ3Nb3jc6eNksW7HpzMuKGcE52my/tEQCgBrUAHqUAtsYJNhbrF2 svfh2Zkhi/fbVhzk62Q1H0SiuvYoB/fa7aEwTulvJkbZB7eIbX8= =6vq3 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXci/sWaOgq3Tt24GAQgThg/5AZwtSQEm+nWMewqLEXvzAq+kHI/jus8U 4NJ0iIHpMjKF7oR7Cl8ElUN7xOTEhixL9gPfNPSOGrS7LZcIvfIr9q5B+2GHUJnt ox33SP+SmnLFTQDD9oc8Z60qRR/YCLb9HLoDkunRitdmriz2mYEGZyTygjnQV6eP cU8mEBOHPEeCY4GJZCyMjLlarei82mL1Lji1nSVcj+iNPidTSJpHaSaVMfUf+/dE 0frVJv2g54wTgWAjYx2xGbWJqNxCp63gAP0WROYaquN9rjNDZokGN5kWLVuFOVJe ABLUXhOBKFGHm+1NBwdibJPlkwPD78j8JZ3W4UkFf+T/PEm/xXdJhRgZd+Q6PGzL TS/pOgJ84eMpDvmeX6S+VYMpN3xO0JKhYgo13OZFRnNAgEqcj705zNkWHP2i1ycZ 52EoG6nOF1W1H0PcFEm434DAO0GxJrCma2xpiKy8Y/V1zFzUcZ7n6i+++1i7aNnp mKwy/OJqwrX48+IXlu89vJ5SdpXIGnKdxJ1vLjrkdVSSWtD/0eltMFm/KXljl5cu 80Peqfy/TsHjRDouvFjbIPq+nXKKefz2iiimRWKyNWnG7oW5BUztWxxFjTBIP9DL uTLUKvWsUKzLwGzpxrb+KeOedMXgnlp5fETO+bzBGksx1RChKI0HBIv6hcqzoNWL yUUssIukVTU= =uke/ -----END PGP SIGNATURE-----