-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1058
                         chromium security update
                               26 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6449 CVE-2020-6429 CVE-2020-6428
                   CVE-2020-6427 CVE-2020-6426 CVE-2020-6425
                   CVE-2020-6424 CVE-2020-6422 CVE-2019-20503

Reference:         ESB-2020.1014
                   ESB-2020.0993
                   ESB-2020.0878

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4645

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4645-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 22, 2020                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425
                 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429
                 CVE-2020-6449

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-20503

    Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp
    library.

CVE-2020-6422

    David Manouchehri discovered a use-after-free issue in the WebGL
    implementation.

CVE-2020-6424

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6425

    Sergei Glazunov discovered a policy enforcement error related to
    extensions.

CVE-2020-6426

    Avihay Cohen discovered an implementation error in the V8 JavaScript
    library.

CVE-2020-6427

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6428

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6429

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6449

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.149-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----