[ubuntu/raring-security] chromium-browser 28.0.1500.52-0ubuntu1.13.04.2 (Accepted)

Chris Coulson chris.coulson at canonical.com
Thu Jun 27 21:48:36 UTC 2013

chromium-browser (28.0.1500.52-0ubuntu1.13.04.2) raring-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches,
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer.  Package tarball contents from upstream
  * Reenable dyn-linking of major components of chromium for 32-bit machines.
    Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but 
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries work
    with chromium-browser. The default security policy might be worse. Bundled
    libraries is less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time checks
    for hardware capability, but even if it doesn't we can add it later.
  * Clean up difference checks in debian/rules that make sure that all files
    that the build makes are used in packages, and no longer hide any, and no
    longer consider it an error if some are unused.  Treat it as a warning,
    not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new build-dep, "chrpath".

  [Chris Coulson]
  * debian/rules: Disable tcmalloc on all component builds, not just on
    arm builds.

Date: 2013-06-26 20:45:13.087545+00:00
Changed-By: Chad Miller <chad.miller at canonical.com>
Signed-By: Chris Coulson <chris.coulson at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Raring-changes mailing list