Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1158
chromium security update
7 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: chromium
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21199 CVE-2021-21198 CVE-2021-21197
CVE-2021-21196 CVE-2021-21195 CVE-2021-21194
CVE-2021-21193 CVE-2021-21192 CVE-2021-21191
CVE-2021-21190 CVE-2021-21189 CVE-2021-21188
CVE-2021-21187 CVE-2021-21186 CVE-2021-21185
CVE-2021-21184 CVE-2021-21183 CVE-2021-21182
CVE-2021-21181 CVE-2021-21180 CVE-2021-21179
CVE-2021-21178 CVE-2021-21177 CVE-2021-21176
CVE-2021-21175 CVE-2021-21174 CVE-2021-21173
CVE-2021-21172 CVE-2021-21171 CVE-2021-21170
CVE-2021-21169 CVE-2021-21168 CVE-2021-21167
CVE-2021-21166 CVE-2021-21165 CVE-2021-21163
CVE-2021-21162 CVE-2021-21161 CVE-2021-21160
CVE-2021-21159
Reference: ASB-2021.0058
ASB-2021.0049
ESB-2021.1107
ESB-2021.0906
Original Bulletin:
https://lists.debian.org/debian-security-announce/2021/msg00067.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4886-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
April 06, 2021 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162
CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167
CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171
CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175
CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179
CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183
CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187
CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191
CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195
CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199
Several vulnerabilites have been discovered in the chromium web browser.
CVE-2021-21159
Khalil Zhani disocvered a buffer overflow issue in the tab implementation.
CVE-2021-21160
Marcin Noga discovered a buffer overflow issue in WebAudio.
CVE-2021-21161
Khalil Zhani disocvered a buffer overflow issue in the tab implementation.
CVE-2021-21162
A use-after-free issue was discovered in the WebRTC implementation.
CVE-2021-21163
Alison Huffman discovered a data validation issue.
CVE-2021-21165
Alison Huffman discovered an error in the audio implementation.
CVE-2021-21166
Alison Huffman discovered an error in the audio implementation.
CVE-2021-21167
Leecraso and Guang Gong discovered a use-after-free issue in the bookmarks
implementation.
CVE-2021-21168
Luan Herrera discovered a policy enforcement error in the appcache.
CVE-2021-21169
Bohan Liu and Moon Liang discovered an out-of-bounds access issue in the
v8 javascript library.
CVE-2021-21170
David Erceg discovered a user interface error.
CVE-2021-21171
Irvan Kurniawan discovered a user interface error.
CVE-2021-21172
Maciej Pulikowski discovered a policy enforcement error in the File
System API.
CVE-2021-21173
Tom Van Goethem discovered a network based information leak.
CVE-2021-21174
Ashish Guatam Kambled discovered an implementation error in the Referrer
policy.
CVE-2021-21175
Jun Kokatsu discovered an implementation error in the Site Isolation
feature.
CVE-2021-21176
Luan Herrera discovered an implementation error in the full screen mode.
CVE-2021-21177
Abdulrahman Alqabandi discovered a policy enforcement error in the
Autofill feature.
CVE-2021-21178
Japong discovered an error in the Compositor implementation.
CVE-2021-21179
A use-after-free issue was discovered in the networking implementation.
CVE-2021-21180
Abdulrahman Alqabandi discovered a use-after-free issue in the tab search
feature.
CVE-2021-21181
Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a side-channel
information leak in the Autofill feature.
CVE-2021-21182
Luan Herrera discovered a policy enforcement error in the site navigation
implementation.
CVE-2021-21183
Takashi Yoneuchi discovered an implementation error in the Performance API.
CVE-2021-21184
James Hartig discovered an implementation error in the Performance API.
CVE-2021-21185
David Erceg discovered a policy enforcement error in Extensions.
CVE-2021-21186
dhirajkumarnifty discovered a policy enforcement error in the QR scan
implementation.
CVE-2021-21187
Kirtikumar Anandrao Ramchandani discovered a data validation error in
URL formatting.
CVE-2021-21188
Woojin Oh discovered a use-after-free issue in Blink/Webkit.
CVE-2021-21189
Khalil Zhani discovered a policy enforcement error in the Payments
implementation.
CVE-2021-21190
Zhou Aiting discovered use of uninitialized memory in the pdfium library.
CVE-2021-21191
raven discovered a use-after-free issue in the WebRTC implementation.
CVE-2021-21192
Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
implementation.
CVE-2021-21193
A use-after-free issue was discovered in Blink/Webkit.
CVE-2021-21194
Leecraso and Guang Gong discovered a use-after-free issue in the screen
capture feature.
CVE-2021-21195
Liu and Liang discovered a use-after-free issue in the v8 javascript
library.
CVE-2021-21196
Khalil Zhani discovered a buffer overflow issue in the tab implementation.
CVE-2021-21197
Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
implementation.
CVE-2021-21198
Mark Brand discovered an out-of-bounds read issue in the Inter-Process
Communication implementation.
CVE-2021-21199
Weipeng Jiang discovered a use-after-free issue in the Aura window and
event manager.
For the stable distribution (buster), these problems have been fixed in
version 89.0.4389.114-1~deb10u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQQzBAEBCgAdFiEEIwTlZiOEpzUxIyp4mD40ZYkUaygFAmBsY1oACgkQmD40ZYkU
ayiUXSAAgfMNsCeTke9JJBtyvUU4EzWt6op+dq3g4pN11Clqo5Y2vgHTPjiPjoYK
z5qy9V9FNUrnKyVmLjspdsNgSHaGUjxhFgiTUql59kSPOuOLCMrByP1aYZ7W6xGJ
Fw5Um5m2V/sPsDFFakTbU3YMLqOV/UnoWxb0E/1WR1ucXRU5DBviAJhl47yaCLwH
pP+FLQVgRbhgnwwtEmuq/VulA5UYy3GXU6kyE0NsXU4pvyzHuxJEutvLsQHQ9Lqs
Jf6PbN1oWLAESbVL2sPVNrkSwlfRDM6du+km4KZdaURTBaLN1d8P8nnvBlvVGiAy
ZgKM3d56PsMBqVvU+2mlg8JsGKqw1pi4yMXSOT13DkzpgfCBJNin9XuzzyzWbdPV
gjM+VzpoyD1HSFg23g5ly3VcQcZR62C+JwT35xve52Jed6RWMYK/HmYBMhcE8Yu/
7gQiUvg9CnEkvrLpbfy9LvrKNzLmo5KMsvjSFme+nlcrWL9Fp3j89R7uJp/GA4vw
nrF16QKz/sI8ylHXuJjnWVzc1LfbyIBWjyBr/YAm6RI8mRAhKIS31qT7Xqp2MXDf
HyvioFheWUykKMeX57rlv/U3t8e1iq2tvkMcD1vARTA1LHwHcCYhxHaHo/cZSMgL
7qriuNuv4b8PXDJxSsm096sMeeNdoRKUX3lZnaDa3Kbg1Rz78faY3/x2egkSS5eY
vzzYLKF2/oK8pXnZeT4woVlp4/bhxVW8YtScDOuGQwwNIVfYmV+AdFI+RJP0Fvlk
HC2rZ2Rc94zD5kN5ig8XYxFisr7iv7m3Ip1xwCxM0/NYeyv8VV2HX8YIclp4XHZ6
sWX9wNQWv9NKDwE/0mdQmqKwhGgfBgUD49HnJv8N9oLwpw0sp8qXupZfFxGHZnsT
L9xyHCmFxtQ13JrI2XLYSiDgJOCQjSOBQoE8kcQVe53V44djqKE1z5lsAL5MXGua
cK8HOuRQqMeUofBWoN/sIF9unUGqxO6tkqQiQw7PsIfOeTMofMYDDRI1ImyDuBCy
G/i6pwHMgjiAkIgxUm2q5JC6U+glOw7Hftxos3S9spUPbJHWxSpUKrlu+w+CNhDo
mX1E/mJvssTpOD3G0/M50bKgIsxWRnBgF+nzPaKfxmmVJ9V3mMZ7mnE8A+ByZmBG
pqyTN57rwJjty8IA14Ti6Cv1WhQ/QRNPNZi6WLj9pkLf0kL5jvJ9ukc44hTq3PLZ
gUvphhmU0BG9Yt+8JQZ5JqsoP7/Sj+tXlLwWH7lqkbr/mwLzbnTRlEULFTnKvs5W
7YJUxE9l9VsrDztOKw3iqTKbAUVozFvN/b/JEb0sQYV9RDSyqW0iiUEG6cVkSyih
wOPXdS43UhewHMEVGLe4sJxbMVKhJw==
=Acyh
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYGz6BeNLKJtyKPYoAQg+BxAAmWlepcaiteACNbMW1SaH1LHRmquKLFov
V+8vm1myFlPojKEB1ZAwfoUHEp2LVWp/ODWRQ1Kd802DOO9CJtNU+JMCtsxQYoeq
B0RJbMcf4idyTrajeLNdRyv8nbL23a0QJirb7Xp4EtB70dEee1m669GAe159Qpm2
Ch7H9qHXjNowpqRawJIB9wxrMENSeGtAlS/bi6xONhu9RQsDFaiiUYHVRdkc7s5a
pJ9pYc29AZLpS97Y0a33g5KrM1Qi0AtReVWpDpMOFrO+PJXxBqIrHJreMeRET/jI
1MHLsia22oCLH5j/uSiwP1XA5OIJ87hNYC50G5l/Gw2B/bo5OKv33cWzXs0KRIEX
6EFJfjiFAoMZFZ6ylVPOifA5v7b2Wt/swTPrGL+mzLvV6TYJ7cqbq+8ydg6POL9D
GwsPHJ9MkDb7ZIF4Xl/csB9MZaoxOh7Se9xis959yUDPr44IdodvHnHsdOy8nXNo
Tvjb2yWaJ4cXIlhwohKOEwncsmuegCfhCFMmL1EXnMlM37a5mSQ2D4DQbedCyJvO
s32HbMTmHQMP3SV9T6Irk+L3FbdDkpQU2ZZrTobqq2XGc0P4FdDJlqKp9Bk6hKtt
ksOBAUrarohiJj+vfBV7q92QjTHqli0tRTLr4r1m1Qj9FhunM9IkTsJtWKZfvmGL
TXVu0mOj8Jg=
=tLJb
-----END PGP SIGNATURE-----