-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4226
                         chromium security update
                             11 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13721 CVE-2019-13720 CVE-2019-13719
                   CVE-2019-13718 CVE-2019-13717 CVE-2019-13716
                   CVE-2019-13715 CVE-2019-13714 CVE-2019-13713
                   CVE-2019-13711 CVE-2019-13710 CVE-2019-13709
                   CVE-2019-13708 CVE-2019-13707 CVE-2019-13706
                   CVE-2019-13705 CVE-2019-13704 CVE-2019-13703
                   CVE-2019-13702 CVE-2019-13701 CVE-2019-13700
                   CVE-2019-13699 CVE-2019-13697 CVE-2019-13696
                   CVE-2019-13695 CVE-2019-13694 CVE-2019-13693
                   CVE-2019-13692 CVE-2019-13691 CVE-2019-13688
                   CVE-2019-13687 CVE-2019-13686 CVE-2019-13685
                   CVE-2019-13683 CVE-2019-13682 CVE-2019-13681
                   CVE-2019-13680 CVE-2019-13679 CVE-2019-13678
                   CVE-2019-13677 CVE-2019-13676 CVE-2019-13675
                   CVE-2019-13674 CVE-2019-13673 CVE-2019-13671
                   CVE-2019-13670 CVE-2019-13669 CVE-2019-13668
                   CVE-2019-13667 CVE-2019-13666 CVE-2019-13665
                   CVE-2019-13664 CVE-2019-13663 CVE-2019-13662
                   CVE-2019-13661 CVE-2019-13660 CVE-2019-13659
                   CVE-2019-5880 CVE-2019-5879 CVE-2019-5878
                   CVE-2019-5877 CVE-2019-5876 CVE-2019-5875
                   CVE-2019-5874 CVE-2019-5872 CVE-2019-5871
                   CVE-2019-5870 CVE-2019-5869 

Reference:         ASB-2019.0308
                   ASB-2019.0251
                   ESB-2019.4166
                   ESB-2019.4001
                   ESB-2019.3378

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4562

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - --------------------------------------------------------------------------
Debian Security Advisory DSA-4562-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 10, 2019                     https://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872
                 CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877
                 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659
                 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663
                 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667
                 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671
                 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676
                 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680
                 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685
                 CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691
                 CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695
                 CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700
                 CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704
                 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708
                 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713
                 CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717
                 CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 CVE-2019-13721

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5869

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5870

    Guang Gong discovered a use-after-free issue.

CVE-2019-5871

    A buffer overflow issue was discovered in the skia library.

CVE-2019-5872

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5874

    James Lee discovered an issue with external Uniform Resource Identifiers.

CVE-2019-5875

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-5876

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-5877

    Guang Gong discovered an out-of-bounds read issue.

CVE-2019-5878

    Guang Gong discovered an use-after-free issue in the v8 javascript
    library.

CVE-2019-5879

    Jinseo Kim discover that extensions could read files on the local
    system.

CVE-2019-5880

    Jun Kokatsu discovered a way to bypass the SameSite cookie feature.

CVE-2019-13659

    Lnyas Zhang discovered a URL spoofing issue.

CVE-2019-13660

    Wenxu Wu discovered a user interface error in full screen mode.

CVE-2019-13661

    Wenxu Wu discovered a user interface spoofing issue in full screen mode.

CVE-2019-13662

    David Erceg discovered a way to bypass the Content Security Policy.

CVE-2019-13663

    Lnyas Zhang discovered a way to spoof Internationalized Domain Names.

CVE-2019-13664

    Thomas Shadwell discovered a way to bypass the SameSite cookie feature.

CVE-2019-13665

    Jun Kokatsu discovered a way to bypass the multiple file download
    protection feature.

CVE-2019-13666

    Tom Van Goethem discovered an information leak.

CVE-2019-13667

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-13668

    David Erceg discovered an information leak.

CVE-2019-13669

    Khalil Zhani discovered an authentication spoofing issue.

CVE-2019-13670

    Guang Gong discovered a memory corruption issue in the v8 javascript
    library.

CVE-2019-13671

    xisigr discovered a user interface error.

CVE-2019-13673

    David Erceg discovered an information leak.

CVE-2019-13674

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

CVE-2019-13675

    Jun Kokatsu discovered a way to disable extensions.

CVE-2019-13676

    Wenxu Wu discovered an error in a certificate warning.

CVE-2019-13677

    Jun Kokatsu discovered an error in the chrome web store.

CVE-2019-13678

    Ronni Skansing discovered a spoofing issue in the download dialog window.

CVE-2019-13679

    Conrad Irwin discovered that user activation was not required for
    printing.

CVE-2019-13680

    Thijs Alkamade discovered an IP address spoofing issue.

CVE-2019-13681

    David Erceg discovered a way to bypass download restrictions.

CVE-2019-13682

    Jun Kokatsu discovered a way to bypass the site isolation feature.

CVE-2019-13683

    David Erceg discovered an information leak.

CVE-2019-13685

    Khalil Zhani discovered a use-after-free issue.

CVE-2019-13686

    Brendon discovered a use-after-free issue.

CVE-2019-13687

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13688

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13691

    David Erceg discovered a user interface spoofing issue.

CVE-2019-13692

    Jun Kokatsu discovered a way to bypass the Same Origin Policy.

CVE-2019-13693

    Guang Gong discovered a use-after-free issue.

CVE-2019-13694

    banananapenguin discovered a use-after-free issue.

CVE-2019-13695

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13696

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

CVE-2019-13697

    Luan Herrera discovered an information leak.

CVE-2019-13699

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13700

    Man Yue Mo discovered a buffer overflow issue.

CVE-2019-13701

    David Erceg discovered a URL spoofing issue.

CVE-2019-13702

    Phillip Langlois and Edward Torkington discovered a privilege escalation
    issue in the installer.

CVE-2019-13703

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-13704

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

CVE-2019-13705

    Luan Herrera discovered a way to bypass extension permissions.

CVE-2019-13706

    pdknsk discovered an out-of-bounds read issue in the pdfium library.

CVE-2019-13707

    Andrea Palazzo discovered an information leak.

CVE-2019-13708

    Khalil Zhani discovered an authentication spoofing issue.

CVE-2019-13709

    Zhong Zhaochen discovered a way to bypass download restrictions.

CVE-2019-13710

    bernardo.mrod discovered a way to bypass download restrictions.

CVE-2019-13711

    David Erceg discovered an information leak.

CVE-2019-13713

    David Erceg discovered an information leak.

CVE-2019-13714

    Jun Kokatsu discovered an issue with Cascading Style Sheets.

CVE-2019-13715

    xisigr discovered a URL spoofing issue.

CVE-2019-13716

    Barron Hagerman discovered an error in the service worker implementation.

CVE-2019-13717

    xisigr discovered a user interface spoofing issue.

CVE-2019-13718

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

CVE-2019-13719

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2019-13720

    Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.

CVE-2019-13721

   banananapenguin discovered a use-after-free issue in the pdfium library.

For the oldstable distribution (stretch), support for chromium has been
discontinued.  Please upgrade to the stable release (buster) to continue
receiving chromium updates or switch to firefox, which continues to be
supported in the oldstable release.

For the stable distribution (buster), these problems have been fixed in
version 78.0.3904.97-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3IYPMACgkQEMKTtsN8
TjarCw//cLfuU3jwfGHyW0ZY/04XHbGZqtiXyzf8+g/TYg4EYB9YDKWjMMOVU7hP
U9K99gbo7WGFWDqOx25VpGRNqMUJiNh2Ay9KdbN/55W6vhQhr4Trg4g9FLhbNybq
aqP/F2ivY48sE+p6aMCN6sCYB8IY524vKSexnh45eepA5pqrK0vaNX9rWBOe8DRV
v65zbfidkCbgl8yOP4SQAixe3NUIHzAEV8+sXnnpLQY3IcSjEPwf0igYeIJyNbF6
UV1TmgTOY0/979Aas/K/03Gu+TCNSAOZdgXohXzdToNsFJkQB3n5qfI0bewZ1Lsg
GUAxgo6+72aEzim2XDWz3Vd+y3EuxpPzRRlE+lC+7GcBpjJtEXJEA3U0bJYHxfhH
+QbXDa3yfPSds7dSKOMwAPxwB+hwSqkyIlkuhlUnKlEaND+8Ndukd36/6Yk7loqQ
yNZOaPJNw5naaLUOrTGqI1BWeH7RZPvtYQdgQmoxSw9AQuhaYNKsfHiurcSnVPPt
xu2Kem4kMDraK6xJH5T6tKGGQF7/ih/+vtX6lkh05ZWBXDCeEYLPBVxkbWmb3EZ6
2PdHlmpxTIA8RJ3Nb3jc6eNksW7HpzMuKGcE52my/tEQCgBrUAHqUAtsYJNhbrF2
svfh2Zkhi/fbVhzk62Q1H0SiuvYoB/fa7aEwTulvJkbZB7eIbX8=
=6vq3
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXci/sWaOgq3Tt24GAQgThg/5AZwtSQEm+nWMewqLEXvzAq+kHI/jus8U
4NJ0iIHpMjKF7oR7Cl8ElUN7xOTEhixL9gPfNPSOGrS7LZcIvfIr9q5B+2GHUJnt
ox33SP+SmnLFTQDD9oc8Z60qRR/YCLb9HLoDkunRitdmriz2mYEGZyTygjnQV6eP
cU8mEBOHPEeCY4GJZCyMjLlarei82mL1Lji1nSVcj+iNPidTSJpHaSaVMfUf+/dE
0frVJv2g54wTgWAjYx2xGbWJqNxCp63gAP0WROYaquN9rjNDZokGN5kWLVuFOVJe
ABLUXhOBKFGHm+1NBwdibJPlkwPD78j8JZ3W4UkFf+T/PEm/xXdJhRgZd+Q6PGzL
TS/pOgJ84eMpDvmeX6S+VYMpN3xO0JKhYgo13OZFRnNAgEqcj705zNkWHP2i1ycZ
52EoG6nOF1W1H0PcFEm434DAO0GxJrCma2xpiKy8Y/V1zFzUcZ7n6i+++1i7aNnp
mKwy/OJqwrX48+IXlu89vJ5SdpXIGnKdxJ1vLjrkdVSSWtD/0eltMFm/KXljl5cu
80Peqfy/TsHjRDouvFjbIPq+nXKKefz2iiimRWKyNWnG7oW5BUztWxxFjTBIP9DL
uTLUKvWsUKzLwGzpxrb+KeOedMXgnlp5fETO+bzBGksx1RChKI0HBIv6hcqzoNWL
yUUssIukVTU=
=uke/
-----END PGP SIGNATURE-----