[ubuntu/precise] chromium-browser 15.0.874.102~r106587-0ubuntu1 (Accepted)

Micah Gersten micahg at ubuntu.com
Wed Oct 26 08:10:51 UTC 2011


chromium-browser (15.0.874.102~r106587-0ubuntu1) precise; urgency=low

  * New upstream release from the Stable Channel (LP: #881786)
    - fix LP: #881607 - Error initializing NSS without a persistent database
    This release fixes the following security issues:
    - [86758] High CVE-2011-2845: URL bar spoof in history handling. Credit to
      Jordi Chancel.
    - [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs. Credit
      to Jordi Chancel.
    - [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of
      download filenames. Credit to Marc Novak.
    - [91218] Low CVE-2011-3877: XSS in appcache internals page. Credit to
      Google Chrome Security Team (Tom Sepez) plus independent discovery by
      Juho Nurminen.
    - [94487] Medium CVE-2011-3878: Race condition in worker process
      initialization. Credit to miaubiz.
    - [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs. Credit to
      Masato Kinugawa.
    - [95992] Low CVE-2011-3880: Don’t permit as a HTTP header delimiter. Credit
      to Vladimir Vorontsov, ONsec company.
    - [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881: Cross-origin
      policy violations. Credit to Sergey Glazunov.
    - [96292] High CVE-2011-3882: Use-after-free in media buffer handling.
      Credit to Google Chrome Security Team (Inferno).
    - [96902] High CVE-2011-3883: Use-after-free in counter handling. Credit to
      miaubiz.
    - [97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit to
      Brian Ryner of the Chromium development community.
    - [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885: Stale
      style bugs leading to use-after-free. Credit to miaubiz.
    - [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8. Credit to
      Christian Holler.
    - [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs. Credit to
      Sergey Glazunov.
    - [99138] High CVE-2011-3888: Use-after-free with plug-in and editing.
      Credit to miaubiz.
    - [99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to miaubiz.
    - [99553] High CVE-2011-3890: Use-after-free in video source handling.
      Credit to Ami Fischman of the Chromium development community.
    - [100332] High CVE-2011-3891: Exposure of internal v8 functions. Credit to
      Steven Keuchel of the Chromium development community plus independent
      discovery by Daniel Divricean.

  [ Micah Gersten <micahg at ubuntu.com> ]
  * Switch to xz debs; Add Pre-Depends on dpkg >= 1.15.6 which is needed
    until after Precise
    - update debian/rules
    - update debian/control

  [ Chris Coulson <chris.coulson at canonical.com> ]
  * Refresh patches
    - update debian/patches/dlopen_sonamed_gl.patch
    - update debian/patches/webkit_rev_parser.patch
  * Dropped patches, fixed upstream
    - remove debian/patches/cups_1.5_build_fix.patch
    - update debian/patches/series
  * Don't depend on cdbs being installed to create a tarball
    - update debian/rules
    - update debian/cdbs/tarball.mk

  [ Fabien Tassin ]
  * Disable NaCl until we figure out what to do with the private toolchain
    - update debian/rules
  * Do not install the pseudo_locales files in the debs
    - update debian/rules
  * Add python-simplejson to Build-depends. This is needed by NaCl even with
    NaCl disabled, so this is a temporary workaround to unbreak the build, it
    must be fixed upstream
    - update debian/control

Date: Wed, 26 Oct 2011 02:52:39 -0500
Changed-By: Micah Gersten <micahg at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/precise/+source/chromium-browser/15.0.874.102~r106587-0ubuntu1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 26 Oct 2011 02:52:39 -0500
Source: chromium-browser
Binary: chromium-browser chromium-browser-dbg chromium-browser-l10n chromium-codecs-ffmpeg chromium-codecs-ffmpeg-dbg chromium-codecs-ffmpeg-extra chromium-codecs-ffmpeg-extra-dbg
Architecture: source
Version: 15.0.874.102~r106587-0ubuntu1
Distribution: precise
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Micah Gersten <micahg at ubuntu.com>
Description: 
 chromium-browser - Chromium browser
 chromium-browser-dbg - chromium-browser debug symbols
 chromium-browser-l10n - chromium-browser language packages
 chromium-codecs-ffmpeg - Free ffmpeg codecs for the Chromium Browser
 chromium-codecs-ffmpeg-dbg - chromium-codecs-ffmpeg debug symbols
 chromium-codecs-ffmpeg-extra - Extra ffmpeg codecs for the Chromium Browser
 chromium-codecs-ffmpeg-extra-dbg - chromium-codecs-ffmpeg-extra debug symbols
Launchpad-Bugs-Fixed: 881607 881786

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6nvHoACgkQTniv4aqX/Vn9awCfch0ZuhuCL2pk3m2mdjFmSNbj
87cAnAtL15punuiB5BodeajC1U0D9xvV
=BaYu
-----END PGP SIGNATURE-----

