-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0426
                         chromium security update
                              8 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21147 CVE-2021-21146 CVE-2021-21145
                   CVE-2021-21144 CVE-2021-21143 CVE-2021-21142
                   CVE-2021-21141 CVE-2021-21140 CVE-2021-21139
                   CVE-2021-21138 CVE-2021-21137 CVE-2021-21136
                   CVE-2021-21135 CVE-2021-21134 CVE-2021-21133
                   CVE-2021-21132 CVE-2021-21131 CVE-2021-21130
                   CVE-2021-21129 CVE-2021-21128 CVE-2021-21127
                   CVE-2021-21126 CVE-2021-21125 CVE-2021-21124
                   CVE-2021-21123 CVE-2021-21122 CVE-2021-21121
                   CVE-2021-21120 CVE-2021-21119 CVE-2021-21118
                   CVE-2021-21117 CVE-2020-16044 

Reference:         ASB-2021.0035
                   ESB-2021.0387
                   ESB-2021.0362
                   ESB-2021.0201
                   ESB-2021.0128

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-4846

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4846-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 07, 2021                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119
                 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
                 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127
                 CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131
                 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135
                 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
                 CVE-2021-21140 CVE-2021-21141 CVE-2021-21142 CVE-2021-21143
                 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2020-16044

    Ned Williamson discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2021-21117

    Rory McNamara discovered a policy enforcement issue in Cryptohome.

CVE-2021-21118

    Tyler Nighswander discovered a data validation issue in the V8 JavaScript
    library.

CVE-2021-21119

    A use-after-free issue was discovered in media handling.

CVE-2021-21120

    Nan Wang and Guang Gong discovered a use-after-free issue in the WebSQL
    implementation.

CVE-2021-21121

    Leecraso and Guang Gong discovered a use-after-free issue in the Omnibox.

CVE-2021-21122

    Renata Hodovan discovered a use-after-free issue in Blink/WebKit.

CVE-2021-21123

    Maciej Pulikowski discovered a data validation issue.

CVE-2021-21124

    Chaoyang Ding discovered a use-after-free issue in the speech recognizer.

CVE-2021-21125

    Ron Masas discovered a policy enforcement issue.

CVE-2021-21126

    David Erceg discovered a policy enforcement issue in extensions.

CVE-2021-21127

    Jasminder Pal Singh discovered a policy enforcement issue in extensions.

CVE-2021-21128

    Liang Dong discovered a buffer overflow issue in Blink/WebKit.

CVE-2021-21129

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21130

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21131

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21132

    David Erceg discovered an implementation error in the developer tools.

CVE-2021-21133

    wester0x01 discovered a policy enforcement issue.

CVE-2021-21134

    wester0x01 discovered a user interface error.

CVE-2021-21135

    ndevtk discovered an implementation error in the Performance API.

CVE-2021-21136

    Shiv Sahni, Movnavinothan V, and Imdad Mohammed discovered a policy
    enforcement error.

CVE-2021-21137

    bobbybear discovered an implementation error in the developer tools.

CVE-2021-21138

    Weipeng Jiang discovered a use-after-free issue in the developer tools.

CVE-2021-21139

    Jun Kokatsu discovered an implementation error in the iframe sandbox.

CVE-2021-21140

    David Manouchehri discovered uninitialized memory in the USB
    implementation.

CVE-2021-21141

    Maciej Pulikowski discovered a policy enforcement error.

CVE-2021-21142

    Khalil Zhani discovered a use-after-free issue.

CVE-2021-21143

    Allen Parker and Alex Morgan discovered a buffer overflow issue in
    extensions.

CVE-2021-21144

    Leecraso and Guang Gong discovered a buffer overflow issue.

CVE-2021-21145

    A use-after-free issue was discovered.

CVE-2021-21146

    Alison Huffman and Choongwoo Han discovered a use-after-free issue.

CVE-2021-21147

    Roman Starkov discovered an implementation error in the Skia library.

For the stable distribution (buster), these problems have been fixed in
version 88.0.4324.146-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================