-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2282
                         chromium security update
                                2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Denial of Service               -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6831 CVE-2020-6509 CVE-2020-6507
                   CVE-2020-6506 CVE-2020-6505 CVE-2020-6498
                   CVE-2020-6497 CVE-2020-6496 CVE-2020-6495
                   CVE-2020-6494 CVE-2020-6493 CVE-2020-6491
                   CVE-2020-6490 CVE-2020-6489 CVE-2020-6488
                   CVE-2020-6487 CVE-2020-6486 CVE-2020-6485
                   CVE-2020-6484 CVE-2020-6483 CVE-2020-6482
                   CVE-2020-6481 CVE-2020-6480 CVE-2020-6479
                   CVE-2020-6478 CVE-2020-6476 CVE-2020-6475
                   CVE-2020-6474 CVE-2020-6473 CVE-2020-6472
                   CVE-2020-6471 CVE-2020-6470 CVE-2020-6469
                   CVE-2020-6468 CVE-2020-6467 CVE-2020-6466
                   CVE-2020-6465 CVE-2020-6464 CVE-2020-6463
                   CVE-2020-6462 CVE-2020-6461 CVE-2020-6460
                   CVE-2020-6459 CVE-2020-6458 CVE-2020-6457
                   CVE-2020-6456 CVE-2020-6455 CVE-2020-6454
                   CVE-2020-6448 CVE-2020-6447 CVE-2020-6446
                   CVE-2020-6445 CVE-2020-6444 CVE-2020-6443
                   CVE-2020-6442 CVE-2020-6441 CVE-2020-6440
                   CVE-2020-6439 CVE-2020-6438 CVE-2020-6437
                   CVE-2020-6436 CVE-2020-6435 CVE-2020-6434
                   CVE-2020-6433 CVE-2020-6432 CVE-2020-6431
                   CVE-2020-6430 CVE-2020-6423 

Reference:         ESB-2020.2072
                   ESB-2020.2068
                   ESB-2020.1866
                   ESB-2020.1653

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4714

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 01, 2020                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432
                 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436
                 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440
                 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444
                 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448
                 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457
                 CVE-2020-6458 CVE-2020-6459 CVE-2020-6460 CVE-2020-6461
                 CVE-2020-6462 CVE-2020-6463 CVE-2020-6464 CVE-2020-6465
                 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469
                 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473
                 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478
                 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482
                 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486
                 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490
                 CVE-2020-6491 CVE-2020-6493 CVE-2020-6494 CVE-2020-6495
                 CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505
                 CVE-2020-6506 CVE-2020-6507 CVE-2020-6509 CVE-2020-6831

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2020-6423

    A use-after-free issue was found in the audio implementation.

CVE-2020-6430

    Avihay Cohen discovered a type confusion issue in the v8 javascript
    library.

CVE-2020-6431

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6432

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6433

    Luan Herrera discovered a policy enforcement error in extensions.

CVE-2020-6434

    HyungSeok Han discovered a use-after-free issue in the developer tools.

CVE-2020-6435

    Sergei Glazunov discovered a policy enforcement error in extensions.

CVE-2020-6436

    Igor Bukanov discovered a use-after-free issue.

CVE-2020-6437

    Jann Horn discovered an implementation error in WebView.

CVE-2020-6438

    Ng Yik Phang discovered a policy enforcement error in extensions.

CVE-2020-6439

    remkoboonstra discovered a policy enforcement error.

CVE-2020-6440

    David Erceg discovered an implementation error in extensions.

CVE-2020-6441

    David Erceg discovered a policy enforcement error.

CVE-2020-6442

    B@rMey discovered an implementation error in the page cache.

CVE-2020-6443

    @lovasoa discovered an implementation error in the developer tools.

CVE-2020-6444

    mlfbrown discovered an uninitialized variable in the WebRTC
    implementation.

CVE-2020-6445

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6446

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6447

    David Erceg discovered an implementation error in the developer tools.

CVE-2020-6448

    Guang Gong discovered a use-after-free issue in the v8 javascript
    library.

CVE-2020-6454

    Leecraso and Guang Gong discovered a use-after-free issue in extensions.

CVE-2020-6455

    Nan Wang and Guang Gong discovered an out-of-bounds read issue in the
    WebSQL implementation.

CVE-2020-6456

    Michał Bentkowski discovered insufficient validation of untrusted
    input.

CVE-2020-6457

    Leecraso and Guang Gong discovered a use-after-free issue in the speech
    recognizer.

CVE-2020-6458

    Aleksandar Nikolic discovered an out-of-bounds read and write issue in
    the pdfium library.

CVE-2020-6459

    Zhe Jin discovered a use-after-free issue in the payments
    implementation.

CVE-2020-6460

    It was discovered that URL formatting was insufficiently validated.

CVE-2020-6461

    Zhe Jin discovered a use-after-free issue.

CVE-2020-6462

    Zhe Jin discovered a use-after-free issue in task scheduling.

CVE-2020-6463

    Pawel Wylecial discovered a use-after-free issue in the ANGLE library.

CVE-2020-6464

    Looben Yang discovered a type confusion issue in Blink/Webkit.

CVE-2020-6465

    Woojin Oh discovered a use-after-free issue.

CVE-2020-6466

    Zhe Jin discovered a use-after-free issue.

CVE-2020-6467

    ZhanJia Song discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2020-6468

    Chris Salls and Jake Corina discovered a type confusion issue in the v8
    javascript library.

CVE-2020-6469

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6470

    Michał Bentkowski discovered insufficient validation of untrusted
    input.

CVE-2020-6471

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6472

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6473

    Soroush Karami and Panagiotis Ilia discovered a policy enforcement
    error in Blink/Webkit.

CVE-2020-6474

    Zhe Jin discovered a use-after-free issue in Blink/Webkit.

CVE-2020-6475

    Khalil Zhani discovered a user interface error.

CVE-2020-6476

    Alexandre Le Borgne discovered a policy enforcement error.

CVE-2020-6478

    Khalil Zhani discovered an implementation error in full screen mode.

CVE-2020-6479

    Zhong Zhaochen discovered an implementation error.

CVE-2020-6480

    Marvin Witt discovered a policy enforcement error.

CVE-2020-6481

    Rayyan Bijoora discovered a policy enforcement error.

CVE-2020-6482

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    developer tools.

CVE-2020-6483

    Jun Kokatsu discovered a policy enforcement error in payments.

CVE-2020-6484

    Artem Zinenko discovered insufficient validation of user data in the
    ChromeDriver implementation.

CVE-2020-6485

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6486

    David Erceg discovered a policy enforcement error.

CVE-2020-6487

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6488

    David Erceg discovered a policy enforcement error.

CVE-2020-6489

    @lovasoa discovered an implementation error in the developer tools.

CVE-2020-6490

    Insufficient validation of untrusted data was discovered.

CVE-2020-6491

    Sultan Haikal discovered a user interface error.

CVE-2020-6493

    A use-after-free issue was discovered in the WebAuthentication
    implementation.

CVE-2020-6494

    Juho Nurimen discovered a user interface error.

CVE-2020-6495

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6496

    Khalil Zhani discovered a use-after-free issue in payments.

CVE-2020-6497

    Rayyan Bijoora discovered a policy enforcement issue.

CVE-2020-6498

    Rayyan Bijoora discovered a user interface error.

CVE-2020-6505

    Khalil Zhani discovered a use-after-free issue.

CVE-2020-6506

    Alesandro Ortiz discovered a policy enforcement error.

CVE-2020-6507

    Sergei Glazunov discovered an out-of-bounds write issue in the v8
    javascript library.

CVE-2020-6509

    A use-after-free issue was discovered in extensions.

CVE-2020-6831

    Natalie Silvanovich discovered a buffer overflow issue in the SCTP
    library.

For the oldstable distribution (stretch), security support for chromium
has been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 83.0.4103.116-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----